The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given. The revocation, however, cannot be accepted verbally, but must be in writing. In addition, the written revocation is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid Authorization.

In a recent situation dealing with a WorkSaver post-offer, pre-placement evaluation, a conditional new hire passed the exam for a WorkSaver client and was placed on the job. A few days after job placement he resigned and called the WorkSaver office indicating he wanted to revoke the HIPAA form he had signed to prevent the employer from having access to his medical records. WorkSaver was not able to honor this verbal revocation provided over the telephone but indicated that the revocation could only be accepted once the revocation was received in writing.

After further investigation, the individual was found to have the wrong perception that WorkSaver had all of his medical records on file. He was concerned that WorkSaver had information about his medical history that was unrelated to his functional capacities to work. WorkSaver informed him that the PHI on record was only the medical information provided by the individual during the WorkSaver testing process and as indicated by him on his medical history questionnaire that related to medical conditions that had an impact on functional capacities to work safely. Regardless, neither WorkSaver or the WorkSaver client had any legal exposure based on the individual’s revocation since a written revocation is not effective with respect to actions (in this case, post-offer-pre-placement fit for duty examination) a covered entity took in reliance on a valid Authorization. Once the written revocation was received, the individual’s file that contained PHI was removed from WorkSaver’s electronic storage file that was designated for access by the employer by an encrypted access code.

Employers and medical examiners should remember that the Privacy Rule requires that all Authorizations must clearly state the individual’s right to revoke; and the process for revocation must either be set forth clearly on the Authorization itself, or if the covered entity creates the Authorization, and its Notice of Privacy Practices contains a clear description of the revocation process, the Authorization can refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it, since the revocation is not effective until a covered entity which had previously been authorized to make the disclosure receives it.”

Created 9/24/03. Content created by Office for Civil Rights (OCR); Content last reviewed on July 26, 2013.

HHS Legal Guidance: https://www.hhs.gov/hipaa/for-professionals/faq/474/can-an-individual-revoke-his-or-her-authorization/index.html