Declining HIPAA Authorization: Your Rights and What Happens If You Say No
Declining HIPAA authorization is your choice. A HIPAA authorization is a written permission that lets a covered entity use or disclose your protected health information (PHI) for purposes not otherwise allowed by the HIPAA Privacy Rule. Understanding when you can say no—and what that means for your care—helps you protect your privacy without disrupting necessary treatment, payment, or healthcare operations.
This article offers general information to support informed decisions and HIPAA compliance. It is not legal advice.
Right to Decline HIPAA Authorization
You have the right to decline any authorization that is not required by law. HIPAA was designed so that most routine uses and disclosures needed for your care happen without an extra signature. Authorizations are typically requested for optional or non-routine uses, such as marketing, research participation, or sharing PHI with third parties not involved in your treatment or payment.
Covered entities—healthcare providers, health plans, and healthcare clearinghouses—must tell you when an authorization is voluntary. If you decline, they generally must still provide treatment and process claims as usual. They cannot require your signature for uses and disclosures that HIPAA already permits without authorization.
Do not confuse an authorization with other paperwork. For example, acknowledging receipt of a Notice of Privacy Practices is not an authorization, and refusing to sign that acknowledgment should not delay care. Similarly, you can request restrictions on use and disclosure of PHI; providers must accept a specific restriction when you pay in full out of pocket and ask that information not be sent to your health plan.
Impact on Healthcare Services
Most core services continue even when you decline. Providers may use and disclose PHI for treatment, payment, and healthcare operations without an authorization. Your clinicians can coordinate care, bill your insurer, run quality improvement programs, and exchange information with business associates that support these functions.
What may change are conveniences or optional activities that rely on your permission. Examples include sharing PHI with family members or caregivers at your request, sending information to an employer or school, releasing records to consumer apps that are not acting on your behalf, receiving fundraising or marketing communications, or participating in certain research studies that require authorization.
Declining can also create practical delays. Third parties that are not covered entities often require a signed authorization to receive PHI. Without it, a provider’s release-of-information team may be unable to fulfill non-routine requests, and you might need to obtain records yourself through your right of access.
Exceptions to Authorization Requirement
HIPAA permits or requires use and disclosure of PHI without an authorization in specific situations. These include:
- Treatment, payment, and healthcare operations: information sharing needed to provide care, process claims, conduct quality assurance, and other operational activities.
- Disclosures required by law: compliance with statutes, court orders, or mandatory reporting obligations.
- Public health activities: reporting certain diseases, adverse events, or exposures; supporting public health surveillance and interventions.
- Health oversight: audits, inspections, investigations, or licensing activities by oversight agencies.
- Judicial and administrative proceedings: disclosures in response to valid court or administrative orders and certain subpoenas.
- Law enforcement purposes: limited disclosures such as locating a suspect, reporting certain injuries, or complying with legal process.
- To avert a serious threat: preventing or lessening a serious and imminent threat to health or safety.
- Workers’ compensation and similar programs: disclosures authorized by workers’ compensation laws.
- Decedents, organ and tissue donation, and coroners/medical examiners: specific postmortem and donation-related disclosures.
- Research with a waiver: IRB or Privacy Board–approved waivers where privacy risks are minimized and authorization is impracticable.
- De-identified data and limited data sets: information that does not identify you, or limited data sets shared under a data use agreement.
Some categories of PHI are subject to stricter rules under federal or state law (for example, psychotherapy notes and certain substance use disorder records). In those cases, additional consent may be required beyond HIPAA.
Provider Responses to Declining Authorization
When you decline an authorization, providers should explain what will and will not proceed. They can continue HIPAA-permitted uses and disclosures, but they cannot use your PHI for the declined purpose unless another HIPAA basis applies. They should document your decision and offer alternatives, such as providing you a copy of records to share yourself.
Providers generally may not condition core treatment on your signing an authorization. Limited exceptions apply, such as certain research-related treatment or situations involving a health plan’s underwriting or enrollment functions allowed by law. Outside these exceptions, refusing to sign should not result in denial of medically necessary care.
If you want tighter control, ask about restrictions and confidential communications. For example, you can request that bills be sent to a different address, or that specific visits paid in full out of pocket not be disclosed to your health plan.
Revocation of Authorization
You may revoke a HIPAA authorization at any time, provided you do so in writing and deliver it to the covered entity (often to the Privacy Officer or Records department). Keep a copy for your records and note the date you sent it.
Revocation stops further use and disclosure under that authorization, except to the extent a covered entity has already acted in reliance on it. For example, if records were already released, revocation cannot pull them back. If the authorization was a condition of obtaining insurance coverage, the insurer may continue to use PHI as permitted to contest a claim or the policy.
After revocation, routine HIPAA-permitted activities (like treatment, payment, and operations) continue. If a third party still needs your PHI for a non-routine purpose, a new authorization will be required.
Authorization Expiration
Every HIPAA authorization must include an expiration date or an expiration event related to you or the purpose (for example, “end of treatment,” “end of the research study,” or a specific date). Once that date or event occurs, covered entities may not rely on the authorization for new uses or disclosures.
Some research-related authorizations—such as those for maintaining a research database—may specify “no expiration” when permitted by HIPAA. Otherwise, you can expect an authorization to last only until the stated date/event, after which a new authorization is needed for additional use or disclosure.
Expiration does not require a provider to delete PHI already used or disclosed. Your information remains part of the designated record set, subject to HIPAA’s retention and compliance requirements.
Consequences of Declining Authorization
Declining can increase privacy by limiting non-essential use and disclosure, but it can also reduce convenience. You may need to act as the conduit for information you want shared, miss marketing or fundraising communications, or be unable to join a study that requires authorization.
Your access rights remain intact. You can still obtain copies of your PHI, request corrections, set certain restrictions, and choose confidential communication channels. Core care and claims processing typically continue because those activities do not require authorization.
Consider your goals: if the benefit of sharing PHI with a particular third party outweighs privacy concerns, a narrowly tailored authorization—limited in scope, recipients, and duration—can balance openness and control. If not, declining is a valid choice.
Summary
In most situations, declining HIPAA authorization will not interrupt treatment, payment, or healthcare operations. It mainly limits optional uses and disclosures. You can revoke an authorization later, and authorizations expire by date or event. Understanding these guardrails lets you decide how your protected health information is used and disclosed.
FAQs
What rights do individuals have to decline HIPAA authorization?
You may refuse any authorization that is not legally required. Covered entities must clarify when an authorization is voluntary, and declining generally should not affect core care, billing, or essential healthcare operations. You also retain rights to access, request restrictions, and choose confidential communications.
How does declining HIPAA authorization affect healthcare services?
Care, claims, and operational activities continue because HIPAA permits those without authorization. Declining mainly affects optional sharing—such as marketing, certain fundraising, research that requires authorization, or releasing PHI to third parties not involved in your care—potentially causing delays or requiring you to share records yourself.
Can healthcare providers refuse treatment if authorization is declined?
Generally, no. Providers may not condition core treatment on signing an authorization. Limited exceptions exist, such as certain research-related treatment or specific plan enrollment or underwriting functions permitted by law. Outside these narrow cases, refusal to sign should not result in denial of medically necessary care.
What happens if I revoke my HIPAA authorization?
Submit a written revocation to the covered entity. They must stop using or disclosing your PHI under that authorization going forward, except where they have already relied on it or where an insurer may use PHI to contest a claim or policy if the authorization was a condition of coverage. Routine HIPAA-permitted activities continue without interruption.