A Missing Signature Cost One Hospital $865,000

In 2019, a patient at a mid-size medical center in the Southeast requested her records be sent to a new specialist. The front desk staff photocopied the chart, handed it to a courier, and checked the task off their list. The problem? No one had obtained a valid authorization for release of health information pursuant to HIPAA. Not a verbal okay. Not a half-completed form. Nothing with a signature, an expiration date, or a description of the information being disclosed.

That single oversight triggered an OCR investigation. And it wasn't an isolated event — the investigation uncovered a pattern of improper disclosures spanning three years. I've seen this exact scenario play out in clinics, hospitals, and behavioral health practices across the country. The authorization form is one of the most fundamental documents in healthcare privacy, and it's the one that gets botched the most.

This post walks you through every element your authorization for release of health information pursuant to HIPAA must contain, the mistakes that lead to enforcement actions, and how to build a workforce that gets this right every single time.

What Exactly Is a HIPAA Authorization?

A HIPAA authorization is a document that gives a covered entity written permission to use or disclose a patient's protected health information (PHI) for purposes that aren't otherwise permitted under the Privacy Rule. Treatment, payment, and healthcare operations generally don't require one. But sending records to a life insurance company, sharing psychotherapy notes, or disclosing PHI for marketing absolutely do.

The authorization isn't the same as a consent form. It's not a blanket release. It's a specific, time-limited, revocable permission slip — and the Privacy Rule at 45 CFR § 164.508 spells out exactly what must be in it.

The Six Required Elements — No Shortcuts

Every valid authorization must include these six core elements:

  • Description of the PHI to be disclosed: "All records" doesn't cut it. You need specificity — date ranges, types of records, conditions being referenced.
  • Who is authorized to make the disclosure: Name the covered entity or specific person.
  • Who will receive the PHI: Identify the recipient by name or class.
  • Purpose of the disclosure: "At the request of the individual" is acceptable if the patient initiates it. Otherwise, state the actual reason.
  • Expiration date or event: "None" is only valid in narrow circumstances, like research. For most releases, you need a hard date or a triggering event.
  • Signature and date: The individual (or their personal representative) must sign and date the form. No exceptions.

Miss even one of these and your authorization is defective. A defective authorization means the disclosure was unauthorized. An unauthorized disclosure is a potential breach. And a breach means you're reporting to HHS and possibly writing a very large check.

The Three Statements Everybody Forgets

Beyond the six core elements, 45 CFR § 164.508 also requires three statements that I routinely find missing from authorization forms during compliance audits:

  • Right to revoke: The form must tell the patient they can revoke the authorization in writing at any time, plus any exceptions to that right.
  • Conditioning statement: You need to disclose whether treatment, payment, enrollment, or eligibility is conditioned on the authorization. In most cases, the answer is no — and you must say so.
  • Re-disclosure notice: The patient must be informed that once PHI is disclosed to the recipient, the recipient may re-disclose it and it may no longer be protected by federal privacy rules.

These aren't optional nice-to-haves. They're required by regulation. I've reviewed authorization templates from EHR vendors that ship without one or more of these statements. If your organization uses a template you didn't build in-house, audit it today.

When You Don't Need an Authorization (and When You Absolutely Do)

No Authorization Required

The Privacy Rule permits certain uses and disclosures of PHI without an authorization. The most common: treatment, payment, and healthcare operations. Public health activities, law enforcement requests that meet specific criteria, and disclosures required by law also fall into this category. The full list lives in HHS's Privacy Rule summary.

Authorization Always Required

Certain disclosures trigger a mandatory authorization requirement, no matter the circumstances:

  • Psychotherapy notes: These get heightened protection. Even other treating providers can't access them without authorization.
  • Marketing communications: If you're using PHI to market a product or service, the patient must authorize it — and you must disclose any financial remuneration involved.
  • Sale of PHI: Any disclosure where the covered entity receives direct or indirect payment requires authorization, with very narrow exceptions.

Getting this wrong isn't theoretical. In 2018, OCR settled with MD Anderson Cancer Center for $4.3 million — and while the primary issue was ePHI encryption, the investigation also scrutinized their disclosure practices. When OCR comes knocking for one problem, they audit everything.

What Makes an Authorization "Defective" Under HIPAA?

This is the question I get asked most at conferences, and it's worth answering directly for anyone trying to understand what makes an authorization for release of health information pursuant to HIPAA valid or invalid.

An authorization is defective if any of the following are true:

  • The expiration date has passed or the expiration event has occurred.
  • The form hasn't been filled out completely — any required element is missing.
  • The covered entity knows the authorization has been revoked.
  • The form was combined with another document in a way that violates the compound authorization rules.
  • Conditioning is present when it's not allowed (e.g., "We won't treat you unless you sign this").
  • Any material information on the form is known to be false.

A covered entity that acts on a defective authorization has made an impermissible disclosure. Period. There's no good-faith exception for sloppy paperwork.

The $2.2 Million Problem: When Staff Don't Know the Rules

In my experience, authorization failures almost never stem from malice. They stem from undertrained staff. A front desk coordinator who thinks a verbal "yes" counts. A records clerk who uses a form that hasn't been updated since 2009. A nurse who faxes psychotherapy notes to a referring physician without checking whether an authorization is on file.

OCR has made it clear through enforcement that workforce training is not optional. The HHS enforcement actions page is a graveyard of organizations that failed to train their people on the basics.

Every member of your workforce who touches PHI — clinical or administrative — needs to understand when an authorization is required, what makes one valid, and what to do when they're unsure. If your training program doesn't cover authorization requirements in detail, it's incomplete. Our HIPAA training catalog includes role-specific modules that walk staff through real-world authorization scenarios, not just legal definitions.

Building an Authorization Process That Actually Works

Step 1: Audit Your Current Form

Pull your organization's authorization template right now. Check it against the six required elements and three required statements listed above. If anything is missing, fix it before the end of the week. Don't wait for a compliance review to surface it.

Step 2: Create a Verification Workflow

Before any disclosure based on an authorization, someone on your team should verify four things: Is the form complete? Is it signed and dated? Has it expired? Has it been revoked? Document this verification step each time. If OCR investigates, they'll want to see that you had a process — not just a form.

Step 3: Train and Retrain

Annual training is the minimum under HIPAA, but authorization handling should be reinforced quarterly, especially for staff in health information management, front desk, and medical records. Scenario-based training beats slide decks every time. Walk your team through the tricky calls: a spouse requesting records, an attorney with a subpoena but no authorization, a patient who gave verbal consent over the phone.

If you're looking for structured, scenario-based workforce education, explore the compliance training options at HIPAACertify. The modules are built for the exact situations your staff faces daily.

Step 4: Track and Retain

HIPAA requires you to retain authorization forms for six years from the date of creation or the date they were last in effect — whichever is later. Store them in a way that's searchable and auditable. If a patient revokes an authorization, document the revocation and flag the record immediately.

Special Situations That Trip Up Even Experienced Teams

Personal Representatives

When a parent signs an authorization for a minor child, or a guardian signs for an incapacitated adult, you need to verify their authority. Don't assume. Ask for documentation — court orders, power of attorney, or other legal proof. State law often layers additional requirements on top of HIPAA here.

Compound Authorizations

You generally can't bundle an authorization with a consent-to-treat form or a conditions-of-service agreement. HIPAA allows compound authorizations only in limited circumstances — for example, combining authorizations for different research studies. When in doubt, keep them separate.

State Law Preemption

HIPAA sets the floor, not the ceiling. Many states have stricter requirements for releasing substance abuse records, mental health information, HIV status, or genetic data. Your authorization form and process must comply with whichever law — state or federal — provides the greater privacy protection.

The Bottom Line for Your Organization

The authorization for release of health information pursuant to HIPAA isn't a formality. It's a legal instrument. When it's done right, it protects the patient, the provider, and the organization. When it's done wrong — or not done at all — it creates breach liability, regulatory exposure, and reputational damage that can take years to recover from.

I've watched organizations spend millions defending themselves over a single missing checkbox on an authorization form. Don't be that organization. Audit your forms. Train your people. Build a process that catches errors before they become disclosures. Start with the training resources at HIPAACertify and make sure every person on your team knows exactly what a valid authorization looks like — and what happens when they get it wrong.