HIPAA authorization requirements are the HIPAA Privacy Rule conditions and required elements that must be met before a HIPAA Covered Entity or Business Associate uses or discloses protected health information for purposes that are not otherwise permitted or required. In those cases the use or disclosure must rest on a written authorization that is specific, time limited, and signed by the individual or the individual’s personal representative.
Authorization is not required for many routine uses and disclosures permitted by the HIPAA Privacy Rule, including uses and disclosures for treatment, payment, and health care operations, and for certain public interest and benefit activities when the regulatory conditions are met. When a use or disclosure falls outside those permissions, a valid authorization is a prerequisite unless another HIPAA permission applies. Common situations that require authorization include many marketing communications, disclosures to third parties that are not part of treatment, payment, or health care operations, disclosures of psychotherapy notes except for limited permitted uses, and most uses and disclosures of protected health information for sale.
A valid authorization must be written in plain language and must be limited to the stated purpose. It must identify the information to be used or disclosed in a specific and meaningful way, identify who is authorized to make the use or disclosure, identify the recipient, and describe the purpose. It must include an expiration date or an expiration event. It must include the individual’s signature and date, or the signature of a personal representative with a description of the representative’s authority when applicable. It must include required statements that inform the individual of the right to revoke, the ability or inability to condition treatment or benefits on signing when applicable, and the potential for redisclosure by the recipient.
An authorization is invalid when it is missing required elements, contains materially false or misleading information, is not signed as required, has an expired timeframe, or is combined with other documents in a way that does not meet HIPAA conditions. A covered entity must provide a copy of the signed authorization to the individual when the authorization is obtained by the covered entity. Revocation must be honored for future uses and disclosures once the revocation is received, except to the extent the covered entity has already relied on the authorization or where other limited exceptions apply.
Special limits apply to psychotherapy notes. With limited exceptions, use or disclosure of psychotherapy notes requires authorization that specifically addresses those notes and cannot be satisfied by a general consent for treatment, payment, or health care operations. Additional federal and state rules may also apply to substance use disorder records and certain categories of sensitive information, and organizations should account for those requirements within their authorization workflows.
Workforce processes should control how authorizations are requested, verified, logged, and stored. Operational controls include validating identity and authority of personal representatives, verifying that the authorization matches the requested disclosure, limiting disclosures to the scope authorized, and retaining documentation consistent with HIPAA documentation retention requirements. When a Business Associate performs functions that involve obtaining or acting on authorizations, contract terms and procedures should allocate responsibilities for form content, revocation handling, record retention, and audit support.
The Applicable Regulatory Text for HIPAA Authorization Requirements
45 CFR 164.508(a)(1) is relevant because it establishes the baseline rule that protected health information cannot be used or disclosed without a valid authorization unless another HIPAA Privacy Rule permission applies. The regulation states, “a covered entity may not use or disclose protected health information without an authorization that is valid under this section.” This text is relevant because HIPAA authorization requirements start with identifying when a use or disclosure is not otherwise permitted or required and therefore needs a valid authorization.
45 CFR 164.508(c)(1) is relevant because it defines the core content a written authorization must contain to be valid. The regulation states, “A valid authorization under this section must contain at least the following elements.” It also states, “A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.” This text is relevant because policy and form design for authorizations must include the required identifiers, scope, purpose, recipient, expiration, and signature elements.
45 CFR 164.508(c)(2) and 45 CFR 164.508(c)(3) are relevant because they require specific notice statements and plain language so the individual understands rights and consequences associated with authorizing a use or disclosure. The regulation states, “the authorization must contain statements adequate to place the individual on notice of” the right to revoke in writing, conditioning rules, and redisclosure risk. It also states, “The authorization must be written in plain language.” This text is relevant because authorizations must include required notices that support informed permission and must be readable to be valid.
45 CFR 164.508(c)(4) and 45 CFR 164.508(b)(2) are relevant because they address operational validity controls, including providing a copy to the individual and conditions that make an authorization invalid. The regulation states, “the covered entity must provide the individual with a copy of the signed authorization.” It also states, “An authorization is not valid, if the document submitted has any of the following defects.” This text is relevant because authorization workflows must include copy delivery and verification steps that prevent reliance on incomplete, expired, revoked, or inaccurate authorizations.
