When HIPAA Requires Authorization to Disclose Information: What the Authorization Must Include
Description of Protected Health Information
To comply with HIPAA's Privacy Rule, a written authorization must clearly describe the Protected Health Information (PHI) you plan to disclose. The description should be specific enough that both the discloser and the recipient understand exactly what will be shared and what will not.
Make your description precise by defining one or more of the following:
- Type of record: for example, “lab results,” “imaging reports,” or “billing statements.”
- Date range or encounter: for example, “records from March 1–June 30, 2025,” or “the hospitalization on April 14, 2025.”
- Data elements: for example, “diagnoses, medications, and discharge summary; excluding psychotherapy notes.”
The “minimum necessary” standard does not apply to disclosures made under an authorization; however, only the PHI explicitly described in the authorization may be disclosed. Clear scoping protects individuals and reduces redisclosure risk by limiting what leaves the record set.
Identification of Disclosing Party
The authorization must identify who is allowed to disclose the PHI. Name the covered entity (such as the health system, clinic, or physician practice) and, if relevant, the specific department or site that holds the records.
If a business associate maintains the records on the entity’s behalf, identify that party as well. Listing full legal names and contact details supports Privacy Rule compliance and prevents confusion when multiple providers are involved.
Identification of Receiving Party
The authorization must also identify who may receive the PHI. You may name a specific person, an organization, or a class of recipients (for example, “any treating provider” or “the individual’s attorney”).
Be explicit. If PHI will be shared with multiple recipients for different purposes, list each recipient (or describe each class of recipients) together with its purpose. Remember that some recipients are not subject to HIPAA, which increases redisclosure risk if they further share the information.
Stating the Purpose of Disclosure
State why the PHI is being disclosed. Acceptable purposes include insurance claims, legal proceedings, employment-related accommodations, or research activities. If there is no specific purpose beyond the person’s request, you may state “at the request of the individual.”
A clear purpose helps the recipient use the information responsibly and keeps the disclosure aligned with Privacy Rule compliance. It also guides you when applying any limits described in the authorization.
Specifying Expiration Date or Event
Every authorization must include an expiration: either a calendar date or a specific event related to the purpose (for example, “upon resolution of claim number X” or “one year from the signature date”).
Choose an expiration that fits the need without leaving the authorization open longer than necessary. For certain research uses, an event-based expiration such as “end of the research study” may be appropriate where permitted. Once the expiration date or event has passed, no further disclosures may be made under that authorization.
Obtaining the Individual's Signature
The authorization must be signed and dated by the individual before any disclosure is made. Electronic signatures are acceptable if your process reliably captures the signer's identity and intent. Always provide the individual with a copy of the signed written authorization.
If a personal representative signs (for example, a parent, legal guardian, or someone holding healthcare power of attorney), the authorization must describe the representative's authority to act for the individual. Keep the form legible and written in plain language so individuals clearly understand what they are permitting.
Notifying the Individual of Rights and Conditions
HIPAA requires specific notices so individuals understand their choices and protections:
- Revocation Rights: You must inform the individual that they may revoke the authorization at any time, in writing, and explain how to submit revocation. Revocation does not affect disclosures already made in reliance on the authorization.
- Conditions of Treatment/Benefits: State whether signing is a condition of receiving treatment, payment, enrollment, or eligibility for benefits. In most situations it is not; limited exceptions may apply (for example, certain research-related treatment).
- Redisclosure Risks: Warn that PHI disclosed to a recipient may be redisclosed and no longer protected by HIPAA, depending on the recipient’s obligations.
Include these statements in clear, concise language to support Privacy Rule compliance and informed decision-making.
FAQs
When is HIPAA authorization required for disclosing information?
An authorization is required for any use or disclosure of PHI that the Privacy Rule does not otherwise permit or require. Common cases are disclosures to third parties such as employers, attorneys, or insurers at the individual’s request; most marketing uses; sale of PHI; research without an IRB or privacy board waiver; and most uses of psychotherapy notes. When in doubt, obtain a written authorization.
What elements must be included in a HIPAA authorization?
Core elements are: a description of the PHI to be disclosed; identification of the disclosing party; identification of the receiving party; the purpose of disclosure, or “at the request of the individual”; an expiration date or event; and the individual’s signature and date (including a description of the personal representative's authority when a representative signs). Required notices cover revocation rights, whether signing is a condition of treatment or benefits, and redisclosure risk.
How can an individual revoke a HIPAA authorization?
The individual may revoke by sending a written request to the covered entity identified on the authorization (for example, the provider’s privacy office). After the revocation is received, no further disclosures may be made under that authorization, except to the extent the disclosing party has already relied on it or where other laws require retention or use.
What happens if information is redisclosed after authorization?
Once PHI is disclosed to a recipient not governed by HIPAA, it may be redisclosed and lose HIPAA protections. The recipient’s own obligations (for example, professional, contractual, or state-law duties) may still apply, but HIPAA may no longer control the information. Limiting the scope of PHI and setting a clear expiration reduce this risk.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.