In 2023, OCR settled with a New England dermatology practice for $300,640 after the organization disclosed protected health information to a patient's employer — without obtaining a valid authorization for release of health information form. The case was textbook: a staff member released records in response to a phone call, assumed the request was legitimate, and never collected the written authorization the Privacy Rule demands. It's a scenario I see replayed at healthcare organizations of all sizes, and it's entirely preventable.
What the Privacy Rule Actually Requires in an Authorization for Release of Health Information Form
Under 45 CFR § 164.508, a covered entity may not use or disclose protected health information (PHI) without a valid written authorization from the individual, except where the Privacy Rule specifically permits or requires it — such as for treatment, payment, or healthcare operations. The authorization for release of health information form is the mechanism that gives your organization legal permission to share PHI beyond those standard exceptions.
OCR has made clear that a valid authorization is not just a signature on a piece of paper. The regulation lists specific core elements and required statements that must appear on every form. Miss even one, and you're looking at an invalid authorization — which means any disclosure you made based on it was unauthorized.
The Six Core Elements Every Form Must Contain
Your authorization for release of health information form must include all of the following under 45 CFR § 164.508(c)(1):
- A specific description of the PHI to be used or disclosed. Vague language like "all records" may not satisfy the minimum necessary standard. Be precise: dates of service, types of records, treating provider.
- The name or class of persons authorized to make the disclosure. Identify your organization, specific department, or provider by name.
- The name or class of persons to whom the disclosure will be made. The patient must know exactly who will receive their information.
- A description of the purpose of the disclosure. "At the request of the individual" is acceptable if the patient initiates it, but for other scenarios, specificity matters.
- An expiration date or event. Open-ended authorizations are invalid. Include a clear end date or a triggering event (e.g., "upon resolution of the claim").
- The individual's signature and date. If a personal representative signs, documentation of their authority is required.
Beyond these core elements, the form must also include three required statements: the individual's right to revoke the authorization, the potential for re-disclosure by the recipient, and whether the covered entity conditions treatment or benefits on obtaining the authorization (which, in most cases, it cannot).
Psychotherapy Notes and Marketing: When Standard Authorization Isn't Enough
Healthcare organizations consistently struggle with the heightened authorization requirements for psychotherapy notes and marketing. Under 45 CFR § 164.508(a)(2), an authorization for psychotherapy notes cannot be combined with any other authorization. If your intake department uses a single bundled form that covers general records and psychotherapy notes together, that authorization is defective.
For uses involving marketing or the sale of PHI, separate authorizations with additional specific language are required. The Omnibus Rule in 2013 tightened these provisions significantly, and OCR continues to scrutinize organizations that blur the lines. If your business associates are involved in marketing communications, their obligations under the Business Associate Agreement must align with these requirements.
Common Mistakes That Invalidate Your Authorization Forms
In my work with covered entities, I've reviewed hundreds of authorization forms. The same errors appear repeatedly:
- No expiration date. This is the single most common deficiency. A form that says "this authorization does not expire" is invalid under the Privacy Rule.
- Compound authorizations where prohibited. Combining research authorizations with treatment consent or bundling psychotherapy notes with general medical records violates 45 CFR § 164.508(b)(3).
- Missing revocation language. Every form must tell the individual they can revoke the authorization in writing at any time, and explain the exceptions to revocation.
- Pre-checked boxes or blanket language. Forms that pre-select the type or scope of disclosure undermine the patient's right to make an informed decision.
- Failure to provide a copy. Under 45 CFR § 164.508(c)(4), if the covered entity seeks the authorization, the individual must receive a signed copy. Many organizations skip this step entirely.
The Workforce Training Requirement Most Organizations Underestimate
An authorization form is only as reliable as the workforce member who collects and processes it. Front desk staff, health information management professionals, and clinical team members must all understand when an authorization is required, how to verify its validity, and what to do when one is defective.
Under 45 CFR § 164.530(b), your covered entity must train every workforce member on policies and procedures related to PHI — including authorization requirements. A single training session during onboarding is not sufficient. OCR expects ongoing, role-specific education. Organizations that invest in comprehensive HIPAA training and certification dramatically reduce their exposure to authorization-related HIPAA violations.
Build a Compliant Authorization Workflow — Not Just a Form
The real risk isn't the form itself — it's the absence of a reliable workflow around it. Your organization needs documented procedures that address:
- Who is responsible for verifying completeness before PHI is released.
- How authorizations are logged, tracked, and stored.
- What happens when a patient revokes an authorization mid-process.
- How your risk analysis accounts for improper disclosures linked to defective authorizations.
- How your Notice of Privacy Practices informs patients about their authorization rights.
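One way to implement the "verify completeness before release" step against the core elements, required statements, psychotherapy-note rule and revocation handling described above, as an added Python example that is not part of the original article or any product (the record layout, field names and sample values are this example's own assumptions):

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
# Constructed record of one release-of-information authorization as a workflow
# might store it; field names are this example's own, not the regulation's.
@dataclass
class Authorization:
    phi_description: str                    # element 1: what PHI is covered
    disclosing_party: str                   # element 2: who may disclose
    recipient: str                          # element 3: who receives it
    purpose: str                            # element 4
    signed_on: Optional[date]               # element 6: signature and date
    expiration_date: Optional[date] = None  # element 5: a date ...
    expiration_event: Optional[str] = None  # ... or a triggering event
    statements: set = field(default_factory=set)  # required statements present
    covers_psychotherapy_notes: bool = False
    covers_other_phi: bool = False
    revoked_on: Optional[date] = None

REQUIRED_STATEMENTS = {"right_to_revoke", "redisclosure", "conditioning"}
VAGUE_SCOPES = {"all records", "any and all records", "entire record"}
def validate(auth: Authorization, today: date) -> list:
    """Return defects found before release; an empty list means release may proceed."""
    defects = []
    scope = auth.phi_description.strip().lower()
    if not scope or scope in VAGUE_SCOPES:
        defects.append("phi description missing or too vague")
    for name in ("disclosing_party", "recipient", "purpose"):
        if not getattr(auth, name).strip():
            defects.append(f"{name} missing")
    if auth.expiration_date is None and not auth.expiration_event:
        defects.append("no expiration date or event")
    elif auth.expiration_date is not None and auth.expiration_date < today:
        defects.append("authorization expired")
    if auth.signed_on is None:
        defects.append("signature/date missing")
    missing = REQUIRED_STATEMENTS - auth.statements
    if missing:
        defects.append("missing statements: " + ", ".join(sorted(missing)))
    if auth.covers_psychotherapy_notes and auth.covers_other_phi:
        defects.append("psychotherapy notes combined with other PHI")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        defects.append("authorization revoked")
    return defects

# Constructed sample: the bundled, open-ended form the article warns about.
DEFECTIVE = Authorization("all records", "Example Clinic", "Employer HR", "employment",
                          date(2024, 1, 5), statements={"right_to_revoke"},
                          covers_psychotherapy_notes=True, covers_other_phi=True)
```

Wiring `validate` into the release step means a staff member cannot release PHI on a record that returns any defect, and the returned list doubles as the log entry the workflow keeps for that request.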
These operational controls matter as much as the language on the form. When OCR investigates a complaint about unauthorized disclosure, they don't just look at the document — they look at your policies, your training records, and your corrective action history.
Take Action Before OCR Does
Review every authorization for release of health information form your organization currently uses. Check it against the core elements and required statements in 45 CFR § 164.508. If your forms were last updated before the 2013 Omnibus Rule, they are almost certainly non-compliant.
Then look beyond the form. Audit your release-of-information workflow. Confirm your workforce has been trained — not just once, but on a recurring basis that reflects current OCR enforcement priorities. HIPAA Certify's workforce compliance platform provides the structured training and documentation your organization needs to demonstrate compliance when it matters most.
A valid authorization protects your patients' rights and your organization's future. Treat it like the regulatory requirement it is — not an administrative afterthought.