Required Elements of a HIPAA Authorization Form: 45 CFR 164.508 Checklist
Core Elements of a HIPAA Authorization Form
Under 45 CFR 164.508, an individual authorization is valid only if it contains all core elements. Use the checklist below to ensure every required item is present and clearly stated.
Core elements checklist
- Description of PHI: Identify the information to be used or disclosed in specific, meaningful terms (for example, “complete cardiology records from January 2023–present”).
- Who may disclose: Name the covered entity (or specific workforce members or a class of persons) authorized to make the disclosure.
- Who may receive: Name the person, organization, or class of persons authorized to receive the PHI.
- Purpose of use/disclosure: State the reason for the disclosure, or use “at the request of the individual” when appropriate.
- Expiration: Include an authorization expiration date or a clear event tied to the individual or the purpose (for example, “end of treatment episode”).
- Signature and date: Obtain the individual’s signature and date; if signed by a personal representative, describe the representative’s authority to act for the individual.
Each element should be easy to locate and written in plain language so the individual understands the disclosure permission being granted and its limits.
Required Statements in a HIPAA Authorization Form
Beyond the core elements, 45 CFR 164.508 requires three statements that inform the individual about consequences and choices.
- Revocation rights: Explain that the individual may revoke the authorization in writing at any time and describe how to submit the revocation, including any exceptions (for example, actions already taken in reliance on the authorization).
- Conditioning notice: State whether the covered entity will condition treatment, payment, enrollment, or eligibility for benefits on signing the authorization, and, if so, the consequences of refusing to sign.
- Re-disclosure notice: Warn that information disclosed may be subject to re-disclosure by the recipient and may no longer be protected by HIPAA.
These statements ensure the individual understands their revocation rights, potential outcomes of declining to sign, and the risk that disclosed PHI could be shared further by others.
Additional Requirements for HIPAA Authorization Forms
HIPAA also imposes form, content, and process requirements that support transparency and informed decision-making.
- Plain language requirement: Draft the authorization in straightforward, non-technical language that an average reader can understand.
- Copy to the individual: Provide a copy of the signed authorization to the individual for their records.
- Scope limits: Do not combine an authorization with other documents if doing so could confuse or coerce the individual; special rules apply to research, marketing, and psychotherapy notes.
- Special-case statements: If the authorization permits marketing or the sale of PHI, include a statement that the covered entity will receive financial remuneration, as applicable.
- Psychotherapy notes: Uses and disclosures of psychotherapy notes generally require a distinct, specific authorization.
- Record retention: Maintain signed authorizations and any related documentation as required by HIPAA privacy rule recordkeeping standards.
- Electronic execution: Paper or electronic signatures are acceptable if valid under applicable law and if all HIPAA elements and statements are present.
Signature and Expiration Details
A valid authorization must be executed by the individual (or their personal representative) and must clearly state when it ends.
Signature specifics
- Individual signature and date: The form is not effective until signed and dated by the individual.
- Personal representative: If a representative signs, include a description of the representative’s authority (for example, healthcare power of attorney).
Authorization expiration
- Date or event: Use a calendar date (for example, “12/31/2026”) or an event related to the individual or disclosure purpose (for example, “end of litigation”).
- Research scenarios: For research, it is common to use events such as “end of the research study.” For certain repositories or databases, longer or open-ended timeframes may be used as permitted by HIPAA.
- Clarity matters: Vague statements like “until revoked” are not sufficient by themselves; pair them with a clear date or event to avoid an invalid authorization.
Always verify that authorization expiration is stated plainly and that it aligns with the intended purpose and duration of the disclosure.
Purpose and Scope of Disclosure
The form must define why PHI will be used or disclosed and the boundaries of that disclosure permission.
Defining the purpose
- Purpose description: Identify the reason (for example, coordination with a specialist, legal claim, or insurance review) or indicate “at the request of the individual.”
- Alignment: Ensure the scope of PHI requested fits the stated purpose and does not exceed what is reasonably necessary for that purpose.
Setting the scope
- Type of PHI: Specify categories (for example, diagnostic images, lab results, billing statements) and relevant date ranges.
- Who may use/disclose and who may receive: Identify the covered entity or class of disclosers, and the designated recipients or class of recipients.
- Method and frequency: Note if disclosures are one-time or ongoing during the authorization window, and whether they may occur electronically, by mail, or in person.
Clear purpose and scope language helps individuals understand exactly what they are authorizing and helps covered entities administer disclosures consistently.
Rights and Revocation Process
HIPAA protects the individual’s ability to change their mind and limits when authorizations can be required.
Exercising revocation rights
- How to revoke: The form must explain how to submit a written revocation (for example, mailing, secure portal, or in-person delivery to the privacy office).
- Effect of revocation: Revocation stops future uses and disclosures under the authorization but does not affect actions already taken in reliance on it.
- Insurance caveat: If the authorization was a condition of obtaining insurance coverage, the insurer may retain rights under the policy to contest a claim or the policy itself.
Refusing to sign and alternatives
- Refusal: Individuals may refuse to sign; treatment or benefits generally cannot be conditioned on an authorization, except in limited, permitted circumstances (for example, research-related treatment).
- Alternatives: Individuals can request access to their own PHI or request restrictions independent of any authorization.
Summary
To comply with 45 CFR 164.508, ensure every authorization includes all core elements, the three required statements, clear signature and authorization expiration details, and plain language instructions for scope and revocation. Doing so protects individual autonomy, supports informed disclosure permission, and helps covered entities demonstrate compliant, consistent practices.
FAQs
What are the core elements required in a HIPAA authorization form?
Six elements are required: a specific description of the PHI; who may disclose; who may receive; the purpose of use or disclosure (or “at the request of the individual”); an expiration date or event; and the individual’s signature and date, including a description of representative authority when applicable.
How must the authorization form be formatted according to HIPAA rules?
HIPAA requires plain language and elements that are easy to locate. The authorization may be paper or electronic, must be kept distinct from other documents where combining them could confuse the individual, must include the three required statements, and a copy of the signed form must be provided to the individual.
What rights does an individual have regarding revoking a HIPAA authorization?
An individual may revoke in writing at any time. Revocation halts future uses and disclosures under the authorization but does not undo actions already taken in reliance on it. If the authorization was a condition of obtaining insurance coverage, the insurer may retain limited rights to contest a claim or the policy.
How is the expiration or event related to the authorization determined?
Choose a date or event tied to the purpose or the individual—such as a calendar date, “end of treatment,” or “end of litigation.” For research, “end of the research study” is common; certain repositories may justify longer or open-ended timeframes as permitted by HIPAA. The expiration must be clear and specific to keep the authorization valid.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.