45 CFR 164.508 Explained: When HIPAA Requires Patient Authorization


Kevin Henry

HIPAA

March 30, 2026

7 minute read

General Rule for Authorization

Under 45 CFR 164.508, covered entities must obtain a patient’s written authorization before using or disclosing Protected Health Information (PHI) for purposes not otherwise permitted by the HIPAA Privacy Rule. In practice, you typically do not need authorization for treatment, payment, and health care operations, but you do need it for most other uses—especially those unrelated to direct care.

For HIPAA compliance, treat authorization as the default requirement unless a specific Privacy Rule permission applies. Common scenarios that require a valid authorization include sharing PHI with a third party for non-care purposes, certain research activities without a waiver, and the categories highlighted below: psychotherapy notes, marketing, and the sale of PHI.

Psychotherapy Notes

Psychotherapy notes receive heightened protection. These are the notes a mental health professional records to analyze the contents of counseling sessions and keeps separate from the medical record. They do not include medication details, session start/stop times, modalities, test results, or summaries of diagnosis and treatment plan.

As a rule, you must obtain the individual’s authorization before using or disclosing psychotherapy notes. Limited exceptions (often called the Psychotherapy Notes Exception) allow use or disclosure without authorization when the note originator uses them for treatment, when a covered entity uses them in its own training programs, or when the entity needs them to defend itself in a legal action initiated by the patient. Outside these narrow circumstances, secure a valid authorization.

Marketing and Sale of PHI

Marketing

“Marketing” means a communication that encourages someone to purchase or use a product or service. If you engage in marketing that uses PHI, HIPAA generally requires patient authorization. Two notable carve‑outs do not require authorization: face‑to‑face communications and promotional gifts of nominal value. Refill reminders and medication adherence messages are also allowed without authorization when any financial remuneration is limited to the reasonable cost of making the communication.

When authorization is required for marketing, your document must satisfy marketing disclosure requirements—namely, it must clearly state if you receive financial remuneration from a third party for the communication. This ensures transparency and supports HIPAA compliance.

Sale of PHI

HIPAA prohibits the sale of PHI without explicit authorization. A “sale” broadly covers disclosures in exchange for direct or indirect remuneration. If you plan any disclosure that constitutes a sale of PHI, you must obtain an authorization that specifically states the disclosure will result in remuneration to the covered entity.

Core Elements of Authorization

A valid authorization must include these core elements to be effective. If any are missing, the authorization is defective, and you should not use or disclose PHI based on it.

  • Information description: A specific, meaningful description of the PHI to be used or disclosed.
  • Who may disclose: The name or specific identification of the person(s) or covered entity authorized to disclose the information.
  • Who may receive: The name or specific identification of the person(s) to whom the covered entity may disclose the information.
  • Purpose: Each purpose for the requested use or disclosure (or “at the request of the individual”).
  • Expiration: An expiration date or an expiration event related to the individual or the purpose (for example, “end of research study”).
  • Signature: The individual’s signature and date; if a personal representative signs, include a description of their authority to act for the individual.

Required Statements in Authorization

Beyond the core elements, HIPAA requires plain‑language statements that place the individual on notice of key rights and risks. Include the following:

  • Right to revoke: A statement that the individual may revoke the authorization in writing at any time, along with how to submit the revocation, except to the extent you have already relied on it.
  • Conditioning: A statement explaining whether you will condition treatment, payment, enrollment, or eligibility for benefits on signing, and a description of any consequences of refusing to sign where conditioning is permitted.
  • Redisclosure risk: A statement that information disclosed under this authorization may be subject to redisclosure by the recipient and may no longer be protected by HIPAA.

For marketing communications that require authorization, disclose if you receive financial remuneration from a third party. For any disclosure that constitutes a sale of PHI, the authorization must explicitly state that remuneration will result from the disclosure.

Revocation of Authorization

Authorization revocation is always an option for the patient. You must honor a written revocation, which stops future uses and disclosures under that authorization. However, revocation does not undo actions already taken in reliance on the authorization, and special rules apply if the authorization was obtained as a condition of an insurance policy—insurers may retain rights to contest a claim or the policy.

To support HIPAA compliance, tell patients exactly how to revoke in writing (for example, where to send the request) and document the date you receive the revocation. Once revoked, treat the authorization as invalid for any new use or disclosure.

Conditioning of Treatment or Payment

As a baseline, you may not condition treatment, payment, enrollment, or eligibility for benefits on obtaining an authorization. This protects patients from feeling coerced into sharing PHI beyond what HIPAA otherwise permits.

HIPAA allows limited exceptions. You may condition: (1) research‑related treatment on an authorization for research uses and disclosures of PHI; (2) a health plan’s enrollment or eligibility determinations on a pre‑enrollment authorization used for underwriting or risk‑rating; and (3) services provided solely to create PHI for disclosure to a third party (for example, a pre‑employment exam) on an authorization for that disclosure.

Conclusion

In short, 45 CFR 164.508 requires a valid authorization whenever a use or disclosure of PHI falls outside HIPAA’s routine permissions. Pay special attention to psychotherapy notes, marketing, and any sale of PHI; include all core elements and required statements; support easy authorization revocation; and avoid conditioning care except where HIPAA expressly allows. Following these steps keeps covered entities aligned with HIPAA compliance and protects patient trust.

FAQs

When is patient authorization required under 45 CFR 164.508?

You need authorization for any use or disclosure of PHI that is not otherwise permitted or required by the Privacy Rule. Common triggers include most non‑care communications, marketing that does not meet an exception, disclosures constituting a sale of PHI, certain research uses without a waiver, and virtually all uses or disclosures of psychotherapy notes.

What information must be included in a valid authorization?

A valid authorization must specify the PHI to be used or disclosed, who may disclose it, who may receive it, the purpose, an expiration date or event, and the individual’s signature and date (plus representative authority, if applicable). It must also include statements about revocation rights, conditioning (or lack thereof), and the risk of redisclosure, and when applicable, whether remuneration is involved.

Can a patient revoke their authorization once given?

Yes. A patient may revoke an authorization in writing at any time, except to the extent you have already acted in reliance on it or, for insurance‑related authorizations, where the insurer retains rights to contest a claim or policy. After revocation, you must not make new uses or disclosures under that authorization.

Are there exceptions to authorization requirements for psychotherapy notes?

Yes, but they are narrow. Without authorization, psychotherapy notes may be used by the note originator for treatment, used within a covered entity’s training programs, or used or disclosed to defend the entity in a legal action initiated by the patient. In nearly all other situations, you must obtain the patient’s authorization before using or disclosing psychotherapy notes.
