What is a HIPAA Authorization Form?

The HIPAA Privacy Rule requires that an individual provide signed authorization to a covered entity, before the entity may use or disclose certain protected health information (PHI). 

Under the Privacy Rule and in accordance with the minimum standards, doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities may use or disclose PHI (e.g.,  protected health information, X-rays, laboratory and pathology reports, diagnoses, and other medical information) without the patient’s authorization, for treatment purposes.

HIPAA Authorization Form

A HIPAA authorization form gives covered entities permission to use protected health information for purposes other than treatment, payment, or health care operations. Continue reading to find out what authorization to disclose health information is needed.

When Must HIPAA Authorization be Obtained?

HIPAA regulations outline the uses and disclosures of PHI that require an authorization be obtained from a patient/plan member before that person’s PHI can be shared or used. HIPAA Authorization forms are required before:

  • The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule
  • The covered entity can use or disclosure of PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
    • Note: Prior authorization for marketing is not required when:
      • Communication occurs face to face between the covered entity and the individual; or 
      • When the communication involves a promotional gift of nominal value.

What Information Must a HIPAA Authorization Contain to be Valid?

The law requires that a HIPAA authorization form contain specific “core elements” to be valid. In a HIPAA agreement form, these elements include:

  • A description of the specific information to be used or disclosed.
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  • The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
    • The signature of the individual, and the date. 

What Required Statements Must the HIPAA Authorization Form Contain?

In addition to the core elements, the HIPAA authorization must contain statements adequate to place the individual on notice of all of the following:

  • The individual‘s right to revoke the authorization in writing
  • The exceptions to the right to revoke (an individual may revoke an authorization in writing except when the covered entity has taken action in reliance on the authorization).
  • The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization, except that: 
    • A covered health care provider may condition the provision of research-related treatment on provision of an authorization for such research
    • A health plan may, to make eligibility or enrollment determinations, may condition enrollment in the health plan or eligibility for benefits on provision of an authorization.
  • The potential for information disclosed in to the authorization to be subject to HIPAA redisclosure by the recipient and no longer be protected by the Privacy Rule. 

HIPAA regulations also require that the HIPAA authorization must be written in plain language on the HIPAA form.

In addition, whenever a covered entity seeks a HIPAA authorization from an individual for a PHI use or disclosure, the covered entity must provide the individual with a copy of the signed HIPAA form authorization.

Let’s Simplify Compliance

A HIPAA authorization form is a small part of compliance. We help you with all your HIPAA requirements.