HIPAA Authorization Requirements: Essential Elements You Must Include
You need a HIPAA authorization when you use or disclose protected health information (PHI) for a purpose not otherwise permitted by the Privacy Rule. Use this guide to ensure every authorization you create is complete, compliant, and easy for individuals to understand.
Core Elements of a Valid HIPAA Authorization
Elements you must include
- Description of Information to be Disclosed: Specify exactly what PHI may be used or disclosed (for example, visit dates, lab results, imaging, billing records). Avoid blanket phrases like “all records” unless truly necessary and appropriate.
- Who may disclose: Identify the covered entity or specific provider(s) authorized to make the disclosure.
- Who may receive: Name the recipient(s) or provide “other specific identification” (for example, “XYZ Law Firm and its agents”).
- Purpose: State the purpose of the use or disclosure, or write “at the request of the individual.”
- Expiration Date Requirements: Include a date or event tied to the individual or the purpose (for example, “one year from signature,” “end of claim,” or “end of research”).
- Signature and date: The individual must sign and date. If a representative signs, describe the Personal Representative Authority (for example, legal guardian, health care proxy).
Plain language and scope
Write authorizations in clear, plain language so a reasonable person can understand them. Although the “minimum necessary” standard does not apply to disclosures made pursuant to a valid authorization, you should still narrow the description to only what is needed to fulfill the stated purpose.
Required Statements in a HIPAA Authorization
Notices you must provide
- Written Revocation: Explain that the individual may revoke the authorization in writing at any time, describe how to submit it, and note that revocation does not affect actions already taken in reliance on the authorization.
- Conditioning of Benefits: State whether signing is a condition of treatment, payment, enrollment, or eligibility for benefits. Generally, it is not a condition, with limited exceptions (for example, research-related treatment, pre-enrollment underwriting, or care provided solely to create PHI for a third party).
- Re-Disclosure Notice: Inform the individual that information disclosed to a recipient may be re-disclosed and no longer protected by HIPAA once it leaves the covered entity.
If applicable
- For marketing or sale of PHI, include the required statement that the disclosure will result in remuneration (for marketing, that the covered entity will receive remuneration from a third party; for a sale, that the disclosure itself is for remuneration), where that is the case.
- For psychotherapy notes, use a separate authorization dedicated to those notes.
Prohibited Practices in HIPAA Authorizations
- Do not use vague or overly broad descriptions of PHI; a precise scope is required.
- Do not rely on pre-checked boxes, blank fields, or illegible terms; the individual must make an informed, specific choice.
- Do not condition treatment, payment, enrollment, or eligibility for benefits on signing, except in the limited circumstances permitted by HIPAA and stated in the form.
- Do not combine (“bundle”) an authorization with unrelated documents or consents, except where HIPAA explicitly allows (for example, certain research contexts).
- Do not use an expired or revoked authorization, and do not disclose beyond the scope described.
- Do not disclose psychotherapy notes or sell PHI without an authorization that meets the additional content requirements.
Expiration and Revocation Procedures
Meeting Expiration Date Requirements
Use a calendar date (for example, 11/07/2026) or an event tied to the individual or purpose (for example, “end of appeal,” “completion of study”). For some research-related authorizations, an event such as “end of research” or, where permitted, “no expiration” may be appropriate; ensure your choice aligns with your use case and policy.
How to process a Written Revocation
Tell individuals exactly how to submit revocation (for example, mailing address or secure portal) and to whom it should be directed. Upon receipt, cease further use or disclosure under the authorization, except to the extent you already acted in reliance. Document the revocation, notify relevant staff and business associates, and update release logs so no further disclosures occur under the revoked authorization.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Authorized Disclosures and Recipients
Identifying recipients correctly
List the recipient’s name or provide other specific identification sufficient to uniquely describe who may receive the PHI (for example, “ABC Insurance underwriting department,” “Dr. Lee at River Clinic,” or “Any licensed clinician involved in Ms. Doe’s home health episode”). Include role or organization and, where helpful, contact information to avoid misrouting.
Scoping the release
Match the Description of Information to be Disclosed to the purpose and recipient. Use date ranges, service types, or document categories to define scope. While the minimum necessary standard does not apply to disclosures made with a valid authorization, a narrowly tailored description protects privacy and reduces risk.
Documentation and Signature Guidelines
Signatures, dating, and authority
Ensure the individual’s signature and date appear on the form. When someone signs on the individual’s behalf, record the Personal Representative Authority (such as court-appointed guardian, health care power of attorney, or parent of a minor where applicable). Electronic signatures are acceptable if they are legally valid and your process verifies identity and intent.
Providing a Signed Authorization Copy and record retention
Give the individual a Signed Authorization Copy for their records. Retain the authorization and any revocation for your policy’s retention period (commonly at least six years from creation or last effective date). Keep versions, timestamps, and audit trails to prove authenticity and timing.
Quality checks
- Verify all required elements and statements are present before honoring the request.
- Confirm the expiration has not passed and no revocation is on file.
- Ensure names, dates, and identifiers are accurate and readable.
Summary
To meet HIPAA authorization requirements, include the core elements, the mandated statements, and clear Expiration Date Requirements; avoid prohibited practices; identify recipients precisely; and document signatures, authority, and revocations. Following these steps makes your authorizations valid, understandable, and defensible.
FAQs
What are the necessary components of a valid HIPAA authorization?
A valid authorization includes: a precise Description of Information to be Disclosed; who may disclose; who may receive; the purpose; an expiration date or event; the individual’s signature and date; and, if applicable, a statement of Personal Representative Authority. It must also include the required statements about revocation, conditioning, and re-disclosure.
How can an individual revoke a HIPAA authorization?
They submit a Written Revocation to the contact named on the form (for example, the privacy office). Revocation is effective when received and stops further use or disclosure under that authorization, except for actions already taken in reliance or as otherwise allowed by law.
Can treatment be conditioned on signing a HIPAA authorization?
Generally, no. HIPAA prohibits Conditioning of Benefits—including treatment, payment, enrollment, or eligibility—on signing, with limited exceptions such as research-related treatment, pre-enrollment underwriting, or care provided solely to create PHI for a third party. If an exception applies, the authorization must clearly say so.
What information must be included about the recipient of disclosed information?
You must identify the recipient by name or provide other specific identification that clearly describes who may receive the PHI (for example, a named organization, department, or role). Include enough detail to prevent misdirection and to align the scope of the disclosure with the recipient and purpose.