HIPAA Authorization Requirements: 45 CFR 164.508 Required Elements Checklist (With Examples)


Kevin Henry

HIPAA

January 30, 2024


This guide distills HIPAA authorization requirements under 45 CFR 164.508 into a practical checklist with examples you can reuse. It explains what a covered entity must include, how to satisfy the plain language requirement, where a personal representative may sign, and how revocation and redisclosure work in practice.

Use it to validate forms quickly, reduce risk, and ensure each authorization contains every core element, required statement, and clearly defined expiration event or date.

Core Elements of a Valid HIPAA Authorization

Checklist

  • Description of PHI: Identify the information to be used or disclosed in a specific and meaningful way (for example, “CBC and lipid panel from March–May 2025”).
  • Who may use/disclose: Name or specifically identify the person(s) or organization(s) authorized to use or disclose the PHI (for example, “Dr. Lee and XYZ Clinic”).
  • Who may receive: Name or specifically identify the person(s) or organization(s) permitted to receive the PHI (for example, “ABC Life Insurance underwriting department”).
  • Purpose: State each purpose, or write “At the request of the individual” when applicable.
  • Expiration date or event: Provide a clear expiration date or an expiration event that relates to the individual or the purpose (for example, “Upon claim closure,” “End of research study”).
  • Signature and date: The individual must sign and date. If a personal representative signs, include a description of their authority (for example, “Parent of minor” or “Health care power of attorney”).

Examples

  • Scope example: “This authorization permits XYZ Clinic to disclose my MRI report dated August 12, 2025, and associated radiology impressions to ABC Orthopedics for surgical consultation.”
  • Recipient example: “Disclose to: ABC Life Insurance, Underwriting Unit, for policy application.”
  • Purpose example: “Purpose: Evaluate eligibility for long-term care coverage at my request.”
  • Expiration event example: “Expires when my workers’ compensation claim number WC-112233 is resolved.”
  • Personal representative example: “Signed by Jane Smith, personal representative, as court-appointed guardian.”

Required Statements in a HIPAA Authorization

The three statements you must include

  1. Right to revoke: State that the individual may revoke the authorization in writing, describe the exceptions to that right (uses and disclosures already made in reliance on the authorization, and authorizations obtained as a condition of insurance coverage where other law gives the insurer a right to contest a claim or the policy itself), and either explain how to revoke (address, email, or portal) or point to the section of your notice of privacy practices that explains it.
  2. Treatment condition statement: State either that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on signing the authorization, or, where conditioning is permitted (for example, research-related treatment), describe the consequences of refusing to sign.
  3. Redisclosure notice: Warn that information disclosed to the recipient may be subject to redisclosure by that recipient and may no longer be protected by HIPAA.

Sample language you can adapt

  • Written Revocation: “I understand I may revoke this authorization at any time by sending a written revocation to the Privacy Officer at 123 Health St., City, ST 00000, or via secure portal. Revocation will not affect uses/disclosures already made in reliance on this authorization.”
  • Treatment Condition: “Treatment, payment, enrollment, or eligibility for benefits is not conditioned on signing this authorization, except for research-related treatment where authorization is required.”
  • Redisclosure Notice: “Information disclosed under this authorization may be redisclosed by the recipient and may no longer be protected by HIPAA.”

Additional Requirements for HIPAA Authorization

Plain Language Requirement

Write the authorization in plain, everyday language. Use short sentences, define uncommon terms, and avoid dense legal jargon. Test readability and remove ambiguities so individuals can easily understand what they are signing.

Copies and recordkeeping

  • Give the individual a copy of the signed authorization.
  • Retain the authorization per your record retention policy and applicable rules.

Psychotherapy notes

An authorization for psychotherapy notes must be a separate form. It may be combined only with another authorization for psychotherapy notes, never with an authorization for other PHI.

Marketing and sale of PHI

  • Marketing: If the authorization permits a marketing use or disclosure and the marketing involves financial remuneration to the covered entity from a third party, the form must state that such remuneration is involved.
  • Sale of PHI: Any authorization permitting a sale of PHI must state that the disclosure will result in remuneration to the covered entity.

Compound authorizations

Combining authorizations is limited. An authorization for psychotherapy notes cannot be combined with any other authorization (see above). A research authorization may be combined with another written permission for the same or a different study, including a consent to participate in the research or an authorization for a research database or repository. If the provider has conditioned research-related treatment on one of the combined authorizations, the form must clearly separate the conditioned and unconditioned parts and let the individual opt in to the unconditioned research activities. Otherwise, authorizations may be combined only when the covered entity has not conditioned treatment, payment, enrollment, or eligibility on one of them.

Personal representatives and minors

When a personal representative signs, describe the representative’s authority (for example, parent of a minor, legal guardian, or agent under a health care power of attorney). Be mindful of state rules that may give minors control over certain sensitive services.

Minimum necessary and scope

The minimum necessary standard does not apply to disclosures made pursuant to a valid authorization, but you should still describe the PHI precisely to limit risk and avoid overbroad disclosures.

Drafting a HIPAA Authorization Form

Step-by-step

  1. Identify parties: Name the covered entity (and any business associate if appropriate) authorized to disclose and the recipient who may receive the PHI.
  2. Define purpose: State each purpose clearly or “At the request of the individual.”
  3. Specify PHI: List documents, dates of service, or data types. Avoid vague phrases like “all records” unless that scope is truly necessary and understood.
  4. Select an expiration event: Choose a date or event tied to the purpose (for example, “End of research study,” “Completion of appeal,” or a specific date).
  5. Add required statements: Insert the written revocation process, the treatment condition statement, and the redisclosure notice.
  6. Signature block: Include signature and date lines for the individual, and for a personal representative include a description of authority.
  7. Plain language and delivery: Use clear, readable text and provide a copy of the signed authorization to the individual.

Mini template (illustrative)

Purpose: At the request of the individual. PHI: Office notes and lab results from 01/01/2025–06/30/2025. Disclose by: XYZ Family Practice (covered entity). Disclose to: ABC Life Insurance Underwriting.

Expiration Event: Upon issuance of policy number _______ or denial of application, whichever occurs first.

Required Statements: I may submit a written revocation to the Privacy Officer at _______. Treatment, payment, enrollment, or eligibility is not conditioned on signing (except for research-related treatment). Information disclosed may be subject to redisclosure by the recipient and may no longer be protected by HIPAA.

Signature: ________ Date: ________ If signed by personal representative, describe authority: ________


Common Errors in HIPAA Authorizations

  • Missing or vague PHI description (fix: specify document types, service dates, or data elements).
  • No expiration date or expiration event (fix: tie it to a concrete date or purpose-driven event).
  • Omitting the required statements (fix: embed revocation, treatment condition, and redisclosure notice every time).
  • Leaving out the recipient or the disclosing covered entity (fix: name or specifically identify each party).
  • Improper signatures (fix: require date, and for a personal representative, capture the description of authority).
  • Combining psychotherapy notes with other authorizations (fix: use a separate, dedicated authorization).
  • Using legalese that violates the plain language requirement (fix: simplify and test readability).

Revocation and Expiration of Authorizations

Revocation

An individual may revoke an authorization at any time, provided the revocation is in writing; your form should name the accepted channel (mail, secure portal, or email as permitted). Once received, the revocation stops future uses and disclosures, but it does not undo actions the covered entity already took in reliance on the authorization. One further exception applies: where the authorization was obtained as a condition of obtaining insurance coverage, other law may give the insurer the right to contest a claim under the policy or the policy itself.

Expiration

When the stated expiration date or expiration event occurs, the authorization is no longer valid and cannot be used. For research, using “end of the research study” (or, when appropriate, “none” for ongoing repositories) is acceptable when clearly explained.

Operational tips

  • Track expirations and revocations in your disclosure log and notify affected staff promptly.
  • Once PHI has been disclosed to a recipient that is not a covered entity or business associate, the Privacy Rule no longer protects it; consider contractual safeguards with the recipient when feasible.
  • Retain the signed authorization and any revocation according to your retention policy.
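As an added illustration of how revocation and expiration interact with a disclosure log (example code written for this page, not part of the original article or of any Accountable product), the Python below classifies each logged disclosure as permitted or not. The record layout and field names are this example's own, as are the two timing assumptions in the docstring (an expiration date, or the day an expiration event occurs, is inclusive; a revocation received on a given day blocks disclosures dated that day). The sample dates are constructed; the claim number WC-112233 reuses the page's own illustrative value.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    """One signed authorization as tracked in a disclosure log.

    Field names are this example's own (hypothetical); the rule fixes the
    required elements, not a schema.
    """
    signed_on: date
    expires_on: Optional[date] = None         # expiration date, if the form uses one
    expiration_event: Optional[str] = None    # expiration event text, if the form uses one
    event_occurred_on: Optional[date] = None  # date the event occurred, once known
    revoked_on: Optional[date] = None         # date the written revocation was received
    for_research: bool = False                # "none" as an expiration is allowed only here


def status_on(auth: Authorization, when: date) -> Tuple[bool, str]:
    """Return (permitted, reason) for a use or disclosure dated `when`.

    Assumptions made for this example, not stated by the rule:
    - the expiration date, or the day the expiration event occurs, is inclusive;
    - a written revocation received on a day blocks disclosures dated that day.
    """
    # Form defects first: a missing expiration is a missing core element.
    if auth.expires_on is None and auth.expiration_event is None:
        return False, "defective form: no expiration date or event"
    if (auth.expiration_event is not None
            and auth.expiration_event.strip().lower() == "none"
            and not auth.for_research):
        return False, "defective form: 'none' is acceptable only for research"
    if when < auth.signed_on:
        return False, "not yet signed"
    # Revocation stops future disclosures; earlier ones stand (reliance).
    if auth.revoked_on is not None and when >= auth.revoked_on:
        return False, "revoked in writing on " + auth.revoked_on.isoformat()
    # Expiration by date, or by the occurrence of the named event.
    if auth.expires_on is not None and when > auth.expires_on:
        return False, "expired on " + auth.expires_on.isoformat()
    if auth.event_occurred_on is not None and when > auth.event_occurred_on:
        return False, "expiration event occurred on " + auth.event_occurred_on.isoformat()
    return True, "permitted"


def audit_log(auth: Authorization,
              disclosure_dates: Iterable[date]) -> List[Tuple[date, bool, str]]:
    """Classify each logged disclosure against the authorization's state that day."""
    return [(d,) + status_on(auth, d) for d in disclosure_dates]


if __name__ == "__main__":
    # Constructed sample: signed in January, written revocation received 15 June.
    auth = Authorization(signed_on=date(2025, 1, 10), expires_on=date(2025, 12, 31),
                         revoked_on=date(2025, 6, 15))
    log = [date(2025, 3, 1), date(2025, 6, 14), date(2025, 6, 15), date(2025, 7, 1)]
    for d, ok, why in audit_log(auth, log):
        print(d.isoformat(), "PERMITTED" if ok else "NOT PERMITTED", "-", why)
```

Run it as a script to print the sample audit, or import it and call `audit_log` over the dates in your own log. The "defective form" reasons surface a missing expiration element, or a non-research "none", before any timing is evaluated, so a bad form is caught even when the dates would otherwise pass.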

Conclusion

A compliant authorization ties precise PHI, parties, purpose, and an expiration event to three plain-language statements about written revocation, treatment condition, and redisclosure. Build these elements into a clear template, capture the right signature, and keep copies to maintain compliance and trust.

FAQs

What are the essential elements of a HIPAA authorization?

Six core elements: a specific description of the PHI; who may use/disclose it; who may receive it; purpose (or “at the request of the individual”); an expiration date or expiration event; and the individual’s signature and date (with a description of authority if signed by a personal representative). Add the three required statements on written revocation, treatment condition, and redisclosure.

How must a HIPAA authorization be written?

In plain language that the average reader can understand. It must include all required elements and statements, identify the covered entity and recipient, provide an expiration date or event, and be signed and dated. Give the individual a copy after signing.

Can a patient revoke a HIPAA authorization?

Yes. A patient may submit a written revocation at any time using the method named in the form. The revocation stops future uses or disclosures but does not undo those already made in reliance on the authorization.

What happens if information is redisclosed by the recipient?

Once PHI is disclosed to a recipient that is not a HIPAA covered entity or business associate, it may be redisclosed and may no longer be protected by HIPAA. The required redisclosure notice alerts the individual to this possibility; contractual or state-law protections may still apply.
