Requirements for a HIPAA Authorization Form: What Must Be Included for Compliance
Core Elements of a HIPAA Authorization Form
What you must include
- Specific description of the protected health information (PHI) to be used or disclosed (for example, “diagnoses and lab results from 2023–2025”).
- Name or other unique identification of the person or organization authorized to disclose the PHI (such as a hospital, clinic, or provider).
- Name or identification of the person or entity permitted to receive the PHI (for example, a specialist, attorney, or Health Care Service Plan).
- Purpose for the use or disclosure (for treatment, legal claim, insurance review, personal use, or another stated reason).
- An expiration date or a clear Expiration Event (for example, “end of appeal,” “completion of treatment,” or a calendar date).
- Patient Authorization Signature and date.
- If signed by a personal representative, a description of that person’s authority or relationship to the patient.
- Plain-language presentation so the average reader can understand the authorization.
Authorization vs. Notice of Privacy Practices
Your Notice of Privacy Practices explains routine uses of PHI allowed by law, while an authorization is your explicit permission for a non-routine use or disclosure. If an activity is not covered by routine permissions, you must supply a valid authorization with the elements above.
Required Statements in a HIPAA Authorization Form
- Revocation of Authorization: a statement that you may revoke the authorization in writing at any time, with a brief description of how to do so, and an explanation that revocation does not affect actions already taken in reliance on the authorization.
- Conditioning statement: whether a provider, plan, or program may condition treatment, payment, enrollment, or eligibility on signing. In most cases, they may not; limited exceptions must be disclosed when they apply.
- Redisclosure notice: a warning that PHI disclosed pursuant to the authorization may be subject to redisclosure by the recipient and might no longer be protected by HIPAA.
- If applicable, a marketing statement that identifies any direct or indirect payment the disclosing entity receives for a marketing-related disclosure.
- If applicable, a sale-of-PHI statement indicating that the disclosure involves remuneration in exchange for PHI.
- Separate treatment for psychotherapy notes: if psychotherapy notes are involved, obtain a distinct authorization specific to those notes.
CMIA-Regulated Authorization Form Requirements
In California, the Confidentiality of Medical Information Act (CMIA) adds requirements that complement HIPAA. A CMIA-compliant authorization should, at minimum, include the HIPAA core elements and the required statements above, plus California-specific details to increase specificity and patient control.
California-specific expectations
- Identify the discloser and recipient with specificity, including any Health Care Service Plan, affiliated IPA, or third-party administrator by name when known.
- Precisely describe the categories of information to be released and any limitations on use (for example, “exclude genetic testing results” or “for claims audit only”).
- State that signing is voluntary and that refusal will not affect care or benefits, except where limited exceptions apply and are explained.
- Explain the right to receive a copy of the signed authorization.
- Explain the right to revoke and where to send the written revocation (for example, medical records department or privacy office).
- Include a clear expiration date or Expiration Event and any shorter timeframes required by policy.
- Obtain the Patient Authorization Signature and, if applicable, the personal representative’s authority (e.g., guardian, conservator, or health care agent).
When sensitive categories are involved (for example, HIV test results, genetic information, or reproductive health data), verify whether California law requires additional language or a separate, more specific authorization.
LPS-Regulated Authorization Form Requirements
The Lanterman-Petris-Short (LPS) Act governs mental health treatment records held by county and designated mental health facilities. Disclosures outside the Act’s built-in exceptions generally require the patient’s written permission.
Key elements for mental health records
- Identify the mental health program or facility and the specific records to be disclosed (admission, treatment plans, discharge summaries), using a Mental Health Facility Authorization when appropriate.
- Name the recipient(s) precisely (for example, a specific family member, public guardian, or court-appointed attorney) and state the purpose (continuity of care, benefits, legal proceedings).
- Set a short, definite expiration and limit redisclosure to what the LPS Act permits; add a reminder that state law may restrict further sharing.
- If a legal guardian, conservator, or other authorized representative signs, describe the authority under which they act.
Because mental health records can contain particularly sensitive information, use the minimum necessary scope, segregate psychotherapy notes when present, and consider a stand-alone authorization to avoid overbroad releases.
SUD- and HSC-Regulated Authorization Form Requirements
Substance Use Disorder Information is protected by federal regulations (42 CFR Part 2) and, in California, by the Health and Safety Code (HSC). These standards impose stricter consent content and redisclosure limits than HIPAA for SUD records.
Core consent content for SUD disclosures
- Patient name and, where required, date of birth or another unique identifier.
- Specific name of the SUD program or provider permitted to disclose the information.
- Specific recipient(s) or, where allowed, a general designation (such as “my treating providers”), consistent with current rules.
- Purpose of the disclosure and how much and what kind of information will be shared (for example, medication list, treatment attendance, discharge status).
- Patient signature and date, plus representative authority if someone signs on the patient’s behalf.
- Revocation of Authorization statement and instructions.
- A definite expiration date, Expiration Event, or condition.
Required redisclosure notice and state additions
- Include the required prohibition-on-redisclosure notice with every SUD disclosure; recipients generally may not redisclose SUD records unless expressly permitted.
- When California HSC applies, incorporate any state-required notices, name the SUD facility or program specifically, and avoid bundling SUD consents with general medical releases unless permitted.
- Use narrow scopes and shorter expirations to maintain alignment with Part 2’s heightened protections.
Expiration and Revocation Conditions
Setting a compliant expiration
- Use a date (for example, “December 31, 2026”) or an Expiration Event (“upon final claim determination,” “end of research study”).
- A “no expiration” authorization is generally not allowed except in limited contexts (for example, certain research repositories where permitted); when in doubt, specify a concrete date or event.
- For SUD and mental health releases, choose shorter durations and narrowly tailored events to reduce risk.
How revocation works
- You may revoke at any time by sending written notice to the address or office named on the form (for example, the privacy office or medical records unit).
- Revocation stops future uses or disclosures based on the authorization; it does not undo disclosures already made in reliance on it.
- Keep a copy of your Revocation of Authorization with your records, and request written confirmation that the revocation was processed.
Signature and Patient Rights
Who can sign
- The patient signs and dates the authorization. This Patient Authorization Signature is mandatory for validity.
- If a personal representative signs, the form must describe the representative’s authority (for example, parent of a minor, court-appointed conservator, or health care agent).
- When state law lets minors consent to certain services (such as some mental health or SUD treatment), the minor may control those records and must sign their own authorization unless an exception applies.
Your rights
- You can refuse to sign; in most cases, refusal will not affect treatment or benefits, and any permissible conditioning will be clearly disclosed.
- You are entitled to a copy of the signed authorization.
- You can revoke in writing at any time, subject to reliance already made.
- You may limit scope by specifying the exact records, dates, recipients, and purposes.
Conclusion
To meet the requirements for a HIPAA authorization form, include the core elements, the mandated statements, and any added standards that apply under CMIA, LPS, and SUD/HSC rules. Use plain language, specify a tight scope, name recipients precisely, set a clear expiration, and document the Patient Authorization Signature and authority. These practices keep disclosures lawful, minimal, and aligned with patient expectations.
FAQs
What information must be included in a HIPAA authorization form?
A valid authorization identifies the PHI to be released, who may disclose it, who may receive it, and why it is needed; sets an expiration date or Expiration Event; contains the Patient Authorization Signature and date; and, if a representative signs, states their authority. It also includes required statements about revocation, potential redisclosure, and whether signing is a condition of treatment or benefits.
How long is a HIPAA authorization form valid?
It remains valid until the stated expiration date or event occurs. Organizations often use durations like 6–12 months, but you can select any reasonable date or event. Certain research authorizations may use “end of the research study” or, where permitted, “none,” while SUD and mental health releases typically use shorter, definite periods.
Can a patient revoke their HIPAA authorization?
Yes. You can revoke at any time by sending a written request to the address named on the form. Revocation halts new uses and disclosures under that authorization but does not affect actions already taken in reliance on it.
What are the differences between HIPAA and CMIA authorization requirements?
Both require core elements and statements, but CMIA emphasizes greater specificity for California disclosures, such as naming a Health Care Service Plan when relevant, clarifying limits on use, and reinforcing the right to receive a copy and to revoke. Additional California laws—like LPS for mental health facilities and HSC provisions for Substance Use Disorder Information—impose stricter content and redisclosure limits beyond HIPAA in those contexts.