What is a HIPAA Authorization Form?

The HIPAA Privacy Rule requires that an individual provide signed authorization to a covered entity before the entity may use or disclose certain protected health information (PHI).


Under the Privacy Rule, doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities may use or disclose PHI (e.g., protected health information, X-rays, laboratory and pathology reports, diagnoses, and other medical information) without the patient’s authorization for treatment purposes.

A HIPAA authorization form gives covered entities permission to use protected health information for purposes other than treatment, payment, or health care operations. 

When Must HIPAA Authorization be Obtained?

HIPAA regulations outline the uses and disclosures of PHI that require an authorization be obtained from a patient/plan member before that person’s PHI can be shared or used. Authorization is required before:

  • The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule
  • The covered entity can use or disclose PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
    • Note: Prior authorization for marketing is not required when:
      • The communication occurs face to face between the covered entity and the individual; or
      • The communication involves a promotional gift of nominal value.

What Information Must a HIPAA Authorization Contain to be Valid?


The law requires that a HIPAA authorization form contain specific “core elements” to be valid. These elements include:

  • A description of the specific information to be used or disclosed.
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  • The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure.
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
  • The signature of the individual, and the date.

What Required Statements Must the HIPAA Authorization Form Contain?


In addition to the core elements, the HIPAA authorization must contain statements adequate to place the individual on notice of all of the following:

  • The individual’s right to revoke the authorization in writing.
  • The exceptions to the right to revoke (an individual may revoke an authorization in writing except when the covered entity has taken action in reliance on the authorization).
  • The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization, except that: 
    • A covered health care provider may condition the provision of research-related treatment on provision of an authorization for such research.
    • A health plan may, to make eligibility or enrollment determinations, condition enrollment in the health plan or eligibility for benefits on provision of an authorization.
  • The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by the Privacy Rule.

HIPAA regulations also require that the HIPAA authorization be written in plain language.

In addition, whenever a covered entity seeks a HIPAA authorization from an individual for a PHI use or disclosure, the covered entity must provide the individual with a copy of the signed authorization.

What About Psychotherapy Notes?

The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session. These notes are separate from the rest of the patient’s medical record.

Psychotherapy notes do not include any information about:

  • Medication prescription and monitoring
  • Counseling session start and stop times
  • The modalities and frequencies of treatment furnished
  • Results of clinical tests
  • Summaries of diagnosis
  • Functional status
  • Treatment plans
  • Symptoms 
  • Prognosis
  • Progress to date
  • Information maintained in a patient’s medical record

Psychotherapy notes contain particularly sensitive information. These notes constitute the personal notes of the therapist – notes that usually are not required or useful for treatment, payment, or health care operations purposes (other than by the mental health professional who created the notes).

Therefore, the Privacy Rule generally requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes.

What About Substance Abuse Disorders?

Generally, covered entities cannot use or disclose substance abuse and treatment records without patient authorization.

There are two exceptions to this rule:

For the particular purpose of treating a patient with a substance abuse disorder, HIPAA permits disclosure of protected health information (PHI) without patient consent. PHI may also be used or disclosed without patient authorization to lessen a threat of serious and imminent harm to the health or safety of the patient or others.