HIPAA Patient Authorization Form: 45 CFR 164.508 Requirements, Revocation Rights, and Redisclosure Notices


Kevin Henry

HIPAA

January 29, 2024

7 minutes read

Core Elements of HIPAA Authorization

Under 45 CFR 164.508, a valid HIPAA patient authorization must contain specific, foundational items. These elements ensure patient consent is informed, targeted, and auditable for covered entity compliance.

Elements you must include

  • Description of PHI: Identify the information in a specific and meaningful way (for example, “office visit notes from 10/01/2025–10/31/2025,” not “all records”).
  • Who may disclose: Name or specifically identify the person or class of persons authorized to disclose the information.
  • Who may receive: Name or specifically identify the person or class of persons to whom the disclosure may be made.
  • Purpose of disclosure: State each purpose, or use “at the request of the individual” if the patient prefers not to specify.
  • Expiration of authorization: Include a date or event tied to the individual or the purpose (for example, “one year from signature” or “at the conclusion of the appeal”). Certain research authorizations may use “end of the research study,” and some research repositories may allow no expiration, as permitted by the rule.
  • Signature and date: The individual must sign and date. If a personal representative signs, include a description of authority (for example, legal guardian).

Practical scope control

Although the minimum necessary standard does not apply to disclosures made pursuant to a valid authorization, you should narrowly describe the PHI to be disclosed. Doing so aligns with patient consent expectations and reduces redisclosure risks downstream.

Beyond the core elements, 45 CFR 164.508 requires specific statements that clarify rights and consequences. Include all applicable statements below.

  • Right to revoke in writing: Explain that the individual may revoke the authorization in writing at any time, how to do so, and the exceptions—such as actions already taken in reliance on the authorization or, in some cases, when the authorization was a condition of obtaining insurance coverage and other law allows the insurer to contest a claim or policy.
  • Treatment conditioning disclosure: State whether signing is a condition of treatment, payment, enrollment, or eligibility for benefits. If you can condition care (for example, research-related treatment or services provided solely to create PHI for a third party), describe the consequences of declining to sign.
  • Redisclosure risks notice: Inform the individual that information disclosed under the authorization may be subject to redisclosure by the recipient and may no longer be protected by HIPAA.
  • Marketing or sale of PHI (when applicable): If the authorization covers marketing communications or the sale of PHI, clearly state that the covered entity may receive remuneration, as required by the rule.

Plain Language Requirements

The authorization must be written in plain language. Your goal is clarity: a reasonable person should understand what will be disclosed, to whom, for what purpose, for how long, and how to revoke.

Tips to meet the plain-language standard

  • Use everyday terms and define necessary acronyms (for example, “PHI means your health information that identifies you”).
  • Organize with short sentences, clear headings, and concise bullets; avoid legalese and cross-references that force the reader to hunt for meaning.
  • Spell out who will send the information and who will receive it, using names or simple descriptions (for example, “Dr. Smith’s office,” “XYZ Research Team”).
  • State the expiration in a straightforward way and give concrete examples of what is and is not included.
  • Provide a simple “How to revoke” instruction with a mailing or email address and a contact point for questions.

Providing Copies to Individuals

When a covered entity seeks an authorization from an individual for its own use or disclosure of PHI, it must provide the individual with a copy of the signed authorization (45 CFR 164.508(c)(4)). The simplest approach is to hand or send a copy immediately after signature, whether the form is on paper or electronic.

Operational practices for covered entity compliance

  • Deliver the copy promptly: Provide a paper or electronic copy at or right after signing; confirm the individual’s preferred format.
  • Retain records: Keep the signed authorization (and any revocation) as required by HIPAA documentation rules—generally at least six years from the date of creation or last effective date.
  • Document delivery: Note when and how the copy was provided to the individual to create a clear compliance trail.
  • Electronic workflows: If using e-signatures, verify the signer's identity, capture the exact form version and text the individual saw, and keep tamper-evident system logs that show who signed, when, and what was agreed to, so the record can be produced if the authorization is later disputed.

Revocation Rights and Procedures

Individuals may revoke an authorization at any time, provided the revocation is in writing. Your form must tell people exactly how to do this and where to send the revocation.

How to operationalize revocation in writing

  • Accept written revocations: Allow mail, secure email, patient portal message, or in-person delivery to the privacy office or other designated contact.
  • Act prospectively: Once received, stop further uses or disclosures based on that authorization. You may continue to use or disclose PHI already relied upon before receipt of the revocation, as permitted by the rule.
  • Explain exceptions: If the authorization was required to obtain insurance coverage and other law permits the insurer to contest a claim or policy, note this limitation in your form.
  • Notify downstream parties when feasible: Update internal systems, alert business associates as appropriate, and document the revocation and effective date.
  • Confirm to the patient: Send a brief confirmation that the revocation was processed and the effective date, reinforcing transparency and trust.
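The checks described under the core elements, required statements, and revocation sections above can be enforced in software when authorizations are captured electronically. The following is an added example, not code from the original article or from any vendor's product: a small validator for the 45 CFR 164.508 elements and required statements, plus a decision function that applies a written revocation prospectively (disclosures dated before the revocation was received remain covered; later ones are refused). The Authorization dataclass, its field names, the function names, and the sample record are assumptions made for illustration, not any regulatory or vendor schema.

```python
# Added example (not from the article): validate the 45 CFR 164.508 elements and
# required statements, then decide whether a proposed disclosure is still permitted.
# The dataclass, field names and sample record below are illustrative assumptions.
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Statements 164.508(c)(2) requires on every authorization form.
REQUIRED_STATEMENTS = frozenset({"revocation", "conditioning", "redisclosure"})


@dataclass
class Authorization:
    phi_description: str                  # (c)(1)(i) specific, meaningful description
    discloser: str                        # (c)(1)(ii) who may disclose
    recipients: tuple[str, ...]           # (c)(1)(iii) who may receive
    purpose: str                          # (c)(1)(iv) purpose, or "at the request of the individual"
    signed_by: str                        # (c)(1)(vi) individual or personal representative
    signed_on: Optional[date]             # (c)(1)(vi) date of signature
    expiration_date: Optional[date] = None    # (c)(1)(v) a date or an event is required
    expiration_event: Optional[str] = None
    signed_by_representative: bool = False
    representative_authority: Optional[str] = None  # required when a representative signs
    statements: frozenset = frozenset()   # which (c)(2) statements the form carries
    marketing_or_sale: bool = False
    remuneration_statement: bool = False  # required for marketing / sale authorizations
    # Operational state tracked by the covered entity, not part of the form text.
    revocation_received_on: Optional[date] = None
    expiration_event_occurred: bool = False


def validation_errors(auth: Authorization) -> list[str]:
    """Return the defects that would make this authorization invalid (empty list if none)."""
    errors: list[str] = []
    if not auth.phi_description.strip():
        errors.append("phi_description: describe the PHI specifically and meaningfully")
    if not auth.discloser.strip():
        errors.append("discloser: identify who may make the disclosure")
    if not auth.recipients or not all(r.strip() for r in auth.recipients):
        errors.append("recipients: identify who may receive the PHI")
    if not auth.purpose.strip():
        errors.append("purpose: state each purpose or 'at the request of the individual'")
    if auth.expiration_date is None and not auth.expiration_event:
        errors.append("expiration: an expiration date or event is required")
    if auth.signed_on is None or not auth.signed_by.strip():
        errors.append("signature: the individual (or representative) must sign and date")
    if auth.signed_by_representative and not auth.representative_authority:
        errors.append("representative_authority: describe the representative's authority")
    missing = REQUIRED_STATEMENTS - auth.statements
    if missing:
        errors.append("statements: missing " + ", ".join(sorted(missing)))
    if auth.marketing_or_sale and not auth.remuneration_statement:
        errors.append("remuneration: marketing/sale authorizations must state remuneration")
    return errors


def disclosure_permitted(auth: Authorization, recipient: str, on: date) -> tuple[bool, str]:
    """Decide whether disclosing to `recipient` on `on` may rely on this authorization.

    Revocation is prospective: a disclosure dated before the written revocation was
    received stays covered (reliance), one dated on or after that day is refused.
    """
    if validation_errors(auth):
        return False, "authorization is defective; no disclosure may rely on it"
    if auth.signed_on is not None and on < auth.signed_on:
        return False, "disclosure predates the signature"
    if auth.revocation_received_on is not None and on >= auth.revocation_received_on:
        return False, f"revoked in writing, received {auth.revocation_received_on}"
    if auth.expiration_date is not None and on > auth.expiration_date:
        return False, f"expired on {auth.expiration_date}"
    if auth.expiration_event and auth.expiration_event_occurred:
        return False, f"expiration event occurred: {auth.expiration_event}"
    if recipient not in auth.recipients:
        return False, f"{recipient!r} is not a named recipient"
    return True, "permitted"


# Constructed sample record (illustrative names and dates only).
SAMPLE = Authorization(
    phi_description="Office visit notes from 10/01/2025 to 10/31/2025",
    discloser="Dr. Smith's office",
    recipients=("XYZ Research Team",),
    purpose="Enrollment in the XYZ study",
    signed_by="Jane Doe",
    signed_on=date(2025, 11, 3),
    expiration_event="end of the research study",
    statements=frozenset({"revocation", "conditioning", "redisclosure"}),
)


def run_checks() -> dict[str, object]:
    """Exercise the validator and the prospective revocation logic on SAMPLE."""
    revoked = replace(SAMPLE, revocation_received_on=date(2025, 11, 15))
    defective = replace(SAMPLE, statements=frozenset({"revocation"}))
    by_rep = replace(SAMPLE, signed_by="John Doe", signed_by_representative=True)
    return {
        "errors_complete": validation_errors(SAMPLE),
        "errors_defective": validation_errors(defective),
        "errors_representative": validation_errors(by_rep),
        "before_revocation": disclosure_permitted(revoked, "XYZ Research Team", date(2025, 11, 10))[0],
        "after_revocation": disclosure_permitted(revoked, "XYZ Research Team", date(2025, 11, 20))[0],
        "wrong_recipient": disclosure_permitted(SAMPLE, "Other Clinic", date(2025, 11, 10))[0],
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The decision function refuses every disclosure once the form itself is defective, which matches the rule's treatment of a defective authorization as invalid; the recipient check is an exact match against the named recipients, so a form written with an open-ended class would need its own matching logic, which is one more reason to name recipients precisely.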

Redisclosure Notice Obligations

Your authorization must warn about redisclosure risks: once PHI is disclosed to a recipient that is not subject to HIPAA, it may be re-shared and may no longer be protected by the HIPAA Privacy Rule. This transparency is essential to informed patient consent.

Reducing redisclosure risks in practice

  • Limit scope: Describe only the PHI necessary to fulfill the request; narrower descriptions reduce exposure if redisclosure occurs.
  • Name recipients precisely: Identify the specific organization(s) or role(s) receiving the PHI; avoid open-ended classes when possible.
  • Use purpose-bound expirations: Tie the expiration of authorization to the stated purpose so access does not extend longer than needed.
  • Recognize stronger protections: Certain data (for example, substance use disorder information under federal law or sensitive data under state law) may carry extra protections even after disclosure; tailor your notice language accordingly.

Conclusion

A compliant HIPAA authorization under 45 CFR 164.508 clearly identifies the PHI, the sender and recipient, the purpose, the expiration of authorization, and includes mandatory statements on revocation in writing, treatment conditioning, and redisclosure risks. Provide a copy to the individual, retain records, and implement straightforward revocation procedures. These steps align patient consent with covered entity compliance and reduce legal and operational risk.

FAQs

What information must be included in a HIPAA authorization form?

A valid form includes the core elements: a specific description of the PHI; who may disclose it; who may receive it; the purpose of disclosure (or “at the request of the individual”); an expiration date or event; and the individual’s signature and date (plus the representative’s authority, if applicable). It must also include required statements on revocation, treatment conditioning, and redisclosure risks, and any applicable statement about remuneration for marketing or sale of PHI.

How can an individual revoke a HIPAA authorization?

At any time, the individual may revoke in writing by sending a signed revocation to the covered entity’s designated contact (for example, the privacy office). After receipt, the entity must stop future uses or disclosures under that authorization, except to the extent it has already acted in reliance or where other law allows an insurer to contest a claim or policy when the authorization was required for coverage.

What are the risks of redisclosure after authorization?

When PHI is disclosed to a recipient not covered by HIPAA, it may be redisclosed and may no longer be protected by HIPAA. You can mitigate redisclosure risks by limiting the scope of PHI authorized, naming recipients precisely, tying the expiration to the purpose, and recognizing categories that retain enhanced protections under other laws.

When must a covered entity provide a copy of the authorization?

The covered entity must provide the individual with a copy of the signed authorization. Best practice is to deliver the copy immediately after signature in the individual’s preferred format (paper or electronic) and keep documentation showing when and how it was provided.
