Attached is a copy of a letter in PDF issued by OCR to the Commissioner of the Social Security Administration on the subject of authorizations. The OCR's guidance in this letter (dated April 25, 2003) was that an individual could issue a single authorization for release of "all of my medical records" , and that the authorization to disclose could be granted to "all my medical providers."  164.508(c)(1)(iii) allows multiple recipients to be named in a single authorization for specifically defined information, as long as it isn't a combined consent form (164.508(b)(3)).  Do not combine authorization for disclosure of PHI from the designated record set (DRS) and psychotherapy notes on the same authorization form. 

Covered entities may use one authorization form for all purposes. The Department adopts in paragraph § 164.508(c)(1), the following core elements for a valid authorization: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. An authorization that does not contain all of the core elements does not meet the requirements for a valid authorization. The Department intends for the authorization process to provide individuals with the opportunity to know and understand the circumstances surrounding a requested authorization.

Below is HHS response to comments received published with the August 2002 revisions to the Final Privacy Rule.

Comment: One commenter suggested that the Department should require authorizations to include a complete list of entities that will use and share the information, and that the individual should be notified periodically of any changes to the list so that the individual can provide written authorization for the changes.

Response: It may not always be feasible or practical for covered entities to include a comprehensive list of persons authorized to use and share the information disclosed pursuant to an authorization. However, individuals may discuss this option with covered entities, and they may refuse to sign an authorization that does not meet their expectations. Also, subject to certain limitations, individuals may revoke an authorization at any time.

Regards,

ShareHIPAA moderator