Authorizations are a routine part of healthcare, but getting them wrong — disclosing without one, or relying on an invalid form — is a common source of violations. Here is what you need to know.
What a HIPAA authorization is
A HIPAA authorization is a signed permission from an individual allowing a covered entity to use or disclose their PHI for a purpose that is not otherwise permitted by the Privacy Rule. Where the rule already allows a use — such as treatment, payment, or operations — no authorization is needed. Where it does not, a valid authorization is generally required.
The form is the patient’s explicit consent, documenting exactly what may be disclosed, to whom, and for what purpose. It is the mechanism that gives individuals control over uses of their data beyond ordinary care.
When an authorization is required
Authorization is required for uses and disclosures that fall outside the Privacy Rule’s permitted categories. Common examples include disclosing records to an employer, a life insurer, or an attorney; using PHI for marketing funded by a third party; most uses of psychotherapy notes; and the sale of PHI. In each case, the patient must affirmatively permit the disclosure.
Knowing where the line falls — permitted use versus authorization required — is the key judgment staff must make before releasing information.
When an authorization is NOT required
Many disclosures do not require an authorization. Sharing PHI for treatment among providers, billing an insurer, conducting healthcare operations, disclosing to the patient themselves, and certain public-interest disclosures such as required public-health reporting are all permitted without one. Requiring an authorization in these situations can actually impede care, so understanding the exceptions is as important as understanding the requirement.
Authorization vs consent
People often confuse authorization with consent, but they are distinct. Consent, where used, is a more general permission for routine uses like treatment and payment, and the Privacy Rule does not require it for those purposes. Authorization is a specific, formal permission for uses outside the permitted categories. Authorization is the legally significant document when disclosing PHI for non-routine purposes.
Treating the two interchangeably can lead organizations to disclose information based on a general consent when a specific authorization was actually required.
What a valid authorization must contain
The Privacy Rule specifies the required elements of a valid authorization. It must include a specific and meaningful description of the information to be disclosed; the name or other specific identification of the person or class authorized to disclose it; the name or identification of the recipient; a description of each purpose (or "at the request of the individual" when the patient initiates the release); an expiration date or event; and the individual's signature and date. If a personal representative signs instead of the patient, the form must also describe that person's authority to act for the patient.
It must also state the individual's right to revoke the authorization and how to do so, whether treatment, payment, enrollment, or eligibility is conditioned on signing (in most cases it may not be), and the potential for the recipient to redisclose the information so that it is no longer protected by the Privacy Rule. The form must be written in plain language, and when the covered entity asks the patient to sign, the patient must be given a copy. Missing any required element or statement renders the authorization invalid, and a disclosure made on it is an impermissible disclosure.
The right to revoke
Individuals have the right to revoke an authorization at any time, in writing, except to the extent the covered entity has already acted in reliance on it (disclosures made before the revocation was received are not unwound) or, where the authorization was obtained as a condition of insurance coverage, to the extent other law gives the insurer the right to contest a claim. A valid authorization must inform the individual of this right and how to exercise it, which may be done by referring to the notice of privacy practices. Organizations need a clear process for receiving, dating, and honoring revocations promptly, so that disclosures stop once permission is withdrawn and the date of revocation is on record.
Expiration of authorizations
An authorization is not open-ended; it must include an expiration date or an expiration event that relates to the individual or the purpose of the disclosure. Once it expires, the permission lapses and further disclosure requires a new authorization. Tracking expiration is important, because relying on a lapsed authorization to disclose PHI is a violation. For research, the expiration may be stated as "end of the research study" or "none" rather than a fixed date; an event-based expiration still has to be checked, which means someone must confirm the event has not yet occurred.
Conditioning treatment on authorization
In most cases, a covered entity may not condition treatment, payment, enrollment, or eligibility on whether an individual signs an authorization. The exceptions are narrow: research-related treatment may be conditioned on an authorization for that research; a health plan may condition enrollment or eligibility on an authorization for underwriting or risk rating obtained before enrollment (but not for psychotherapy notes); and care provided solely to create PHI for a third party, such as a pre-employment physical, may be conditioned on authorizing that disclosure. The general rule protects patients from being pressured into authorizing disclosures they do not want as a condition of receiving care.
Psychotherapy notes
Psychotherapy notes receive special protection. With limited exceptions, their use or disclosure requires a separate, specific authorization — even for many purposes that would not require one for other PHI. Organizations that handle behavioral-health information must treat these notes with particular care, recognizing that the ordinary permitted uses do not automatically extend to them.
Electronic authorizations
Authorizations can be obtained electronically, provided they include all required elements and a valid electronic signature. As healthcare digitizes, electronic authorization through portals and e-signature platforms has become common. The same content requirements apply, and organizations must ensure the electronic process captures a genuine, documented permission that can be produced later if needed.
Common authorization mistakes
Frequent errors include disclosing PHI without an authorization when one was required, accepting incomplete or expired forms, missing required elements or statements, combining the authorization with other documents where the rule prohibits it, failing to honor revocations, and conditioning treatment on signing where prohibited. Another common mistake is over-disclosing: releasing more than the authorization actually permits, for example the whole chart when the form names only lab results. Each of these can turn a routine release into a violation.
Clear procedures, staff training, and a checklist of required elements are the most effective defenses against these errors.
Building a reliable release process
A dependable release process starts with a compliant authorization form and a clear procedure for verifying it before any disclosure. Staff should confirm that the form is complete, signed and dated, unexpired and unrevoked, that it names this patient and this recipient, and that it covers exactly what is being released, and should then disclose only what the authorization permits. The minimum-necessary standard does not apply to disclosures made under an authorization, so the scope written on the form is the only limit on what may leave the building; treat anything outside it as a denial rather than trimming silently. Logging authorizations, revocations, and the disclosures made under them provides an audit trail and supports accountability.
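The checks above can be made mechanical. What follows is an added example, not code from the original page: a small pre-release gate that validates an authorization record for the required elements and statements, rejects expired or revoked forms, denies any request whose scope exceeds what the form describes, and writes an audit entry for every decision. The record layout, field names, and sample patients and organizations are assumptions made for illustration; the required elements and statements it checks are the ones from 45 CFR 164.508(c).

```python
"""Pre-release gate for PHI disclosed under a HIPAA authorization.

Added example, not code from the original page. The record layout, field
names and sample data are assumptions made for illustration; a real system
would bind these checks to its own authorization and ROI records.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Statements the form must carry under 45 CFR 164.508(c)(2) (labels are assumed).
REQUIRED_STATEMENTS = frozenset({"right_to_revoke", "conditioning", "redisclosure"})


@dataclass(frozen=True)
class Authorization:
    auth_id: str
    patient_id: str
    info_categories: frozenset          # specific description of what may be released
    discloser: str                      # person or class authorized to disclose
    recipient: str                      # who may receive it
    purpose: str
    signed_by: str                      # the patient, or a personal representative
    signed_on: Optional[date] = None
    expiration_date: Optional[date] = None
    expiration_event: str = ""          # alternative to a date, e.g. "end of the research study"
    representative_authority: str = ""  # required only when signed_by != patient_id
    statements: frozenset = frozenset()
    revoked_on: Optional[date] = None   # date a written revocation was received


@dataclass(frozen=True)
class ReleaseRequest:
    auth_id: str
    patient_id: str
    recipient: str
    categories: frozenset               # what is about to be sent
    requested_on: date


def form_defects(auth: Authorization) -> list[str]:
    """Required elements and statements missing from the form (empty list = facially valid)."""
    defects = []
    if not auth.info_categories:
        defects.append("no specific description of the information")
    if not auth.discloser:
        defects.append("no person or class authorized to disclose")
    if not auth.recipient:
        defects.append("no recipient named")
    if not auth.purpose:
        defects.append("no statement of purpose")
    if auth.expiration_date is None and not auth.expiration_event:
        defects.append("no expiration date or event")
    if auth.signed_on is None or not auth.signed_by:
        defects.append("not signed and dated")
    if auth.signed_by and auth.signed_by != auth.patient_id and not auth.representative_authority:
        defects.append("signed by a representative without a description of authority")
    for s in sorted(REQUIRED_STATEMENTS - auth.statements):
        defects.append(f"missing required statement: {s}")
    return defects


def check_release(auth: Authorization, req: ReleaseRequest, audit_log: list) -> tuple[bool, list[str]]:
    """Decide one release and record it; all reasons are returned so the form is fixed in one pass."""
    reasons = form_defects(auth)
    if (auth.auth_id, auth.patient_id) != (req.auth_id, req.patient_id):
        reasons.append("authorization does not match this patient or request")
    if auth.recipient != req.recipient:
        reasons.append(f"recipient {req.recipient!r} is not the one named on the form")
    # Revocation stops future disclosures; releases made before it stand (reliance exception).
    if auth.revoked_on is not None and auth.revoked_on <= req.requested_on:
        reasons.append(f"revoked on {auth.revoked_on.isoformat()}")
    # A fixed date is honored through that day; an event-based expiration needs a human check.
    if auth.expiration_date is not None and auth.expiration_date < req.requested_on:
        reasons.append(f"expired on {auth.expiration_date.isoformat()}")
    # Over-disclosure is denied as a whole rather than silently trimmed, so the requester
    # learns that an amended form is needed.
    extra = req.categories - auth.info_categories
    if extra:
        reasons.append("requested categories exceed the authorization: " + ", ".join(sorted(extra)))
    allowed = not reasons
    audit_log.append({"date": req.requested_on.isoformat(), "auth_id": req.auth_id,
                      "patient_id": req.patient_id, "recipient": req.recipient,
                      "categories": sorted(req.categories), "released": allowed,
                      "reasons": list(reasons)})
    return allowed, reasons


# Constructed sample record for the scenarios below (not a real patient or organization).
SAMPLE_AUTH = Authorization(
    auth_id="AUTH-0001", patient_id="P-123",
    info_categories=frozenset({"lab_results", "visit_notes"}),
    discloser="Example Clinic", recipient="Example Life Insurance",
    purpose="life insurance underwriting", signed_by="P-123",
    signed_on=date(2024, 1, 10), expiration_date=date(2024, 7, 10),
    statements=REQUIRED_STATEMENTS,
)


def demo() -> tuple[dict[str, tuple[bool, list[str]]], list[dict]]:
    """Run the constructed scenarios; returns each decision by name plus the audit log."""
    log: list[dict] = []

    def req(cats, on, recipient="Example Life Insurance"):
        return ReleaseRequest("AUTH-0001", "P-123", recipient, frozenset(cats), on)

    revoked = replace(SAMPLE_AUTH, revoked_on=date(2024, 2, 1))
    defective = replace(SAMPLE_AUTH, expiration_date=None, statements=frozenset())
    results = {
        "in_scope": check_release(SAMPLE_AUTH, req({"lab_results"}, date(2024, 3, 1)), log),
        "over_disclosure": check_release(SAMPLE_AUTH, req({"lab_results", "psychotherapy_notes"}, date(2024, 3, 1)), log),
        "expired": check_release(SAMPLE_AUTH, req({"lab_results"}, date(2024, 8, 1)), log),
        "revoked": check_release(revoked, req({"lab_results"}, date(2024, 3, 1)), log),
        "wrong_recipient": check_release(SAMPLE_AUTH, req({"lab_results"}, date(2024, 3, 1), "Employer Inc"), log),
        "defective_form": check_release(defective, req({"lab_results"}, date(2024, 3, 1)), log),
    }
    return results, log


if __name__ == "__main__":
    for name, (ok, reasons) in demo()[0].items():
        print(f"{name:16} {'RELEASE' if ok else 'DENY'}  {'; '.join(reasons)}")
```

Two design choices matter here. The gate collects every defect instead of stopping at the first, so a form that is both unsigned and missing its revocation statement comes back once with both problems rather than bouncing twice. And it logs the denied requests as well as the successful releases; a disclosure log that records only what went out cannot show a reviewer that over-broad requests were refused.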
Why authorizations matter
Authorizations are where patient control over health information becomes concrete. They ensure that disclosures beyond ordinary care happen only with the patient’s informed permission, protecting both the individual’s privacy and the organization from liability. Handling them correctly — knowing when they are required, ensuring they are valid, and honoring their limits and revocation — is a visible, everyday demonstration of respect for patient privacy.
Verifying identity before release
Before disclosing PHI under an authorization, organizations must reasonably verify the identity of the person requesting or receiving it and, where the requester claims to act for the patient, their authority to do so (for example, a personal representative's documentation). Releasing records to the wrong person, even with a valid authorization on file, is an impermissible disclosure and is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. Simple verification steps, applied consistently, prevent some of the most avoidable disclosure errors and protect both the patient and the organization.
This is especially important for telephone and electronic requests, where the requester is not physically present and impersonation is easier.
Authorizations for research
Research is a frequent context for authorizations, and it has some special features. A research authorization may state its expiration as the end of the study or as having none, and it may be combined with the informed consent to participate in the research, and in certain circumstances with other research authorizations. Because research uses of PHI fall outside treatment, payment, and operations, a valid authorization, or a waiver or alteration of authorization approved by an IRB or privacy board, is generally required before PHI is used or disclosed for research.
Record-keeping for disclosures
Organizations should keep records of authorizations received, revocations received, and disclosures made under them, and retain that documentation for at least six years from the date it was created or last in effect. Disclosures made under a valid authorization are excluded from the accounting of disclosures a patient may request, so the log is what lets the organization show which releases were authorized and which must be accounted for, and it provides the audit trail demonstrating that each release was properly authorized. A reliable log also helps the organization respond quickly and accurately if a patient or regulator later questions a disclosure.
Training staff on releases
Because release decisions happen constantly and often under time pressure, training is essential. Staff need to recognize when an authorization is required, how to validate one, how much information to release, and how to handle revocations and expirations. Practical, scenario-based training — what to do when a lawyer calls, when an employer requests records, when a form looks incomplete — turns the rules into reliable everyday judgment.