When Is a HIPAA Authorization Required? Scenarios, Exceptions, and Examples

Kevin Henry

HIPAA

March 06, 2024

8-minute read

HIPAA Authorization Requirement

You must obtain a signed HIPAA authorization before using or disclosing Protected Health Information (PHI) for any purpose the Privacy Rule does not otherwise permit or require. This is a core element of Privacy Rule compliance and one of your obligations as a covered entity (and, through your business associate agreements, of your business associates).

Authorizations are patient-directed permissions that precisely describe what information may be used or disclosed, to whom, for what purpose, and for how long. When you rely on an authorization, the minimum necessary rule does not apply; instead, you disclose only what the authorization specifically allows.

What a valid HIPAA authorization must include

  • Specific description of the PHI to be used or disclosed.
  • Name or other specific identification of the person(s) authorized to make the disclosure and the recipient.
  • Purpose of the use or disclosure (or “at the request of the individual”).
  • Expiration date or event that relates to the individual or the purpose.
  • Signature and date of the individual (or personal representative) and a description of authority if signed by a representative.
  • Statements about the right to revoke, potential for redisclosure, and whether treatment, payment, enrollment, or eligibility is conditioned on signing (with the limited circumstances when conditioning is allowed).
  • Additional statements when the purpose is marketing or the sale of PHI, including any financial remuneration.

Common scenarios that require authorization

  • Marketing not covered by an exception, especially when financial remuneration is involved.
  • Sale of PHI or exchanges of PHI for remuneration beyond cost-based fees.
  • Most research uses or disclosures when no IRB/Privacy Board waiver applies.
  • Disclosures to employers, media outlets, or life insurers at the individual’s request.
  • Psychotherapy Notes Authorization for disclosures beyond narrow regulatory exceptions.

Exceptions to Authorization Requirement

HIPAA permits many uses and disclosures without an authorization. Even so, you must still apply the minimum necessary standard where it applies, verify the identity and authority of the person requesting the PHI, and document your decision so that Privacy Rule compliance can be demonstrated later (for example, in an accounting of disclosures or an HHS investigation).

Permitted uses and disclosures without authorization (high-level)

  • Treatment, Payment, and Healthcare Operations (TPO).
  • Public health activities and Public Health Reporting as authorized by law.
  • Health oversight activities, audits, and HHS investigations.
  • Judicial and administrative proceedings subject to Legal Disclosure Requirements.
  • Law enforcement purposes within defined limits.
  • Disclosures to avert a serious threat to health or safety using professional judgment.
  • Workers’ compensation programs as authorized by law.
  • Research with an IRB/Privacy Board waiver or a limited data set with a data use agreement.
  • Disclosures to family, friends, or others involved in care or payment, and facility directories, when conditions are met.
  • De-identified data and limited data sets (with proper safeguards).

Treatment Payment and Healthcare Operations

You may use and disclose PHI for TPO without getting an authorization. These routine activities keep care moving while protecting privacy through role-based access and minimum necessary (for payment and operations).

Treatment

  • Consulting with or referring to other providers.
  • Coordinating care across settings (e.g., hospital to rehab facility).
  • Sharing medication histories with a treating provider.

Payment

  • Eligibility checks, prior authorizations, claims submission, and appeals.
  • Billing third-party payers and collection activities.
  • Medical necessity and utilization review.

Healthcare operations

  • Quality assessment, patient safety activities, and outcomes evaluation.
  • Accreditation, licensing, and credentialing.
  • Business associate functions performed under a business associate agreement.
  • Limited fundraising communications with required notices and opt-out mechanisms.

Marketing Communications Restrictions

  • Marketing generally requires authorization, especially when you receive financial remuneration.
  • Exceptions include face-to-face communications and nominal promotional gifts.
  • Refill reminders or adherence communications are permitted if any remuneration is reasonably related to the communication’s cost.

Psychotherapy notes within TPO?

Psychotherapy notes are treated differently from general PHI. You typically need a Psychotherapy Notes Authorization to use or disclose them, even for treatment by another provider, with narrow exceptions described below.

Public Health Activities

You may disclose Protected Health Information (PHI) for public health purposes without authorization when permitted or required by law. This supports disease prevention, surveillance, and safety monitoring while maintaining Privacy Rule Compliance.

Public Health Reporting

  • Reporting communicable diseases, conditions, and vital events to public health authorities.
  • Notifying individuals who may have been exposed to a communicable disease.
  • Reporting adverse events, product defects, or post-market surveillance information to regulators.
  • Workplace-related illness or injury reporting to employers as allowed by law.
  • School immunization disclosures with appropriate permissions as permitted by law.

Examples

  • Submitting a positive tuberculosis report to a state health department.
  • Providing vaccine lot and reaction details to regulators for safety monitoring.

Judicial and Administrative Proceedings

HIPAA allows disclosures of PHI in legal proceedings only under strict conditions. Before releasing records, confirm that the request meets the Privacy Rule's legal disclosure requirements, release only the PHI the order or assurance covers, and document your analysis as part of your covered entity obligations.

What to verify

  • Court or administrative order: disclose only the PHI expressly authorized.
  • Subpoena, discovery request, or other legal demand without an order: obtain satisfactory assurances (e.g., patient notice or protective order) or seek patient authorization.
  • Responding to litigation where you are a party: disclose only what is necessary and permitted.

Examples

  • Producing limited records under a judge’s order for a malpractice case.
  • Responding to a subpoena after the requesting party provides written assurance that it made a good-faith effort to notify the patient, the time for objections has passed, and no objections were filed (or all objections have been resolved).

Law Enforcement Purposes

Disclosures to law enforcement may occur without authorization in specific, narrowly tailored situations. Apply the minimum necessary standard and record the disclosure when required.

Permitted scenarios

  • When required by law (e.g., reporting certain wounds or injuries).
  • In response to a court order, warrant, or subpoena meeting HIPAA conditions.
  • To identify or locate a suspect, fugitive, material witness, or missing person (limited identifying information only).
  • About a crime victim with the individual’s agreement, or when the individual cannot agree and other criteria are met.
  • Information about a decedent when death may have resulted from criminal conduct.
  • Evidence of a crime that occurred on your premises.
  • During a medical emergency off premises, when necessary to report a crime, the location of the crime, or the perpetrator.

Examples

  • Sharing limited identifiers to help police locate a missing person treated in your ER.
  • Reporting a gunshot wound as required by state law.

Emergencies and Incapacity

When a patient is incapacitated or in an emergency, you may share PHI with family, friends, or caregivers involved in care or payment if it is in the patient’s best interests. Provide the patient an opportunity to agree or object when they regain capacity.

Disaster relief organizations may receive patient location and status to coordinate notifications. You also may disclose PHI to avert a serious and imminent threat to health or safety, consistent with professional judgment and applicable law.

Psychotherapy notes: narrow exceptions

  • Use by the originator for treatment.
  • Use or disclosure for training programs under the originator’s supervision.
  • Use or disclosure to defend a legal action or proceeding brought by the individual.
  • Disclosures required by law, disclosures to a health oversight agency for oversight of the originator's practice, and disclosures to HHS for compliance investigations.
  • To prevent or lessen a serious and imminent threat, when permitted by law.

Conclusion and Key Takeaways

  • Obtain authorization for non-permitted uses, including most marketing, sale of PHI, and disclosures of psychotherapy notes.
  • Leverage exceptions for TPO, public health, legal processes, law enforcement, and emergencies—always verify conditions and document.
  • Apply the minimum necessary standard except where the Rule exempts it (treatment disclosures and disclosures made under a valid authorization, for example), and align your processes with Privacy Rule compliance and your covered entity obligations.

FAQs

When must a covered entity obtain HIPAA authorization?

You must obtain a HIPAA authorization when a use or disclosure of PHI is not otherwise permitted by the Privacy Rule. Common examples include most marketing activities with financial remuneration, sale of PHI, many research disclosures without a waiver, and most disclosures of psychotherapy notes.

What types of PHI disclosures are exceptions to authorization?

Key exceptions include Treatment, Payment, and Healthcare Operations; public health activities; health oversight; certain judicial and administrative disclosures; defined law enforcement purposes; workers’ compensation programs; disclosures to family or others involved in care under specified conditions; and research with a waiver or a limited data set with a data use agreement.

Can PHI be used without authorization for law enforcement purposes?

Yes, in limited circumstances—such as when required by law, in response to a qualifying court order or subpoena, to locate a suspect or missing person (limited identifiers), for crimes on the premises, for emergencies off premises, or when the victim agrees or cannot agree and other criteria are met.

Is authorization required for disclosing psychotherapy notes?

Generally yes. Psychotherapy notes require a distinct Psychotherapy Notes Authorization, except for narrow situations like use by the originator, training, defense of legal actions, required-by-law disclosures, oversight of the originator, disclosures to HHS, and to prevent or lessen a serious and imminent threat.
