Authorization for Uses and Disclosures of PHI

A covered entity must obtain the individual’s written authorization for any uses and disclosures of PHI (protected health information) that are not for treatment, payment or health care operations, or otherwise permitted or required by the HIPAA Privacy Rule.

A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.

An individual’s authorization may permit the use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party.

All authorization forms used by a patient permitting uses and disclosures of PHI must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, the expiration date of the authorization, and the right to revoke the authorization in writing.

When Must Patient Authorization be Obtained for Uses and Disclosures of PHI?

Authorizations are generally required for psychotherapy notes, substance abuse disorder and treatment records, and for marketing purposes.

Psychotherapy Notes 

The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session. These notes are separate from the rest of the patient’s medical record.

Psychotherapy notes do not include any information about:

  • Medication prescription and monitoring
  • Counseling session start and stop times
  • The modalities and frequencies of treatment furnished
  • Results of clinical tests
  • Summaries of diagnosis
  • Functional status
  • Treatment plans
  • Symptoms 
  • Prognosis
  • Progress to date
  • Information maintained in a patient’s medical record

Psychotherapy notes contain particularly sensitive information. These notes constitute the personal notes of the therapist – notes that usually are not required or useful for treatment, payment, or health care operations purposes (other than by the mental health professional who created the notes).

Therefore, the Privacy Rule generally requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes.

A covered entity need not obtain authorization to use or disclose psychotherapy notes:

    • For its own training; 
    • To defend itself in legal proceedings brought by the individual;
    • For HHS to investigate or determine the covered entity’s compliance with the Privacy Rule;
    • To avert a serious and imminent threat to public health or safety;
    • To a health oversight agency for lawful oversight of the originator of the psychotherapy notes; and
    • For the lawful activities of a coroner or medical examiner.

Substance Abuse Disorder and Treatment Records

Generally, covered entities cannot use and disclose substance abuse disorder and treatment records without patient authorization.

There are two exceptions to this rule:

For the particular purpose of treating a patient with a substance abuse disorder, HIPAA permits disclosure of protected health information (PHI) without patient consent. PHI may also be used or disclosed without patient authorization to lessen a threat of serious and imminent harm to the health or safety of the patient or others.


Marketing

Marketing is defined as any communication about a product or service that encourages recipients to purchase or use the product or service. The Privacy Rule carves out the following health-related activities from this definition of marketing:

  • Communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the covered entity making the communication;
  • Communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan’s enrollees that add value to, but are not part of, the benefits plan;
  • Communications for treatment of an individual; and
  • Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.

Marketing is also defined under the Privacy Rule as an arrangement between a covered entity and any other entity in which the covered entity discloses protected health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services.

A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value.

No authorization is needed to make a communication that falls within one of the exceptions to the marketing definition.

An authorization for marketing that involves the covered entity’s receipt of direct or indirect remuneration from a third party must reveal that fact.
