Elements of a HIPAA Authorization: 6 Core Requirements and 3 Mandatory Statements (2025 Checklist + Examples)


Kevin Henry

January 20, 2024

A valid HIPAA authorization hinges on six core elements and three mandatory statements. This 2025 checklist walks you through each requirement in plain language, shows where Disclosure Consent belongs, and gives copy-ready example clauses you can adapt to your forms.

Use the sections below to verify that your authorization covers Protected Health Information precisely, identifies the right parties, states a clear purpose, sets an Authorization Expiration, captures a proper signature, and includes the three required notices: Revocation of Authorization, Treatment and Payment Conditions (including Enrollment Eligibility), and Re-disclosure Risk.

Description of Protected Health Information

Your authorization must describe the specific Protected Health Information (PHI) to be used or disclosed. Be concrete and limit the scope to what is reasonably needed for the stated purpose.

What this requires

  • Identify the type of records (for example, “clinic notes, lab results, imaging, billing statements”).
  • Add a date range or event anchor (“records from 01/01/2023 through 12/31/2024”).
  • List inclusions/exclusions for sensitive categories as applicable (for example, “exclude psychotherapy notes”).
  • Use plain, specific descriptions rather than “any and all,” unless the breadth is truly necessary.
  • Remember: the “minimum necessary” rule does not apply to authorizations, but specificity reduces risk and confusion.

2025 Checklist

  • State record types, date span, and any limits (diagnoses, providers, encounter types).
  • Call out sensitive information if included or excluded.
  • Avoid vague phrases that could be misread by recipients.

Examples

  • “PHI limited to: emergency department notes, discharge summaries, and CT scans dated 03/15/2024–05/30/2024; exclude psychotherapy notes.”
  • “Billing statements and EOBs for claim #A12345, services rendered 02/01/2025–03/31/2025.”

Authorized Disclosing and Receiving Parties

Your form must identify who is authorized to disclose the PHI and who is authorized to receive it. You may name specific persons or a class of persons if that class is sufficiently specific.

What this requires

  • Name the disclosing entity or class (for example, “XYZ Medical Center and its affiliated clinics”).
  • Name the receiving party or class (for example, “ABC Law Firm and its agents involved in case 22-CV-1001”).
  • Include contact details if helpful to route requests correctly.

2025 Checklist

  • Use legal names for organizations; add location if entities share similar names.
  • If a class is used, make it clear (for example, “my treating cardiologists at…”).
  • Confirm the recipient is the right person to fulfill the purpose stated.

Examples

  • “Disclosing party: Riverbend Hospital, 100 Main Street, Springfield.”
  • “Recipient: BrightLife Insurance Underwriting Department.”

Purpose of Disclosure

The authorization must state the purpose of the disclosure, or indicate that the disclosure is “at the request of the individual.” Keep the purpose aligned with the PHI scope you described.

Purpose options

  • At the request of the individual (simple, broad, and acceptable).
  • Specific purposes such as legal review, continuity of care, insurance underwriting, employment accommodation, or personal records.

2025 Checklist

  • Use one concise statement; avoid extraneous detail.
  • Ensure the scope of PHI is proportionate to the stated purpose.
  • If marketing or research is involved, verify any additional notices your organization requires.

Examples

  • “Purpose: at my request to obtain a personal copy.”
  • “Purpose: evaluation of claim #B67890 by ABC Law Firm.”

Expiration Date and Event Specification

Every authorization needs an Authorization Expiration—a specific date or a clear event tied to you or the purpose. When the expiration occurs, the authorization can no longer be used.

2025 Checklist

  • Choose a concrete date (for example, “12/31/2025”) or a precise event (“upon conclusion of workers’ compensation claim #WC-00987”).
  • For ongoing activities, use event-based language that is objectively determinable.
  • Re-authorization is required if the expiration date or event has passed.

Examples

  • “This authorization expires on 09/30/2025.”
  • “This authorization expires at the conclusion of appeal #2025-1142.”

Individual Signature and Date

The authorization must include your signature and the date signed. A personal representative may sign if authorized under applicable law; their authority must be described.

If a personal representative signs

  • State the relationship and authority (for example, “parent of minor,” “health care proxy,” “court-appointed guardian”).
  • Attach supporting documents if the disclosing entity requests them.

2025 Checklist

  • Include printed name, signature, and the date of signature.
  • If electronic signature is used, ensure it meets the organization’s authentication requirements.
  • Provide contact information for follow-up if needed.

Example

“Signature: ______________________ Date: ___/___/2025 Printed Name: ______________________ If signed by personal representative, describe authority: ______________________.”

Revocation Rights Statement

Your form must include a statement that you may revoke the authorization at any time, in writing, except to the extent the disclosing party has already acted in reliance on it. This is the core of the Revocation of Authorization notice.

2025 Checklist

  • Tell users how to revoke (mail, portal, fax, or in person) and where to send it.
  • State that revocation will not affect disclosures already made in reliance on the authorization.
  • Advise that processing time may apply, and disclosures may continue until the revocation is received and logged.

Example

“You may revoke this authorization at any time by submitting a written request to Privacy Office, XYZ Medical Center, 100 Main Street, Springfield, or via patient portal. Your revocation will not affect actions already taken in reliance on this authorization.”

Conditions on Treatment and Benefits

Your authorization must clarify whether signing is required for treatment, payment, or benefits. Generally, treatment or coverage is not conditioned on your signature, but there are limited situations involving Treatment and Payment Conditions or Enrollment Eligibility where a signed authorization may be needed (for example, research-related treatment or certain plan enrollment activities).

2025 Checklist

  • State clearly that care, payment, enrollment, or eligibility for benefits is not conditioned on signing, unless an allowed exception applies.
  • If an exception applies, describe it briefly and plainly (for example, “authorization required to participate in this research study”).
  • Avoid implying that refusing to sign will result in broad denial of unrelated services.

Example

“We will not condition your treatment, payment, plan enrollment, or eligibility for benefits on your signing this authorization, except if the authorization is necessary to provide research-related treatment or to determine plan enrollment or eligibility.”

Re-disclosure Potential Notice

The authorization must warn that PHI disclosed to the recipient may be subject to Re-disclosure Risk and may no longer be protected by HIPAA. Other federal or state laws might still apply, but HIPAA protections typically end once the recipient receives the information, unless the recipient is also a HIPAA-covered entity or business associate.

What to clarify

  • State that once disclosed, the PHI could be re-disclosed by the recipient.
  • Note that HIPAA may no longer apply to the information in the recipient’s hands.
  • Encourage recipients to safeguard the information and limit onward sharing.

Example

“Information disclosed pursuant to this authorization may be re-disclosed by the recipient and may no longer be protected by HIPAA.”

Quick recap for 2025

To build a compliant, user-friendly authorization in 2025, ensure all six core elements are present (PHI description, disclosing party, receiving party, purpose, expiration, and signature) and include the three mandatory statements (revocation rights, conditions on treatment/payment/enrollment eligibility, and re-disclosure notice). Keep language specific, align PHI scope with purpose, and provide clear instructions for revocation.

FAQs

What are the six core elements of a HIPAA authorization?

The six elements are: (1) description of the Protected Health Information to be used or disclosed; (2) the person(s) or class of persons authorized to make the disclosure; (3) the person(s) or class of persons to whom the disclosure may be made; (4) the purpose of the disclosure or “at the request of the individual”; (5) an Authorization Expiration by date or event; and (6) the individual’s signature and date (or personal representative’s signature and description of authority).

What mandatory statements must be included in a HIPAA authorization?

Three statements are mandatory: (1) you may revoke the authorization in writing at any time, except to the extent already relied upon; (2) whether signing is a condition of treatment, payment, plan enrollment, or eligibility for benefits, including any applicable exceptions; and (3) a notice that disclosed information may be subject to re-disclosure by the recipient and may no longer be protected by HIPAA.

Can a HIPAA authorization be revoked after signing?

Yes. You can revoke a HIPAA authorization at any time by submitting a written revocation to the address or channel listed on the form. Revocation stops future uses and disclosures under that authorization but does not affect disclosures already made in reliance on it.
