What is HIPAA Authorization?

HIPAA Authorization is a written permission signed by an individual or the individual’s personal representative that allows a HIPAA Covered Entity or Business Associate to use or disclose the individual’s protected health information for a stated purpose that is not otherwise permitted or required by the HIPAA Privacy Rule, and it must meet the content and form requirements in 45 CFR 164.508 to be valid.

A HIPAA Covered Entity may use or disclose protected health information for treatment, payment, and health care operations without obtaining an authorization when the HIPAA Privacy Rule permits those activities. Uses and disclosures outside those permissions require a valid authorization unless another HIPAA Privacy Rule permission applies. Common authorization-dependent activities include most marketing uses and disclosures, most uses and disclosures of psychotherapy notes, disclosures for research when a waiver or other HIPAA Privacy Rule pathway does not apply, and disclosures that involve the sale of protected health information.

A valid authorization identifies the information to be used or disclosed in a specific and meaningful way, identifies who may make the use or disclosure, identifies who may receive the information, and states the purpose of the use or disclosure. The authorization includes an expiration date or an expiration event. The individual signs and dates the authorization, and a personal representative signing for the individual describes the authority to act for the individual.

A valid authorization also contains required statements that place the individual on notice of defined rights and conditions. The authorization describes the individual’s right to revoke in writing and explains any exceptions and how to revoke. The authorization states whether treatment, payment, enrollment, or eligibility for benefits is conditioned on signing, and it identifies any consequences of refusing to sign when conditioning is permitted. The authorization includes notice that information disclosed under the authorization may be subject to redisclosure by the recipient and may no longer be protected by the HIPAA Privacy Rule.

An authorization is not valid if it is not written in plain language, is missing required elements, contains materially false information, or is combined with other documents in a way that violates the HIPAA Privacy Rule requirements for compound authorizations. A covered entity must provide a copy of the signed authorization to the individual when the covered entity seeks the authorization. A covered entity must stop using or disclosing protected health information under an authorization after a valid revocation, except to the extent the covered entity has already acted in reliance on the authorization and except for limited situations addressed by the HIPAA Privacy Rule.

Core Regulatory Provisions About HIPAA Authorization

45 CFR 164.508 is directly relevant because it establishes when an authorization is required and specifies the validity requirements that define HIPAA Authorization content and handling. The regulation states “Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section.” It further states “A valid authorization must contain core elements” and that “the authorization must contain statements adequate to place the individual on notice” of “The individual’s right to revoke the authorization in writing” and “The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.” This text is relevant because it is the operative HIPAA Privacy Rule standard for authorization as a permission mechanism, and it defines the required elements, required statements, and conditions that determine whether an authorization is valid.

45 CFR 164.506(b)(2) is directly relevant because it distinguishes consent from authorization and confirms that authorization controls when the HIPAA Privacy Rule requires it. The regulation states “Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.” This text is relevant because it prevents substitution of a general consent document for a HIPAA Authorization and it supports compliance controls that route certain uses and disclosures to the authorization process when §164.508 applies.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.