What Does a HIPAA Authorization Require? Core Elements, Required Statements, and Compliance Checklist
Core Elements of a HIPAA Authorization
Specific description of information
Your authorization must clearly describe the Protected Health Information (PHI) to be used or disclosed. Identify data types (for example, lab results, imaging reports, billing records) and the date range when applicable. Avoid vague phrases like “all records” unless that breadth is truly intended and necessary.
Who may disclose and who may receive
Name or specifically identify the person or entity authorized to disclose the PHI (such as a hospital or physician practice) and the person or entity permitted to receive it (for example, a law firm, employer, researcher, or a named individual). Use precise identifiers to prevent accidental disclosures.
Purpose of the use or disclosure
State why the PHI is being used or disclosed (for example, coordination of care, legal review, insurance underwriting, or research). If the individual simply wants the disclosure, “at the request of the individual” is acceptable.
Expiration date or event
Include a definite expiration date or an expiration event that relates to the individual or to the purpose (for example, “one year from the date of signature” or “at the end of the research study”). The event must be objectively determinable. An authorization with no expiration at all is invalid, with one exception: an authorization for research may state “end of the research study” or “none” as its expiration.
Signature and date
The form must be a written authorization bearing the individual’s signature and the date signed. If using electronic signatures, make sure the method can verify the signer’s identity, bind the signature to the exact document that was signed, and preserve the integrity of the record so later alteration is detectable.
If signed by a Personal Representative
When a Personal Representative signs (for example, a parent of a minor or a health care agent), the authorization must describe their authority to act for the individual or their relationship to the individual.
Required Statements in a HIPAA Authorization
Revocation Rights
The form must tell individuals that they may revoke the authorization in writing at any time, and must either describe how to do so (for example, a signed request to the Privacy Officer) or refer to the covered entity’s notice of privacy practices where that procedure appears. It must also state the exceptions: revocation does not affect uses or disclosures already made in reliance on the authorization, and if the authorization was obtained as a condition of obtaining insurance coverage, other law may give the insurer the right to contest a claim under the policy or the policy itself.
Conditioning statement
State whether the covered entity will condition treatment, payment, enrollment in a health plan, or eligibility for benefits on signing the authorization. Generally, you may not condition these activities on an authorization, except in the limited cases the rule allows: research-related treatment, a health plan’s eligibility, enrollment or pre-enrollment underwriting determinations (never for psychotherapy notes), and health care provided solely to create PHI for disclosure to a third party (for example, a pre-employment physical).
Redisclosure Notice
Explain that PHI disclosed under an authorization may be subject to redisclosure by the recipient and may no longer be protected by HIPAA. Encourage recipients to safeguard information, but make clear that HIPAA protections might not follow the data once it leaves the covered entity.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Additional Requirements for HIPAA Authorization
Plain Language Standard
Authorizations must be written in plain language that an average reader can understand. Use short sentences, familiar words, and a logical layout. Avoid legal jargon and define any necessary technical terms.
Special categories and purposes
Certain uses require heightened clarity or separate permissions. An authorization for psychotherapy notes must be its own document; it may be combined only with another authorization for psychotherapy notes. An authorization for marketing must state whether the covered entity receives direct or indirect remuneration from a third party for the marketing, and an authorization for the sale of PHI must state that the disclosure will result in remuneration to the covered entity.
Minimum necessary and scope
The minimum necessary rule does not limit disclosures made pursuant to an authorization; however, you should disclose only the PHI described in the form. Review the scope to ensure it matches the stated purpose.
Copies and availability
Upon request, provide the individual a copy of the signed authorization. Keep blank forms readily available and easy to access, and make sure staff know how to help individuals complete them correctly.
Form integrity and separability
Do not combine an authorization with other documents if it would confuse the individual or obscure key choices. Where combined documents are permitted (for example, certain research contexts), keep the authorization language prominent and unambiguous.
Compliance Checklist for HIPAA Authorizations
- Identify the PHI precisely (types and date range) and avoid ambiguous catch-all language.
- Name the disclosing party and the recipient with specific identifiers.
- State the purpose, or use “at the request of the individual” when appropriate.
- Include a clear expiration date or event tied to the purpose.
- Obtain a valid signature and date; verify identities for electronic signatures.
- If a Personal Representative signs, describe their authority or relationship.
- Insert required statements on Revocation Rights, conditioning, and the Redisclosure Notice.
- Write in compliance with the Plain Language Standard; no confusing legalese.
- Provide a copy of the signed form to the individual upon request.
- Confirm the scope matches the purpose; disclose only what the authorization covers.
- Meet the six-year authorization retention requirement and store signed forms securely (paper and electronic).
- Train staff to review forms for completeness before any disclosure occurs.
Common Pitfalls to Avoid in HIPAA Authorizations
- Missing or vague description of PHI, leading to overbroad disclosures.
- No expiration date or an event that is not objectively determinable.
- Forgetting required statements about Revocation Rights or the Redisclosure Notice.
- Conditioning care or benefits on signing when not permitted.
- Allowing a Personal Representative to sign without documenting their authority.
- Combining the authorization with other forms in ways that confuse the individual.
- Failing to provide a copy of the signed authorization upon request.
- Not training staff to validate completeness before releasing information.
Document Retention and Access Protocols
Authorization Retention Requirements
Maintain signed authorizations and related documentation for at least six years from the date of creation or the date when last in effect, whichever is later. Apply your organization’s record schedule if it is longer, and ensure consistent retention across paper and electronic systems.
Access, copies, and verification
Make a copy of the signed authorization available to the individual on request. Implement identity verification procedures before disclosing PHI, and confirm that the authorization is current, complete, and has not been revoked.
Logging and accounting
Track disclosures operationally for quality and audit readiness. While disclosures made with an individual’s authorization generally do not require inclusion in a HIPAA accounting of disclosures, internal logs support incident response and compliance reviews.
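As an added example that is not part of the original article, the following Python script turns the pre-disclosure checks described above into code: it confirms that an authorization record carries every core element and required statement, that a personal representative’s authority is documented, that the authorization has not been revoked or expired, and that the specific request (recipient, data types, date range) stays inside what the form authorizes; it then writes each decision to an HMAC-chained log so that a later edit or deletion of an entry is detectable. The record layout, the field names, the sample authorization and requests, and the log key are all assumptions made for illustration, not the article’s own procedure or any product’s API.

```python
# Added example (not the article's code); layout, field names, sample data and key are assumptions.
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date
import hashlib, hmac, json

CORE_FIELDS = ("phi_description", "data_types", "discloser", "recipient",
               "purpose", "expiration", "signature_date", "signed_by")
REQUIRED_STATEMENTS = frozenset({"revocation", "conditioning", "redisclosure"})

@dataclass(frozen=True)
class Authorization:
    phi_description: str
    data_types: frozenset[str]          # e.g. {"lab_results", "imaging_reports"}
    date_range: tuple[date, date]       # period of PHI the form covers
    discloser: str
    recipient: str
    purpose: str
    expiration: date | str              # a date, or a named event such as "end of study"
    signature_date: date
    signed_by: str                      # "individual" or "representative"
    statements: frozenset[str] = frozenset()
    representative_authority: str = ""  # required when signed_by == "representative"
    revoked_on: date | None = None

@dataclass(frozen=True)
class DisclosureRequest:
    recipient: str
    data_types: frozenset[str]
    date_range: tuple[date, date]
    requested_on: date

def validate(auth: Authorization, req: DisclosureRequest) -> list[str]:
    """Return the problems that block disclosure; an empty list means release is allowed."""
    problems = []
    for name in CORE_FIELDS:
        if not getattr(auth, name):
            problems.append(f"missing core element: {name}")
    missing = REQUIRED_STATEMENTS - auth.statements
    if missing:
        problems.append("missing required statement(s): " + ", ".join(sorted(missing)))
    if auth.signed_by == "representative" and not auth.representative_authority:
        problems.append("personal representative signed without documented authority")
    if auth.revoked_on is not None and auth.revoked_on <= req.requested_on:
        problems.append(f"authorization revoked on {auth.revoked_on}")
    # A dated expiration is checked here; an event ("end of study") cannot be, so it is held.
    if not isinstance(auth.expiration, date) or req.requested_on > auth.expiration:
        problems.append(f"expired or event-based expiration needs manual confirmation: {auth.expiration}")
    if req.recipient != auth.recipient:
        problems.append(f"recipient {req.recipient!r} is not the authorized recipient")
    extra = req.data_types - auth.data_types
    if extra:
        problems.append("requested PHI outside authorized scope: " + ", ".join(sorted(extra)))
    if req.date_range[0] < auth.date_range[0] or req.date_range[1] > auth.date_range[1]:
        problems.append("requested date range exceeds the authorized date range")
    return problems

def _mac(key: bytes, entry: dict) -> str:
    body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def log_disclosure(log: list[dict], key: bytes, auth: Authorization,
                   req: DisclosureRequest, problems: list[str]) -> dict:
    # Each entry carries the previous entry's MAC, so edits or deletions break the chain.
    entry = {"prev": log[-1]["mac"] if log else "0" * 64, "discloser": auth.discloser,
             "requested_on": req.requested_on.isoformat(), "recipient": req.recipient,
             "data_types": sorted(req.data_types), "problems": problems,
             "outcome": "denied" if problems else "released"}
    entry["mac"] = _mac(key, entry)
    log.append(entry)
    return entry

def verify_log(log: list[dict], key: bytes) -> bool:
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(key, entry)):
            return False
        prev = entry["mac"]
    return True

# Constructed sample data with hypothetical names; not real records.
SAMPLE_AUTH = Authorization(
    "Lab results and imaging reports for calendar year 2023",
    frozenset({"lab_results", "imaging_reports"}), (date(2023, 1, 1), date(2023, 12, 31)),
    "Example Hospital", "Example Law Firm LLP", "legal review",
    date(2025, 6, 30), date(2024, 6, 30), "individual", REQUIRED_STATEMENTS)
SAMPLE_REQUEST = DisclosureRequest("Example Law Firm LLP", frozenset({"lab_results"}),
                                   (date(2023, 3, 1), date(2023, 9, 30)), date(2024, 9, 15))
EXPIRED_REQUEST = replace(SAMPLE_REQUEST, requested_on=date(2025, 7, 1))
OUT_OF_SCOPE_REQUEST = replace(SAMPLE_REQUEST, data_types=frozenset({"lab_results", "billing_records"}))
REVOKED_AUTH = replace(SAMPLE_AUTH, revoked_on=date(2024, 8, 1))
REP_AUTH_NO_AUTHORITY = replace(SAMPLE_AUTH, signed_by="representative")

def run_demo() -> tuple[bool, bool]:
    key = b"demo-log-key-replace-in-production"  # assumption: a real key lives in a secrets store
    log: list[dict] = []
    for req in (SAMPLE_REQUEST, OUT_OF_SCOPE_REQUEST):
        log_disclosure(log, key, SAMPLE_AUTH, req, validate(SAMPLE_AUTH, req))
    tampered = [dict(e) for e in log]
    tampered[0]["recipient"] = "Someone Else"   # a silent edit to the first entry
    return verify_log(log, key), verify_log(tampered, key)
```

Two design points are worth noting. Event-based expirations ("end of the study") are deliberately reported as a problem rather than passed, because software cannot know whether the event has occurred; a person has to confirm it before release, which matches the objectively-determinable requirement above. The chained MAC detects tampering only by someone who lacks the key, so keep the key in a secrets store or HSM separate from the log, and protect the log itself with the same access controls as the PHI it describes.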
Security, storage, and disposal
Secure authorizations as PHI: restrict access, use role-based controls, and encrypt electronic records at rest and in transit where feasible. At the end of the retention period, dispose of records using approved destruction methods that prevent reconstruction.
Taken together, these elements, statements, and safeguards help you create a compliant, usable authorization process that protects individuals while enabling appropriate information sharing.
FAQs
What specific information must a HIPAA authorization include?
It must specify the PHI to be used or disclosed, identify who may disclose and who may receive it, state the purpose, include an expiration date or event, and contain the individual’s signature and date. If a Personal Representative signs, the form must describe their authority. It must also include required statements about Revocation Rights, conditioning, and a Redisclosure Notice.
How can an individual revoke a HIPAA authorization?
They can revoke at any time by sending a written notice to the covered entity (for example, the Privacy Officer or listed contact on the form). Revocation applies going forward and does not undo disclosures already made in reliance on the authorization.
Are HIPAA authorizations required to be in plain language?
Yes. The Plain Language Standard requires that the authorization be understandable to an average reader. Use clear wording, short sentences, and direct instructions so individuals can make informed choices.
What happens if information is redisclosed by the recipient?
PHI disclosed under an authorization may be redisclosed by the recipient and may no longer be protected by HIPAA. The Redisclosure Notice alerts individuals to this risk; however, other laws or agreements may still protect the information depending on the context.