Awareness article
HIPAA Authorization: Definition and Requirements for Small Clinics
The HIPAA authorization definition, when authorization is required, required elements under 45 CFR § 164.508, defective authorization, right to revoke, and compound authorization rules.
Short answer
A HIPAA authorization is the patient's written permission for a covered entity to use or disclose their PHI for purposes not otherwise allowed by the Privacy Rule. 45 CFR § 164.508. Authorization is required for marketing uses of PHI, sale of PHI, psychotherapy note disclosures, and uses or disclosures that fall outside treatment, payment, and healthcare operations.
A HIPAA authorization is a patient’s written permission, in a form that meets the specific requirements of 45 CFR § 164.508, for your clinic to use or disclose their PHI in ways the Privacy Rule does not otherwise allow. Authorization exists at the boundary of what the TPO framework permits. When a use or disclosure falls outside treatment, payment, healthcare operations, and the specific permissible disclosures under the Privacy Rule, your clinic must have valid written authorization before proceeding.
Small-clinic example: A pharmaceutical company approaches a 4-provider family medicine practice and offers to pay $1,500 for the clinic to send a mailer to all patients with hypertension about a new blood pressure medication. Your practice administrator agrees and generates a mailing list from the EHR. No authorization was obtained. This is a marketing use of PHI with financial remuneration - authorization was required from each patient on the list before the mailing could be sent. The mailing is a Privacy Rule violation regardless of whether the medication is clinically appropriate.
When Authorization Is Required
The Privacy Rule permits PHI uses that fall within TPO and within specific permissible disclosure categories (public health, law enforcement, health oversight, etc.). Outside those categories, your clinic must have patient authorization.
Specific situations requiring authorization under 45 CFR § 164.508:
Marketing. Any use or disclosure of PHI for marketing purposes requires authorization (45 CFR § 164.508(a)(3)). Marketing includes communications that encourage patients to purchase or use a product or service. If your clinic receives financial remuneration for making a communication - even a health-related one - authorization is required. Exceptions exist for face-to-face communications, promotional gifts of nominal value, and certain communications about your clinic’s own health-related products and services.
Sale of PHI. Any disclosure of PHI in exchange for remuneration requires authorization unless the disclosure falls within a specific exception (45 CFR § 164.508(a)(4)). “Sale” includes any exchange of PHI for value - cash, services, or in-kind benefit. This applies to sharing patient lists, demographic data, clinical outcomes data, or any other PHI in exchange for payment.
Psychotherapy notes. Uses or disclosures of psychotherapy notes require a specific authorization in virtually every circumstance (45 CFR § 164.508(a)(2)). The only exceptions are limited: the originating clinician’s own treatment use, training of mental health students under supervision, legal defense purposes, oversight of the originating mental health professional, and a few others. Even treatment disclosures of psychotherapy notes to other providers generally require authorization.
Uses outside TPO. Any use or disclosure of PHI that does not fall within TPO or another specific Privacy Rule permission requires authorization. This includes: research using patient PHI without an IRB waiver of authorization; disclosures to employers for non-treatment purposes; sharing records with insurance companies for life, disability, or long-term care underwriting; sharing records with legal counsel retained by the patient; and releasing records to the media.
Required Elements of a Valid Authorization
Under 45 CFR § 164.508(c)(1), a valid authorization must contain six core elements.
1. A description of the PHI to be used or disclosed. Specific enough that both the patient and your clinic can identify what information is covered. “All medical records” is acceptable for comprehensive releases. “Records related to treatment for diabetes from January 1, 2024 to December 31, 2024” is also acceptable and may be more appropriate for specific purposes.
2. The name or other specific identification of the person(s) authorized to make the use or disclosure. Who is releasing the PHI - your clinic, a specific business associate, or a specific practitioner.
3. The name or other specific identification of the person(s) to whom the PHI may be disclosed. Who will receive the PHI - a specific attorney’s name and firm, a researcher’s institution, an employer’s HR department. “Insurance companies” or “any requesting party” are too vague to satisfy this element.
4. A description of each purpose of the use or disclosure. Why is the PHI being used or disclosed? “At the request of the individual” is acceptable if the patient initiates the release for their own purposes. Otherwise, a specific purpose statement is required.
5. An expiration date or expiration event. When does the authorization expire? A specific date, a period (“one year from the date signed”), or an event (“upon completion of the legal proceeding”) all satisfy this element. “None” or “unlimited” is not permissible.
6. Signature of the individual and date. The patient must sign and date. If the patient is incompetent, an authorized representative may sign with notation of the representative’s authority.
Two Required Statements
Every authorization must also include two statements (45 CFR § 164.508(c)(2)).
Statement 1 - Right to revoke. The authorization must inform the patient that they have the right to revoke it in writing, how to do so, and the exceptions to the right to revoke (where your clinic has already acted in reliance on the authorization).
Statement 2 - Consequences of refusal. Where applicable, the authorization must inform the patient whether treatment, payment, enrollment, or eligibility for benefits is conditioned on the authorization. If your clinic will not condition treatment on the authorization, the statement must say so.
Defective Authorizations
Under 45 CFR § 164.508(b)(2), your clinic may not use or disclose PHI pursuant to a defective authorization. An authorization is defective if:
- The expiration date has passed or the expiration event has occurred
- The authorization has been revoked
- A required element is missing or incorrectly stated
- The authorization violates the compound authorization restrictions
- Your clinic knows the authorization was obtained through fraud, duress, or material misrepresentation
Common defects:
- Missing expiration date or event
- Recipient listed too vaguely (“any insurer”)
- No signature or undated
- PHI description too vague (“my health information”)
- Purpose listed as “N/A” or left blank
A signed release form that is missing required elements is not a valid authorization. Your clinic cannot rely on it even if the patient seemed to consent to the release.
Compound Authorizations
45 CFR § 164.508(b)(3) restricts which authorizations can be combined on a single document.
Psychotherapy notes cannot be combined with any other authorization except another psychotherapy notes authorization. This is an absolute prohibition. A form that asks the patient to authorize release of both medical records and psychotherapy notes on the same document is defective as to the psychotherapy notes.
Research authorizations must be separated from conditioned authorizations. An authorization that conditions treatment on the patient’s research participation must stand alone, clearly noted as a condition.
Marketing authorizations that involve remuneration cannot be combined with treatment authorizations. If your clinic receives financial remuneration for making a marketing communication, the authorization for that marketing use must be separate from any other authorization.
The Right to Revoke
Under 45 CFR § 164.508(b)(5), a patient may revoke an authorization at any time in writing. The revocation is effective when your clinic receives it - not retroactively from when the authorization was signed.
Exceptions to the right to revoke: To the extent your clinic has already taken action in reliance on the authorization before receiving the revocation notice, the disclosure cannot be undone. Records already released cannot be recalled. A marketing mailing already sent cannot be unsent.
Practical procedure: Establish a process for receiving, logging, and acting on revocation notices. When you receive a revocation, immediately halt any pending disclosures and document the revocation. Inform the patient of the effective date and the scope of disclosures already made that cannot be reversed.
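The element, defect, compound-authorization and revocation rules above are the kind of checks a clinic's authorization-tracking workflow should apply before any disclosure is released. The following is an added example, not code from this article or from PHIGuard; the data model, the field names and the word lists of "too vague" phrasing are assumptions made for illustration, and the sample records are constructed. It reports every reason a disclosure on a given date may not proceed, and treats a revocation as effective from the day it is received rather than retroactively.

```python
"""Validity checks for a HIPAA authorization record, modelled on the
elements of 45 CFR 164.508(c), the defect conditions of 164.508(b)(2),
the compound limits of 164.508(b)(3) and revocation under 164.508(b)(5).
Added example; the data model and word lists are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed lists of wording the article flags as too vague. A real
# system would route such wording to human review, not rely on a word list.
VAGUE_RECIPIENTS = {"insurance companies", "any insurer", "any requesting party"}
VAGUE_PHI = {"my health information", "health information"}
VAGUE_PURPOSES = {"n/a", "none"}


@dataclass
class Authorization:
    phi_description: str                      # element 1
    releasing_party: str                      # element 2
    recipient: str                            # element 3
    purposes: list                            # element 4
    signed_by: Optional[str]                  # element 6
    signed_on: Optional[date]                 # element 6
    expiration_date: Optional[date] = None    # element 5 (date form)
    expiration_event: Optional[str] = None    # element 5 (event form)
    expiration_event_occurred: bool = False
    has_revocation_statement: bool = False    # statement 1
    has_conditioning_statement: bool = False  # statement 2
    covers_psychotherapy_notes: bool = False
    covers_other_records: bool = False
    marketing_with_remuneration: bool = False
    combined_with_treatment_auth: bool = False
    revoked_on: Optional[date] = None         # day the written revocation arrived
    known_fraud_or_duress: bool = False


def _blank(value: Optional[str]) -> bool:
    return value is None or not value.strip()


def element_defects(auth: Authorization) -> list:
    """Check the six core elements and the two required statements."""
    defects = []
    if _blank(auth.phi_description) or auth.phi_description.strip().lower() in VAGUE_PHI:
        defects.append("element 1: PHI description missing or too vague")
    if _blank(auth.releasing_party):
        defects.append("element 2: releasing party not identified")
    if _blank(auth.recipient) or auth.recipient.strip().lower() in VAGUE_RECIPIENTS:
        defects.append("element 3: recipient missing or too vague")
    purposes = [p.strip() for p in auth.purposes if not _blank(p)]
    if not purposes or all(p.lower() in VAGUE_PURPOSES for p in purposes):
        defects.append("element 4: purpose missing or listed as N/A")
    if auth.expiration_date is None and _blank(auth.expiration_event):
        defects.append("element 5: no expiration date or event")
    if _blank(auth.signed_by) or auth.signed_on is None:
        defects.append("element 6: signature or date missing")
    if not auth.has_revocation_statement:
        defects.append("statement 1: right-to-revoke statement missing")
    if not auth.has_conditioning_statement:
        defects.append("statement 2: conditioning statement missing")
    return defects


def compound_defects(auth: Authorization) -> list:
    """Apply the compound-authorization restrictions."""
    defects = []
    if auth.covers_psychotherapy_notes and auth.covers_other_records:
        defects.append("psychotherapy notes combined with other records")
    if auth.marketing_with_remuneration and auth.combined_with_treatment_auth:
        defects.append("remunerated marketing combined with treatment authorization")
    return defects


def disclosure_defects(auth: Authorization, on: date) -> list:
    """Every reason the clinic may NOT disclose under `auth` on date `on`.
    An empty list means the disclosure may proceed that day."""
    defects = element_defects(auth) + compound_defects(auth)
    if auth.expiration_date is not None and on > auth.expiration_date:
        defects.append("expired by date")
    if auth.expiration_event_occurred:
        defects.append("expiration event has occurred")
    # Revocation is effective on receipt: disclosures made earlier were in
    # reliance on the authorization and are not retroactively defective.
    if auth.revoked_on is not None and on >= auth.revoked_on:
        defects.append("revoked before this disclosure")
    if auth.known_fraud_or_duress:
        defects.append("known to be obtained by fraud, duress or misrepresentation")
    return defects


# Constructed sample records (hypothetical clinic, attorney and dates).
GOOD = Authorization(
    phi_description="Records related to treatment for diabetes, 2024-01-01 to 2024-12-31",
    releasing_party="Example Family Medicine (hypothetical clinic)",
    recipient="J. Doe, Doe & Roe LLP (hypothetical attorney)",
    purposes=["At the request of the individual"],
    signed_by="Patient", signed_on=date(2025, 1, 15),
    expiration_event="upon completion of the legal proceeding",
    has_revocation_statement=True, has_conditioning_statement=True,
)
BAD = Authorization(  # the common defects from the article, all on one form
    phi_description="my health information",
    releasing_party="Example Family Medicine (hypothetical clinic)",
    recipient="any insurer", purposes=["N/A"], signed_by=None, signed_on=None,
    has_revocation_statement=True, has_conditioning_statement=False,
    covers_psychotherapy_notes=True, covers_other_records=True,
)
REVOKED = Authorization(  # same as GOOD, but revocation received 2025-02-01
    phi_description=GOOD.phi_description, releasing_party=GOOD.releasing_party,
    recipient=GOOD.recipient, purposes=GOOD.purposes, signed_by="Patient",
    signed_on=date(2025, 1, 15), expiration_date=date(2025, 12, 31),
    has_revocation_statement=True, has_conditioning_statement=True,
    revoked_on=date(2025, 2, 1),
)


def sample_results() -> dict:
    """Defect lists for the constructed samples on fixed dates."""
    return {
        "good": disclosure_defects(GOOD, date(2025, 3, 1)),
        "bad": disclosure_defects(BAD, date(2025, 3, 1)),
        "revoked_before": disclosure_defects(REVOKED, date(2025, 1, 20)),
        "revoked_after": disclosure_defects(REVOKED, date(2025, 2, 1)),
    }


if __name__ == "__main__":
    for name, defects in sample_results().items():
        print(name, defects or ["no defects"])
```

The check is deliberately conservative: any single defect blocks the disclosure, matching the rule that a signed form missing a required element is not a valid authorization at all. The revocation comparison uses the date the written notice was received, so a disclosure logged before that day stays valid while anything on or after it is refused.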
Authorization vs. Notice of Privacy Practices
Authorization is often confused with the Notice of Privacy Practices (NPP). They serve distinct purposes.
The NPP (see notice of privacy practices) informs patients of how your clinic may use PHI. It is a disclosure document, not a consent or permission form.
Authorization is the patient’s active, specific, written permission for a specific use or disclosure that the Privacy Rule does not otherwise permit.
Patients must receive the NPP at first service and sign an acknowledgment of receipt. That acknowledgment is not authorization for any specific use - it is confirmation only that the patient received the notice.
For a standardized authorization form template that includes all required elements, see HIPAA authorization form template.
PHIGuard helps small clinics manage authorization workflows, track revocations, and ensure required elements are captured for every authorization. See PHIGuard’s HIPAA compliance page for how the platform supports patient rights management.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.