What a HIPAA Authorization Must Include: Required Elements and Checklist
A HIPAA authorization is a written permission that allows a covered entity to use or disclose protected health information (PHI) for a purpose not otherwise permitted by the HIPAA Privacy Rule. To achieve patient consent compliance, every authorization must contain specific, plain‑language elements. Use the checklists below to verify that your individual authorization supports a valid covered entity disclosure.
Description of Information
Your form must clearly identify exactly what PHI may be used or disclosed. Provide a specific and meaningful description—avoid vague phrases like “everything” unless you define scope with dates, categories, and exclusions. List data types (e.g., office notes, labs, imaging, billing), date ranges, and any sensitive categories that require special handling.
Be precise with high‑sensitivity records (e.g., psychotherapy notes, genetic information, substance use disorder records) and state if they are included or excluded. Although the “minimum necessary” standard does not apply to disclosures made under an authorization, limiting the scope to what is reasonably needed is a best practice for patient consent compliance.
Checklist
- Specific data types and date ranges are identified.
- Any sensitive categories are expressly included or excluded.
- Ambiguous terms (e.g., “all records”) are clarified with scope details.
Authorized Discloser
The authorization must name or otherwise specifically identify the person or organization permitted to disclose PHI. This is typically the health care provider or health plan making the covered entity disclosure. If multiple facilities or brands are involved, list each entity clearly to avoid confusion.
If a business associate will disclose on the covered entity’s behalf, the authorization should still identify the covered entity and make clear that disclosures may be carried out by its workforce or agents.
Checklist
- Covered entity is named with full legal or commonly used name.
- All relevant affiliates/locations are listed if needed.
- Role of agents/business associates is addressed where applicable.
Authorized Recipient
Identify the person(s) or organization(s) authorized to receive the PHI. Use full names and, when appropriate, contact details such as address, email, or fax to prevent misdirected disclosures. You may authorize multiple recipients if each is specifically identified.
When PHI will go to a third party outside HIPAA (for example, a consumer app or attorney), state the recipient’s identity plainly so the individual understands who will receive the data.
Checklist
- Recipient’s full name or specific identification is provided.
- Contact information is included when operationally necessary.
- Multiple recipients are listed individually, not generically.
Purpose of Disclosure
The authorization must state the purpose for the use or disclosure. You may use a specific description (e.g., “coordination of legal claim,” “life insurance underwriting”) or the permitted shorthand “at the request of the individual.” The purpose should be understandable and tied to what is being disclosed.
For research or specialized purposes, describe the purpose in terms a reasonable person can follow. Avoid leaving this field blank; a clear purpose supports transparency and patient consent compliance.
Checklist
- Purpose is written in plain language the individual can understand.
- “At the request of the individual” is used appropriately when applicable.
- Scope of PHI aligns with the stated purpose.
Expiration Date or Event
Every authorization must include a valid expiration—either a calendar date or a specific event tied to the individual or the purpose (e.g., “one year from signature,” “end of litigation,” “completion of the research study”). The event should be concrete and objectively determinable to support authorization expiration tracking.
If certain specialized uses allow a longer or different term, state that clearly so the individual understands how long the authorization lasts before it lapses.
Checklist
- Expiration is stated as a date or clearly defined event.
- Timeframe is appropriate to the purpose of disclosure.
- Internal process exists to monitor and honor the expiration.
Signature and Date
A valid authorization must be signed and dated by the individual (or by a personal representative, if applicable). Signatures may be written or electronic, consistent with applicable law and your organization’s policies. The date reflects when the individual gave permission and starts the clock toward authorization expiration.
Make sure the individual receives a copy of the signed authorization. Retain the authorization according to your record‑keeping requirements to support future audits under the HIPAA Privacy Rule.
Checklist
- Individual’s signature and signature date are present and legible.
- Electronic signature, if used, meets legal and policy standards.
- Copy provided to the individual; original retained appropriately.
Personal Representative Authority
If someone other than the individual signs, the authorization must describe that person’s authority to act (e.g., health care power of attorney, court‑appointed guardian, parent of a minor where permitted). This personal representative designation helps the covered entity validate the signer’s role.
Your workflow should include verification of documents that establish authority and note any limitations (for example, situations where state law restricts parental access to specific services).
Checklist
- Signer is identified as a personal representative when applicable.
- Authority to act (type and source) is described on the form.
- Verification steps and any state‑law limits are documented.
Right to Revoke
The authorization must inform the individual of the right to revoke at any time in writing and explain how to do so (the revoke authorization process). Include where to send revocations, required identifiers (e.g., name, DOB, record number), and any form your organization prefers. State the exceptions: revocation does not affect actions already taken in reliance on the authorization.
If a health plan conditioned enrollment or eligibility on obtaining the authorization, note any limits on revocation related to that specific context so the individual understands the implications.
Checklist
- Clear instructions to revoke in writing are provided.
- Mail/email/fax options and contact information are listed.
- Exceptions (actions already taken) are explained plainly.
Redisclosure Warning
Include a statement that PHI disclosed under the authorization may be redisclosed by the recipient and may no longer be protected by HIPAA. This notice helps set realistic expectations when PHI leaves the covered entity’s environment.
Where other laws offer added protections (for example, certain state laws or federal substance use disorder rules), you may clarify that those laws could still apply, but the HIPAA Privacy Rule no longer governs the recipient’s handling once the disclosure occurs.
Checklist
- Required redisclosure warning is prominently stated.
- Language explains possible loss of HIPAA protections after disclosure.
- Any additional protections are acknowledged in general terms.
Conditioning of Treatment
The authorization must state whether signing is a condition of receiving treatment, payment, enrollment, or eligibility for benefits. In most situations, a covered entity may not condition treatment or payment on an authorization. Limited exceptions exist (for example, research‑related treatment or certain health plan functions). If you will condition services in a permitted scenario, describe the consequences of refusing to sign.
Use straightforward language so individuals understand that care typically does not depend on an authorization and, where it does, why and how it affects them.
Checklist
- Statement clearly indicates whether signing is a condition of services.
- Any permitted conditioning and consequences are explained.
- Non‑conditioned scenarios are distinguished to avoid confusion.
Summary and Next Steps
To build a compliant HIPAA authorization, include: a precise description of PHI; named discloser and recipient; a clear purpose; an expiration date or event; signature and date; representative authority when applicable; a right‑to‑revoke statement; a redisclosure warning; and conditioning language. Review each element against your policies and state‑law nuances to keep your individual authorization accurate and up to date.
FAQs
What specific information must a HIPAA authorization describe?
It must provide a specific and meaningful description of the PHI authorized for use or disclosure. List categories (e.g., progress notes, labs, imaging, billing), date ranges, and any sensitive records that are included or excluded. Avoid vague terms; tie the scope to the stated purpose to support patient consent compliance.
How must the expiration date or event be defined?
You must state either a calendar date or a concrete event related to the individual or the purpose (for example, “December 31, 2026,” “end of litigation,” or “completion of the study”). The event should be objective and easy to determine so the covered entity can track authorization expiration and stop disclosures once it occurs.
What are the requirements for the right to revoke?
The authorization has to explain that the individual may revoke at any time in writing, describe how to submit the revocation (address, email, fax, or form), and note that revocation does not affect disclosures already made in reliance on the authorization. If a plan conditioned enrollment or eligibility on the authorization, mention any resulting limits on revocation in that specific context.
What warnings must be included about redisclosure?
The form must warn that information disclosed under the authorization may be subject to redisclosure by the recipient and may no longer be protected by HIPAA. You can also explain, in general terms, that other privacy laws may still protect certain information, but HIPAA’s protections typically do not follow the data once it leaves the covered entity via an individual authorization.