What Is a HIPAA Authorization Form? Definition, What It Covers, and When You Need One
Definition of HIPAA Authorization Form
A HIPAA authorization form is your written permission allowing a covered entity—such as a doctor, hospital, or health plan—to use or disclose your Protected Health Information (PHI) for a purpose not otherwise allowed by the HIPAA Privacy Rule. Think of it as a targeted PHI disclosure consent that you control.
Authorizations are used for situations like sending records to a non-treating third party, sharing information for marketing, or releasing psychotherapy notes. You decide what gets shared, with whom, and why. You can also sign a research use authorization that lets a study team use or obtain your PHI for a specific project or for future research, as permitted.
How it differs from general consent
General consent typically covers routine care, billing, and health care operations. A HIPAA authorization form is different: it is only needed when the intended use or disclosure falls outside those routine activities. Without your authorization—or a separate legal permission—those uses and disclosures cannot happen.
Required Elements of the Form
To be valid, a HIPAA authorization must be in plain language and include specific elements. Review these carefully before you sign:
- Description of the information to be used or disclosed (for example, “all clinic notes from 2023–2025,” “lab results,” or “imaging reports”).
- Who is authorized to disclose the information (for example, a named clinic or provider).
- Who may receive the information (a person, company, research team, or category of recipients).
- The purpose of the disclosure (for example, legal review, life insurance application, research study, or personal use).
- An expiration date or event (for example, “one year from the date signed” or “end of the study”).
- Your signature and date, or your personal representative’s signature if applicable.
- A statement of your right to revoke the authorization in writing and how to exercise it.
- Notice that information disclosed to a non–HIPAA-covered recipient may be re-disclosed and no longer protected by HIPAA.
- A statement that treatment, payment, or coverage is not conditioned on signing, with narrow exceptions (such as certain research-related treatment or services provided solely to create information for a third party).
- Special statements when applicable, such as:
  - Marketing use consent (acknowledging marketing communications) or sale of PHI—these require explicit authorization.
  - Psychotherapy notes—these require a distinct, specific authorization separate from other records.
Good practices before signing
- Confirm the minimum necessary scope by limiting what is described to exactly what is needed.
- Verify the recipient and purpose match your intent.
- Keep a copy of the signed authorization for your records.
When Authorization Is Required
You generally need a HIPAA authorization form for uses or disclosures that are not part of treatment, payment, or health care operations. Common examples include:
- Marketing communications that promote a product or service, except for face-to-face interactions or promotional gifts of nominal value.
- Sale of PHI or disclosures that involve payment to the covered entity for the information.
- Disclosure of psychotherapy notes, which receive special protection and require a separate authorization.
- Sending PHI to a non-treating third party such as an employer, school, attorney, or insurer for non-payment purposes.
- Research activities that use identifiable PHI when no IRB/privacy board waiver applies and the data are neither de-identified nor a limited data set covered by an appropriate data use agreement.
Signals you should ask for an authorization
- The request comes from outside your care team or health plan’s routine operations.
- You are offered something of value for your information.
- The request includes psychotherapy notes or “complete copy of the entire chart” for non-treatment reasons.
When Authorization Is Not Required
The HIPAA Privacy Rule allows many essential uses and disclosures of PHI without an authorization. In these cases, you may still receive a notice or be given the chance to agree or object, but a formal authorization is not required:
- Treatment, payment, and health care operations within or among covered entities.
- Your right of access to your own PHI, including directing records to a person or app of your choice.
- Disclosures to family, friends, or others involved in your care or payment, when you agree or do not object and it is consistent with applicable law.
- Public health activities, health oversight, and certain law enforcement or judicial requirements, as well as disclosures required by law.
- Organ and tissue donation, coroners/medical examiners, and certain workers’ compensation programs as permitted.
- De-identified information and limited data sets shared under a data use agreement.
Practical tip
If the purpose is routine care or payment, an authorization usually is not needed. If it is outside those purposes—especially marketing, sale of PHI, or psychotherapy notes—expect to see an authorization form.
Revocation of Authorization
You can revoke an authorization at any time by submitting a written request to the covered entity identified in your form. The revocation stops future use or disclosure under that authorization once processed, but it does not undo actions already taken in reliance on your prior permission.
How to revoke effectively
- Follow the “how to revoke” instructions on the form (address, email, portal, or fax).
- Identify the specific authorization you are revoking and the date signed.
- Ask for written confirmation that the revocation was received and the date it takes effect.
Special considerations
- For research, revocation may require withdrawing from the study, and the study may continue using data already collected as allowed by law and the authorization.
- If a business associate received your PHI under the authorization, the covered entity must relay the revocation so future reliance stops.
Impact of Not Signing Authorization
If you choose not to sign, the requested use or disclosure generally will not occur. Covered entities usually cannot deny treatment, payment, or benefits because you refused to sign, except in narrow cases such as research-related treatment or services provided solely to create information for a third party (for example, a life insurance exam report).
Declining to sign may limit non-clinical services—for example, you might not receive marketing communications or a third party may not get your records for a non-treatment purpose. Your right to access your own PHI remains intact, and you can still direct your records to a recipient of your choice under your access right.
Conclusion
A HIPAA authorization form puts you in control of how your PHI is used beyond routine care and operations. Know the required elements, limit the scope to what is necessary, and sign only when the purpose and recipient make sense. Remember, you can revoke later, and refusing to sign usually does not affect your care.
FAQs
What information must be included in a HIPAA authorization form?
A valid form lists what PHI will be used or disclosed, who may disclose it, who will receive it, the purpose, an expiration date or event, your signature and date, your right to revoke, and a notice about potential re-disclosure once information leaves HIPAA coverage. Special statements are required for psychotherapy notes, marketing use consent, and sale of PHI.
When is a HIPAA authorization form required?
You need one when the use or disclosure falls outside treatment, payment, and health care operations—common examples are marketing, sale of PHI, releasing psychotherapy notes, sending records to non-treating third parties, or certain research activities without a waiver or de-identification.
Can I revoke a HIPAA authorization after signing?
Yes. You may revoke in writing at any time, following the instructions on the form. Revocation stops further use or disclosure under that authorization once processed, but it does not affect actions already taken in reliance on your prior authorization.
What happens if I refuse to sign a HIPAA authorization form?
In most cases, nothing changes about your care, payment, or coverage. The specific use or disclosure you declined will not happen, though certain narrow exceptions exist (such as research-related treatment or services meant solely to create information for a third party). You still retain full access to your own PHI.