HIPAA Authorization Requirements: When It’s Required and What Must Be Included

Kevin Henry

HIPAA

March 27, 2024

9 minute read

Understanding HIPAA authorization requirements helps you decide when you must obtain written permission before using or disclosing Protected Health Information (PHI) and what that authorization must contain. This guide explains when authorization is required, the mandatory elements and statements, and how issues like research, state law, and re-disclosure affect compliance.

HIPAA Authorization Requirement

Under the HIPAA Privacy Rule, a covered entity (health care provider, health plan, or health care clearinghouse) needs an individual’s written authorization for uses or disclosures of PHI that are not otherwise permitted or required by law.

When authorization is typically required

  • Marketing communications (other than face-to-face communications and promotional gifts of nominal value); when the covered entity receives financial remuneration from a third party for the communication, the authorization must also say so.
  • Sale of PHI or any disclosure that results in direct or indirect payment for PHI.
  • Most disclosures to third parties for non–treatment, payment, or health care operations (TPO) purposes, such as disclosures to employers, life insurers, or attorneys (unless another permission applies).
  • Psychotherapy notes, except for limited uses (e.g., by the originator for treatment, training programs, or when required by law).
  • Research uses or disclosures of PHI when a waiver/alteration has not been approved and the data are not de-identified or a limited data set with a data use agreement.

When authorization is not required

  • Treatment, payment, and health care operations.
  • Disclosures to the individual or their personal representative.
  • Disclosures required by law, for public health and health oversight, for certain law enforcement purposes, and to avert a serious threat to health or safety.
  • Incidental disclosures that occur as a byproduct of an otherwise permitted use or disclosure with reasonable safeguards in place.

Core Elements of HIPAA Authorization

To be valid, an authorization must include all core elements below and be signed and dated by the individual (or their personal representative).

  • A specific and meaningful description of the PHI to be used or disclosed.
  • The name or other specific identification of the person(s) or class authorized to make the requested use or disclosure.
  • The name or other specific identification of the person(s) or class to whom the covered entity may disclose the PHI.
  • The purpose of the requested use or disclosure (or “at the request of the individual”).
  • An Authorization Expiration date or a specific event after which the authorization expires (e.g., “end of the research study”). For research, including the creation or maintenance of a research database or repository, the expiration may be stated as “none” or similar language.
  • The individual’s signature and date; if signed by a personal representative, a description of their authority to act for the individual.

Plain Language Requirement

The authorization must be written in plain language so a reasonable person can understand what PHI will be used or disclosed, by whom, to whom, for what purpose, and for how long.

Required Statements in HIPAA Authorization

HIPAA also requires clear statements that explain rights and limits associated with the authorization.

  • Authorization Revocation: A statement of the individual’s right to revoke the authorization in writing at any time, with a description of how to do so (or a reference to the Notice of Privacy Practices if it contains that description) and any exceptions to the right (e.g., uses or disclosures already made in reliance on the authorization).
  • Conditioning: Whether the covered entity may condition treatment, payment, enrollment, or eligibility for benefits on signing the authorization, and the consequences of refusal where conditioning is permitted.
  • Re-disclosure Notice: PHI disclosed per the authorization may be subject to re-disclosure by the recipient and may no longer be protected by HIPAA (subject to other applicable PHI Disclosure Restrictions).

Additional statements for specific situations

  • Marketing with financial remuneration must state that remuneration is involved.
  • Sale of PHI must state that the disclosure will result in payment to the covered entity.
  • Research Authorization may include optional elements such as the ability to opt in to future contact or future unspecified research if described appropriately.

Informed Consent vs. HIPAA Authorization

Informed consent and HIPAA authorization serve different purposes. Informed consent documents a patient’s agreement to receive a medical procedure or participate in clinical care after understanding the risks, benefits, and alternatives. HIPAA authorization, by contrast, permits the use or disclosure of PHI for a particular purpose not otherwise allowed by HIPAA.

Some organizations also use a general consent for treatment, payment, and operations, but that consent is optional under HIPAA and separate from an authorization. State laws or professional standards may still require consent for certain activities even when HIPAA would not.

Validity of HIPAA Authorization

An authorization is valid if it is complete, signed and dated, written in plain language, not expired, and not revoked. It must not be combined with another document unless HIPAA specifically allows a compound authorization (e.g., certain research scenarios).

Common reasons an authorization is invalid

  • Missing core elements or required statements, or a form that has not been filled out completely.
  • Authorization Expiration date/event omitted, or already passed.
  • Improper or missing signature, or no description of a personal representative’s authority.
  • Material information in the authorization that the covered entity knows to be false.
  • Combination with another document where HIPAA does not permit a compound authorization.
  • Illegible or confusing language that undermines the Plain Language Requirement.

Unless another law applies, PHI disclosed pursuant to a valid authorization is generally not limited by the HIPAA “minimum necessary” standard because the scope is defined by the authorization itself.


Special Considerations for Research

Research Authorization can be a standalone document or combined with informed consent if permitted. For ongoing or future research, HIPAA allows a description that is sufficiently clear to reasonably place the individual on notice of the types of research that may use or disclose their PHI.

  • Compound authorizations are permitted in many research settings if clear choices are provided (e.g., permitting treatment-related research and a separate option for repository use).
  • Expiration may be stated as “end of the research study” or, when allowed, “none.”
  • IRB or Privacy Board waivers/alterations may authorize use/disclosure without individual authorization when criteria are met (e.g., minimal risk to privacy, practicability concerns, adequate safeguards).
  • Certain activities—preparatory to research, research solely on decedents, or use of de-identified data or limited data sets with a data use agreement—do not require individual authorization.

State-Specific Requirements

HIPAA sets a federal floor. If a state law provides stronger privacy protections or greater individual rights, the more stringent state rule controls. You must account for these additional PHI Disclosure Restrictions.

  • Some states require specific formats, additional notices, witness signatures, or shorter Authorization Expiration periods.
  • Sensitive categories such as mental health records, HIV status, genetic information, reproductive health, and minors’ records often carry extra consent or redisclosure limits.
  • Other federal laws (for example, the confidentiality rules for substance use disorder treatment records in 42 CFR Part 2) may impose stricter controls that operate alongside state law and HIPAA.

Always verify applicable state statutes and any specialized federal rules for the location where care is provided and PHI is held.

Revocation of HIPAA Authorization

Individuals may revoke authorization at any time by submitting a written statement to the covered entity, using the contact method described in the form. Authorization Revocation does not affect uses or disclosures already made in reliance on the authorization, or other actions allowed or required by law.

Practical steps to process revocation

  • Record the date the revocation is received and acknowledge receipt to the requester.
  • Notify workforce members and business associates as appropriate to stop further uses/disclosures under the revoked authorization.
  • File the revocation with the original authorization and retain both for at least six years from the date the authorization was last in effect, as HIPAA’s documentation requirements demand, or longer where state law or your retention policy requires.

Conditioning of Treatment on Authorization

As a general rule, a covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on an individual’s signing an authorization.

Limited exceptions

  • Research-related treatment: A provider may condition participation in a research protocol on signing a Research Authorization for that protocol.
  • Care provided solely to create PHI for disclosure to a third party: A provider may require authorization as a condition of furnishing that service (e.g., an exam to provide a report to an employer or insurer).
  • Health plan enrollment or eligibility determinations: A health plan may condition enrollment or eligibility on an authorization needed for permissible underwriting or risk-rating activities, subject to other laws.

Re-disclosure of PHI

Every authorization must warn that Protected Health Information (PHI) disclosed may be subject to re-disclosure by the recipient and may no longer be protected by HIPAA. However, other laws, contracts, or policies can still impose PHI Disclosure Restrictions.

  • Recipients who are covered entities or business associates remain bound by HIPAA for their own uses/disclosures.
  • Data use agreements for limited data sets, and confidentiality rules for certain sensitive records, may prohibit re-disclosure without further permission.
  • When feasible, limit the scope in the authorization itself to reduce downstream re-disclosure risk.

Conclusion

To comply with HIPAA Authorization Requirements, confirm whether authorization is needed, use a plain-language form with all core elements and required statements, set a clear expiration, and document any revocation. Account for research-specific rules, state law, and re-disclosure limitations to protect individuals and reduce organizational risk.

FAQs

When is HIPAA authorization required?

You need authorization for uses or disclosures of PHI not otherwise permitted by HIPAA, such as most third-party requests unrelated to treatment, payment, or operations; marketing with financial remuneration; sale of PHI; psychotherapy notes (with narrow exceptions); and many research disclosures when no waiver applies.

What elements must be included in a HIPAA authorization?

Include a meaningful PHI description; who may use/disclose and to whom; purpose; Authorization Expiration date or event; signature/date (and representative authority if applicable); plus required statements on Authorization Revocation, conditioning, and potential re-disclosure. The form must meet the Plain Language Requirement.

How can an individual revoke a HIPAA authorization?

Submit a written revocation to the covered entity using the instructions provided on the authorization. Revocation stops future uses/disclosures under that authorization but does not undo actions already taken in reliance on it or other disclosures allowed or required by law.

Can treatment be conditioned on providing HIPAA authorization?

Generally no. Limited exceptions allow conditioning: research-related treatment, services performed solely to create PHI for a third party, and certain health plan enrollment or eligibility determinations permitted by law. Outside these scenarios, treatment or payment cannot be conditioned on signing an authorization.
