Which PHI Disclosures Require Written Authorization Under HIPAA?



Kevin Henry

HIPAA

August 26, 2025

7 minutes read

Psychotherapy Notes Disclosure Requirements

Under the HIPAA Privacy Rule, psychotherapy notes receive heightened protection. These are a therapist’s own notes documenting or analyzing a counseling session, kept separate from the rest of the medical record. Routine clinical information—medication details, session times, diagnoses, and treatment plans—is not “psychotherapy notes.”

As a covered entity, you generally must obtain a written authorization before using or disclosing psychotherapy notes. Limited exceptions apply, including use by the originator for treatment, training programs for mental health professionals, and disclosures needed to defend against a patient’s legal claim. Certain disclosures required by law, to health oversight agencies, to coroners or medical examiners, to HHS for compliance review, or to avert a serious and imminent threat may also proceed without authorization.

When an authorization is required for psychotherapy notes, it cannot be bundled with other permissions. Use a standalone form that clearly describes the notes being used or disclosed and the purpose.

Marketing Communications Authorization

Marketing communications are messages that encourage the purchase or use of a product or service. You may describe your own health-related products or services, coordinate care, or recommend alternative treatments without authorization when no third-party financial remuneration is involved.

If you or your business associate receives direct or indirect payment from a third party whose product or service is promoted, a written authorization is required. The authorization must state that you receive financial remuneration for the marketing communication. Refill reminders and adherence communications about a current prescription are permitted without authorization only when any payment is reasonably related to the cost of making the communication.

Remember: if an authorization is needed for marketing, it cannot be combined with other authorizations. Provide it in plain language and give the individual a copy once signed.

Sale of PHI and Authorization

The sale of PHI means an exchange of protected health information for direct or indirect remuneration. Except for narrow exceptions, you must obtain the individual’s written authorization before selling PHI, and that authorization must state that the disclosure results in remuneration.

Common exceptions include disclosures for public health, research (limited to cost-based fees for preparing or transmitting PHI), treatment and payment, business associate services where the only payment is for services rendered, sale or transfer of the covered entity as a business, and providing an individual with access to their own PHI. De-identified information is not PHI and is outside these requirements.

When in doubt, treat remuneration in exchange for identifiable data as a sale of PHI and secure a specific authorization that cannot be combined with any other permissions.


Specific Elements of HIPAA Authorizations

A valid HIPAA written authorization must be complete, specific, and understandable. Include these core authorization elements:

  • A meaningful description of the PHI to be used or disclosed.
  • Who may disclose the PHI and who may receive it (name or class of persons/organizations).
  • The purpose of the use/disclosure (or “at the request of the individual”).
  • An expiration date or event related to the individual or purpose (for research, an event such as “end of the study” is acceptable).
  • The individual’s signature and date; if a personal representative signs, note their authority.

Include these required statements:

  • The right to revoke the authorization in writing and how to do so, with limits on revocation where the covered entity has already relied on it.
  • Whether treatment, payment, enrollment, or eligibility is conditioned on the authorization (and the consequences of refusing, if applicable).
  • A notice that information disclosed may be subject to redisclosure by the recipient and may no longer be protected by HIPAA.

Special disclosures must add special statements: authorizations for marketing communications involving financial remuneration and for the sale of PHI must disclose that remuneration is involved. Authorizations for psychotherapy notes, for marketing with remuneration, and for sale of PHI cannot be combined with other permissions.

Use plain language, provide a copy to the individual, and keep the signed authorization. The minimum necessary standard does not apply to disclosures made pursuant to a valid authorization, but you should still disclose only what the authorization permits.

Exceptions to Authorization Requirements

HIPAA allows many uses and disclosures of PHI without written authorization. Key categories include:

  • Treatment, payment, and health care operations (TPO).
  • Disclosures to the individual, and to HHS for compliance investigations.
  • Public health activities, health oversight, and certain disclosures required by law.
  • Judicial and administrative proceedings, and specified law enforcement purposes.
  • To avert a serious threat to health or safety; for organ, eye, or tissue donation; and for workers’ compensation.
  • Research with an IRB/privacy board waiver or as a limited data set under a data use agreement.
  • Facility directories and disclosures to persons involved in care when the individual agrees or does not object.
  • Incidental disclosures that occur as a by-product of an otherwise permitted disclosure when reasonable safeguards and the minimum necessary are in place.

These exceptions have detailed conditions. Always confirm that an exception truly fits before proceeding without a written authorization.

HIPAA sets baseline federal rules; more stringent state laws (for example, mental health, HIV, genetic, or substance use data) control when they provide greater privacy. Verify both HIPAA and applicable state requirements before relying on any authorization.

An authorization is invalid if it is expired, lacks any core authorization elements, omits required statements, is known to be materially false, or is improperly combined with other authorizations where combination is prohibited. Individuals may revoke authorizations in writing, except to the extent you have already relied on them or when the authorization was a condition of obtaining insurance coverage and the insurer has certain rights.

Operationally, you should verify the requester’s identity, train staff on authorization elements, and retain authorizations for required recordkeeping periods. Disclose only what the authorization specifically permits, and document any revocation promptly.

In practice, ask yourself two questions: Does an exception clearly apply? If not, do I hold a complete, valid written authorization that matches the disclosure? Using this sequence protects individuals’ rights and your compliance posture under the HIPAA Privacy Rule.
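As an added illustration (this code is not from the article or from Accountable), the two-question sequence and the validity rules above can be expressed as a policy-as-code check that a disclosure workflow runs before releasing records. The field names, the `Purpose` values, the `TODAY` date and the two sample authorizations are this example's own constructions; the only rules encoded are the ones the article states (core elements, required statements, the remuneration statement for marketing and sale, the no-combination rule, expiration, revocation, and disclosing only what the authorization covers).

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Tuple, List


class Purpose(Enum):
    RESEARCH = "research"
    PSYCHOTHERAPY_NOTES = "psychotherapy notes"
    MARKETING_REMUNERATED = "marketing with financial remuneration"
    SALE_OF_PHI = "sale of PHI"


# Purposes whose authorization cannot be combined with any other permission.
STANDALONE_ONLY = {Purpose.PSYCHOTHERAPY_NOTES, Purpose.MARKETING_REMUNERATED, Purpose.SALE_OF_PHI}
# Purposes whose authorization must state that remuneration is involved.
NEEDS_REMUNERATION_STATEMENT = {Purpose.MARKETING_REMUNERATED, Purpose.SALE_OF_PHI}


@dataclass
class Authorization:
    """One signed authorization as captured at intake (field names are this example's own)."""
    phi_scope: frozenset                 # categories of PHI described on the form
    discloser: str
    recipient: str
    purposes: tuple                      # one or more Purpose values
    signature: str = ""
    signed_on: Optional[date] = None
    signed_by_representative: bool = False
    representative_authority: str = ""   # must be noted when a representative signs
    expiration_date: Optional[date] = None
    expiration_event: str = ""           # e.g. "end of the study" for research
    states_revocation_right: bool = False
    states_conditioning: bool = False
    states_redisclosure_warning: bool = False
    states_remuneration: bool = False
    known_materially_false: bool = False
    revoked_on: Optional[date] = None


def validate_authorization(auth: Authorization, today: date) -> List[str]:
    """Return every defect that makes the authorization invalid on `today` (empty list = valid)."""
    defects = []
    if not auth.phi_scope:
        defects.append("no description of the PHI")
    if not auth.discloser.strip() or not auth.recipient.strip():
        defects.append("discloser or recipient not identified")
    if not auth.purposes:
        defects.append("no purpose stated")
    if not auth.signature.strip() or auth.signed_on is None:
        defects.append("not signed and dated")
    if auth.signed_by_representative and not auth.representative_authority.strip():
        defects.append("personal representative's authority not noted")
    if auth.expiration_date is None and not auth.expiration_event.strip():
        defects.append("no expiration date or event")
    elif auth.expiration_date is not None and auth.expiration_date < today:
        defects.append("expired")
    for present, name in ((auth.states_revocation_right, "revocation statement"),
                          (auth.states_conditioning, "conditioning statement"),
                          (auth.states_redisclosure_warning, "redisclosure warning")):
        if not present:
            defects.append("missing " + name)
    purposes = set(auth.purposes)
    if purposes & NEEDS_REMUNERATION_STATEMENT and not auth.states_remuneration:
        defects.append("remuneration not stated")
    if purposes & STANDALONE_ONLY and len(purposes) > 1:
        defects.append("improperly combined with other permissions")
    if auth.known_materially_false:
        defects.append("known to be materially false")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        defects.append("revoked")
    return defects


def decide_disclosure(exception_applies: bool, auth: Optional[Authorization], today: date,
                      purpose: Optional[Purpose], requested_phi) -> Tuple[bool, str]:
    """The article's two questions: does an exception clearly apply? If not, is there a valid, matching authorization?"""
    if exception_applies:
        return True, "permitted without authorization under a confirmed exception"
    if auth is None:
        return False, "no exception applies and no authorization is on file"
    defects = validate_authorization(auth, today)
    if defects:
        return False, "invalid authorization: " + "; ".join(defects)
    if purpose not in auth.purposes:
        return False, "authorization does not cover this purpose"
    extra = set(requested_phi) - set(auth.phi_scope)
    if extra:  # disclose only what the authorization specifically permits
        return False, "requested PHI outside authorized scope: " + ", ".join(sorted(extra))
    return True, "permitted under a valid, matching authorization"


TODAY = date(2025, 8, 26)  # constructed evaluation date for the samples below


def sample_sale_authorization() -> Authorization:
    """Constructed sample: a standalone sale-of-PHI authorization with every element present."""
    return Authorization(phi_scope=frozenset({"lab results"}), discloser="Example Clinic (constructed)",
                         recipient="Example Buyer LLC (constructed)", purposes=(Purpose.SALE_OF_PHI,),
                         signature="J. Doe (constructed)", signed_on=date(2025, 8, 1),
                         expiration_date=date(2026, 8, 1), states_revocation_right=True,
                         states_conditioning=True, states_redisclosure_warning=True, states_remuneration=True)


def sample_combined_authorization() -> Authorization:
    """Constructed sample: bundles psychotherapy notes with a research purpose, which the rules forbid."""
    return Authorization(phi_scope=frozenset({"psychotherapy notes"}), discloser="Example Clinic (constructed)",
                         recipient="Example Study (constructed)", purposes=(Purpose.PSYCHOTHERAPY_NOTES, Purpose.RESEARCH),
                         signature="J. Doe (constructed)", signed_on=date(2025, 8, 1),
                         expiration_event="end of the study", states_revocation_right=True,
                         states_conditioning=True, states_redisclosure_warning=True)


if __name__ == "__main__":
    print(decide_disclosure(False, sample_sale_authorization(), TODAY, Purpose.SALE_OF_PHI, {"lab results"}))
    print(decide_disclosure(False, sample_combined_authorization(), TODAY, Purpose.PSYCHOTHERAPY_NOTES, {"psychotherapy notes"}))
```

The check returns every defect rather than stopping at the first, so the intake team can correct the form in one pass; the scope comparison at the end is what enforces the article's point that an authorization permits only the PHI it actually describes, even though the minimum necessary standard does not apply.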

FAQs

What types of PHI disclosures need written authorization?

You need a written authorization for uses or disclosures that are not permitted by HIPAA’s exceptions—most commonly: psychotherapy notes (with narrow exceptions), marketing communications that involve financial remuneration from a third party, and any sale of PHI. Many other discretionary disclosures outside treatment, payment, and operations also require authorization.

When is authorization not required under HIPAA?

No authorization is needed for treatment, payment, and health care operations; disclosures to the individual; many public health and oversight activities; certain court or law enforcement disclosures; to avert a serious threat; for organ donation and workers’ compensation; for HHS compliance; research with an approved waiver or limited data set agreement; and some care-partner or facility directory disclosures when the individual agrees or does not object.

What information must be included in a HIPAA authorization?

A valid authorization must describe the PHI, identify who may disclose and who may receive it, state the purpose, include an expiration date or event, and be signed and dated. It must also explain revocation rights, whether services are conditioned on signing (and any consequences), and warn that redisclosure may occur. If used for marketing communications with financial remuneration or for a sale of PHI, it must state that remuneration is involved.
