Awareness article
HIPAA Authorization vs Consent: What's the Difference?
HIPAA Authorization and treatment consent are different legal documents with different requirements. Confusing them is one of the most common mistakes in clinic privacy programs. This article explains when each is required and when neither is needed.
Short answer
The HIPAA Authorization form is required for uses and disclosures outside treatment, payment, and healthcare operations. Treatment consent is a separate document under state law and medical ethics. A clinic that conflates them — or uses one where the other is needed — creates both legal exposure and documentation gaps.
The confusion between a HIPAA Authorization and a treatment consent form shows up regularly in clinic privacy reviews. Staff present patients with a form and call it a “HIPAA form.” Patients sign it without understanding whether they are consenting to treatment, consenting to a specific use of their records, or acknowledging a privacy policy.
These are different things. Conflating them creates documentation gaps and, in some situations, exposes the clinic to a claim that an impermissible disclosure was made.
What a HIPAA Authorization Is
A HIPAA Authorization is a written document, signed by the patient or the patient’s personal representative, that permits a covered entity to use or disclose PHI for a purpose that falls outside the categories that HIPAA permits without patient consent.
The governing regulation is 45 CFR §164.508. It defines when an Authorization is required, what the Authorization must contain, and what restrictions apply to Authorizations.
Authorizations are required for uses and disclosures that are not otherwise permitted under HIPAA — most commonly:
- Sharing records with an employer, insurer, or attorney at the patient’s request
- Using PHI for marketing purposes (subject to specific exceptions)
- Selling PHI (with narrow exceptions)
- Using PHI in research not covered by an Institutional Review Board waiver
- Sharing PHI with family members or friends beyond what is permitted under the minimum necessary standard for care discussions
- Sharing psychotherapy notes (which require an Authorization even when other mental health records would be covered by TPO)
An Authorization is not a general consent to treatment. It is a permission slip for a specific act.
The Eight Required Elements of a Valid HIPAA Authorization
45 CFR §164.508(c)(1) specifies eight elements that a valid Authorization must contain. An Authorization missing any of these is defective and cannot support a permissible disclosure.
1. A description of the information to be used or disclosed. The description must be specific enough that both the covered entity and the patient understand exactly what information is covered. “All my medical records” is generally acceptable. “My records related to my February 2026 visit” is more specific. Overly vague descriptions create ambiguity about scope.
2. The name or class of persons authorized to make the use or disclosure. Who is the disclosing party? For most clinic authorizations, this is the covered entity itself. If the Authorization covers a specific department or provider within a health system, name it.
3. The name or class of persons authorized to receive the information. To whom may the disclosure be made? Name the person, organization, or class of recipient specifically. “My attorney” without a name may be acceptable for a narrow disclosure; “any requesting party” is not a valid class.
4. A description of each purpose of the requested use or disclosure. Why is the information being disclosed? The patient’s own request is a sufficient purpose. If the use is for marketing, the Authorization must state that the covered entity may receive remuneration for the disclosure (if applicable) and must specifically describe the intended marketing use.
5. An expiration date or expiration event. Every Authorization must have a time limit. The expiration may be a specific date (“This Authorization expires on December 31, 2026”) or a defined event (“This Authorization expires at the conclusion of the referenced research study”). An Authorization with no expiration term at all is defective.
6. The signature of the individual and date. The individual (or their legally authorized personal representative) must sign and date the Authorization. Electronic signatures may be acceptable depending on applicable state law and the clinic’s electronic records policies.
The regulation also requires two additional elements that are essentially statements of patient rights:
7. A statement that the individual may revoke the Authorization in writing and a description of how to do so, plus a statement of any exceptions to the right of revocation (principally, that revocation cannot undo disclosures already made in reliance on the Authorization).
8. A statement that the covered entity may not condition treatment or payment on whether the individual signs the Authorization, except in the specific cases where conditioning is permitted under §164.508(b)(4) (such as research-related treatment or eligibility for health plan enrollment).
These elements must all appear in a single document. Supplementing a deficient Authorization with a verbal explanation does not cure the defect.
What Treatment Consent Is and Why It Is Different
Treatment consent — also called informed consent — is a separate legal and ethical requirement. It is not a HIPAA document. It is governed by state law and medical ethics standards, and it protects a different set of patient rights.
Treatment consent documents the patient’s agreement to receive a proposed medical procedure or course of treatment. It requires the patient to receive information about the nature of the procedure, material risks, alternatives, and the right to refuse. A patient who consents to a procedure is authorizing their physician to perform it — not authorizing the sharing of records about it.
A HIPAA Authorization, by contrast, does not authorize any clinical action. It authorizes information flows.
Giving a patient a HIPAA Authorization form and calling it a “consent form” — or giving them a treatment consent form and telling them it also authorizes record sharing — produces a document that may not satisfy either legal standard.
Keep these documents separate. Use HIPAA Authorizations for information disclosures. Use treatment consent forms for clinical procedures. Train staff on the difference.
The TPO Exception: When Authorization Is Not Required
The most important concept for day-to-day clinic operations is the TPO exception. HIPAA permits covered entities to use and disclose PHI for treatment, payment, and healthcare operations without patient Authorization.
Treatment means providing, coordinating, or managing health care and related services by one or more health care providers. This includes:
- A physician sharing records with a specialist for a referral
- A nurse reviewing a patient’s medication history before administering treatment
- A pharmacist confirming a patient’s allergy history before filling a prescription
- Care coordination across a provider organization
Payment means activities undertaken by a covered entity to obtain or provide reimbursement for health care. This includes billing insurance, prior authorization requests, and collection activities.
Healthcare operations means administrative, financial, legal, and quality improvement activities necessary to run the covered entity. This includes quality assurance review, staff training using de-identified cases, audits, and certain marketing activities that meet specific criteria.
The TPO exception is why a clinic can share records with a consultant treating the same patient, send claims to an insurer, and train new staff on care protocols without obtaining a separate Authorization for each activity. It is the backbone of functional healthcare operations.
Common Scenarios Where Authorization Is and Is Not Required
Required:
- A patient asks you to send their records to their attorney for a personal injury case
- A marketing company wants to use patient contact information to send health product offers
- A pharmaceutical company requests patient contact information for a clinical trial enrollment campaign
- A patient asks that records be sent to a family member who is not involved in their care
Not required (TPO exception applies):
- Sending records to a specialist you are referring the patient to
- Sharing records with an emergency department treating the patient
- Billing the patient’s health insurance for services rendered
- Reviewing records for quality assurance purposes within the covered entity
Not required (other HIPAA exceptions apply):
- Disclosing information to public health authorities for disease reporting
- Disclosing to law enforcement under specific circumstances described in §164.512(f)
- Disclosing to the patient themselves under the right of access (§164.524)
How Long Authorizations Are Valid and How Patients Revoke Them
An Authorization must contain an expiration date or event. There is no maximum statutory duration — the period is set in the Authorization document itself. An Authorization for sending records to an attorney might expire after 90 days. An Authorization for ongoing research participation might expire when the research study concludes.
Patients may revoke an Authorization at any time. The revocation must be in writing. Upon receiving a written revocation, the clinic must stop any further use or disclosure under the Authorization — but actions already taken in reliance on the Authorization (disclosures already made) cannot be undone.
Retain executed Authorizations — including revocations — as part of the patient’s record. Under §164.530(j), Authorizations are compliance documentation subject to the six-year retention requirement.