What is a HIPAA Authorization for Uses and Disclosures of PHI?

Modified on Tue, 13 Feb at 5:59 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Privacy Rule requires that, in certain instances, an individual provide written, signed authorization to a covered entity before the entity may use or disclose that individual's protected health information (PHI). The authorization is sometimes referred to as "Authorization for Uses and Disclosures of PHI" or "Authorization for Release of PHI." The authorization is provided on an "Authorization Form."

When is a HIPAA Authorization NOT Required? 
An authorization is NOT required when a specific provision of the HIPAA Privacy Rule states that the authorization is not required. Authorization is typically not required for uses and disclosures that are the subjects of 45 CFR 164.506 (treatment, payment, and healthcare operations), 45 CFR 164.510, and 45 CFR 164.512.


When is HIPAA Authorization Required?

A signed, valid HIPAA Authorization form must be provided by a patient to their covered entity provider before that covered entity can make certain uses and disclosures of PHI.


Authorization must be provided for:

1. Uses and disclosures of psychotherapy notes.
2. Certain marketing communications.
3. Disclosures of PHI that are a sale of protected health information.
4. Any other use or disclosure, with respect to which the HIPAA regulations specifically require an authorization. 


What Content Must be Contained in an Authorization for the Authorization to be Valid?

The law requires that a HIPAA authorization form contain specific “core elements” to be valid. These elements include:


1. A description of the specific PHI to be used or disclosed.

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

3. The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure. 

4. A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.

6. The signature of the individual, and the date. 


In addition to the core elements, the HIPAA authorization must contain statements adequate to place the individual on notice of all of the following:


1. The individual’s right to revoke the authorization in writing.

2. The exceptions to the right to revoke (an individual may revoke an authorization in writing except when the covered entity has taken action in reliance on the authorization).

3. The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization, except that: 

a. A covered healthcare provider may condition the provision of research-related treatment on provision of an authorization for such research.

b. A health plan may, to make eligibility or enrollment determinations, condition enrollment in the health plan or eligibility for benefits on provision of an authorization.

4. The potential for information disclosed in the authorization to be subject to HIPAA redisclosure by the recipient and no longer be protected by the Privacy Rule. 


HIPAA regulations also require that the HIPAA authorization be written in plain language on the HIPAA form.


In addition, whenever a covered entity seeks a HIPAA authorization from an individual for a PHI use or disclosure, the covered entity must provide the individual with a copy of the signed HIPAA authorization form.


