Requirements for HIPAA Authorization: What Your Form Must Include
If you create or review authorization forms, you need a clear, practical checklist. This guide explains the requirements for HIPAA authorization and the added rules that apply in California under CMIA, LPS, and substance use disorder (SUD) laws. Use it to confirm your form’s elements, required statements, and state-specific add‑ons.
Core Elements of HIPAA Authorization
Describe the health information disclosure precisely
- Identify the exact records to be released (dates, types, sources). Avoid “all records” unless you truly mean it, and include specific use limitations to prevent over‑sharing.
- State the purpose of the disclosure, or note “at the request of the individual” when appropriate.
Name who may disclose and who may receive
- List the disclosing covered entity or business associate and the recipient(s) by name or specific identification.
Set a validity expiration date or event
- Include a clear Validity Expiration Date or an Expiration Event (for example, “end of research study” or “upon claim resolution”).
Obtain required signatures
- Include the individual’s signature and date.
- If someone signs on the patient’s behalf, capture the Patient Representative Signature and describe the representative’s authority or relationship.
Write in plain language and give a copy
- Use straightforward language; avoid legal jargon.
- Provide the individual with a copy of the authorization for their records and reference your Notice of Privacy Practices for broader privacy rights.
Required Statements in HIPAA Authorization
Revocation instructions
Explain that the individual may revoke the authorization at any time in writing, describe exactly how to submit the revocation (where and to whom), and note that revocation does not affect disclosures already made in reliance on the authorization. Place these Revocation Instructions prominently.
Conditions of treatment, payment, or benefits
State whether the covered entity will condition treatment, payment, enrollment, or eligibility for benefits on signing. As a rule, conditioning is not permitted, with limited exceptions (for example, research-related treatment, pre‑enrollment underwriting, or services provided solely to create information for a third party).
Potential for re-disclosure
Inform the individual that information disclosed pursuant to the authorization may be re‑disclosed by the recipient and may no longer be protected by HIPAA. Note that special rules apply to certain categories (for example, SUD records under federal and California law) that restrict re‑disclosure.
Marketing, sale of PHI, and special categories
- State if the disclosure involves marketing or financial remuneration to the covered entity.
- Obtain a separate authorization for psychotherapy notes if they are to be disclosed.
CMIA-Regulated Authorization Form Requirements
Apply the more stringent rule
California’s Confidentiality of Medical Information Act (CMIA) may be more protective than HIPAA. When CMIA is stricter, follow CMIA. Your authorization should be specific, time‑limited, and no broader than necessary.
Content to include under CMIA
- A precise description of the medical information and any specific use limitations (for example, “disclose only imaging reports from 2023–2025 to ABC Orthopedics”).
- The identity of the disclosing provider and the authorized recipient(s).
- A stated purpose for the disclosure.
- A clear Validity Expiration Date or Expiration Event.
- Revocation Instructions and how to submit them.
- The individual’s signature and date; if applicable, the Patient Representative Signature with a description of authority.
- A reminder to the recipient that California law may restrict re‑disclosure beyond what HIPAA allows.
Practical California cautions
- Some categories (for example, HIV test results, genetic information, certain minors’ records) have additional state consent or re‑disclosure limits; do not rely on a broad, general authorization for these.
- Provide a copy of the signed authorization and retain it in the record per your retention policy.
LPS-Regulated Authorization Form Requirements
Scope of LPS protections
The Lanterman‑Petris‑Short (LPS) Act tightly protects mental health records maintained by county mental health programs and certain facilities. Disclosures typically require a specific, time‑limited authorization or an applicable statutory exception.
Authorization content for LPS-covered records
- Identify the mental health provider or facility and the precise information to be released (for example, diagnosis, medications, treatment plan, discharge summary).
- State the purpose, recipient(s), and the Validity Expiration Date or an Expiration Event tied to a care milestone.
- Include Revocation Instructions and a caution that further disclosure may be restricted by California law.
Patient representatives and conservators
- When a court‑appointed conservator or other legally authorized representative signs, record the Patient Representative Signature and describe the authority (for example, “LPS conservator of person”).
- Psychotherapy notes and particularly sensitive content should be handled with heightened specificity and separate authorization when required.
SUD and Cal. Health & Safety Code Regulated Authorization Form Requirements
Records covered
Substance use disorder (SUD) treatment records may be protected by federal confidentiality rules and California Health & Safety Code provisions. These rules often require more detailed consent and impose strict limits on re‑disclosure.
Mandatory consent elements
- Patient’s name; the program or provider authorized to disclose; and the specific recipient(s).
- A description of the SUD information to be disclosed and the purpose of the disclosure.
- A Validity Expiration Date or an Expiration Event (for example, “completion of aftercare program”).
- Revocation Instructions, clarifying that revocation is prospective.
- The patient’s signature and date; if signed by a representative, include the Patient Representative Signature and authority.
Redisclosure warning and minimum necessary
- Accompany disclosures with a prohibition-on-redisclosure notice, reflecting that SUD information cannot be re‑disclosed unless permitted by law or authorized by the patient.
- Disclose only what is reasonably necessary to accomplish the stated purpose, even when you have a valid authorization.
Conclusion
To satisfy the requirements for HIPAA authorization and California’s CMIA, LPS, and SUD rules, build a form that is specific, time‑bound, and transparent. Spell out the health information disclosure, purpose, recipients, Validity Expiration Date or Expiration Event, and Revocation Instructions, and capture the correct Patient Representative Signature when applicable. Align the form with your Notice of Privacy Practices and add California‑specific cautions where stricter rules apply.