A psychiatrist's office in Connecticut faxed 65 pages of therapy notes to a patient's employer. The patient had signed a form — but it wasn't a valid HIPAA authorization. It was a generic release buried in an intake packet, missing three of the six required elements. The office treated it like a blank check. OCR treated it like a violation.
That scenario plays out more often than you'd think. A HIPAA authorization is one of the most misunderstood documents in healthcare privacy, and getting it wrong exposes your organization to federal enforcement, state lawsuits, and the kind of reputational damage that doesn't wash off.
This post breaks down exactly what makes a HIPAA authorization valid, when you actually need one, when you don't, and the real penalties organizations have paid for fumbling this process.
What Is a HIPAA Authorization, Exactly?
A HIPAA authorization is a detailed, patient-signed document that gives a covered entity permission to use or disclose protected health information (PHI) for purposes that fall outside the standard uses allowed under the HIPAA Privacy Rule.
That last part is critical. HIPAA already permits covered entities to use and share PHI for treatment, payment, and healthcare operations — no authorization needed. The authorization requirement kicks in when you want to do something beyond those core functions.
Think: releasing psychotherapy notes to a life insurance company. Sending records to a patient's attorney. Using a patient's photo in marketing materials. These require a valid, written HIPAA authorization before a single byte of PHI moves.
The Six Required Elements You Can't Skip
Under 45 CFR § 164.508, a valid HIPAA authorization must contain six core elements. Miss one, and the entire document is defective — meaning any disclosure you made based on it was unauthorized.
1. A Specific Description of the PHI
"All medical records" doesn't cut it. The authorization must describe the information to be used or disclosed in a specific and meaningful way. Examples: "psychiatric evaluation dated March 14, 2026" or "lab results from Quest Diagnostics, January through March 2026."
2. Who Is Authorized to Make the Disclosure
Name the person or entity disclosing the PHI. Not "my doctor." The actual provider or covered entity.
3. Who Will Receive the PHI
Identify the recipient by name or class. "My attorney, Sarah Kim at Kim & Associates" works. "Whoever needs it" does not.
4. The Purpose of the Disclosure
Why is this PHI being shared? "At the request of the individual" is acceptable as a purpose. But vague, catch-all language raises red flags.
5. An Expiration Date or Event
Every authorization must carry an expiration date or an expiration event that relates to the individual or to the purpose of the disclosure. That can be a calendar date or an event, such as "upon resolution of the claim." Open-ended authorizations with no expiration are invalid, with one narrow exception under § 164.508(c)(1)(v): an authorization for research may state "end of the research study," "none," or similar language. Outside research, "none" is a defect.
6. The Individual's Signature and Date
Seems obvious, but I've reviewed stacks of authorizations missing either the signature or the date. Both are required. If a personal representative signs, you also need documentation of their authority.
On top of these six elements, § 164.508(c)(2) requires three statements, written in plain language, that put the patient on notice of: their right to revoke the authorization in writing, along with how to do so and any exceptions; whether the covered entity may or may not condition treatment, payment, enrollment, or eligibility on signing; and the potential for the recipient to re-disclose the information, at which point it may no longer be protected by the Privacy Rule. A form that has all six core elements but omits any of these statements is still defective.
When You Need a HIPAA Authorization — And When You Don't
This is where most organizations get tangled. Here's the straightforward breakdown.
You Need an Authorization For:
- Most uses of psychotherapy notes (with very narrow exceptions)
- Marketing communications, unless they fall into specific face-to-face or promotional gift exceptions
- Any sale of PHI
- Disclosures to employers for employment decisions
- Sharing PHI with life insurers, media, or researchers (outside an IRB waiver)
You Don't Need an Authorization For:
- Treatment, payment, and healthcare operations (TPO)
- Disclosures required by law (court orders, mandatory reporting)
- Public health activities
- Disclosures to the individual themselves
- Uses for health oversight, judicial proceedings, or law enforcement under specific conditions
If you work in behavioral health, the authorization rules around psychotherapy notes are particularly strict. These notes sit in their own protected category under HIPAA — separate from the rest of the medical record. I walk through these distinctions in detail in our HIPAA Training for Mental & Behavioral Health course.
The $5.5 Million Lesson From Memorial Healthcare System
In 2017, HHS settled with Memorial Healthcare System for $5.5 million after employees accessed the PHI of more than 115,000 individuals without a business need to do so, in part using the still-active login credentials of a former employee of an affiliated physician practice. The root problem wasn't a rogue hacker. OCR cited a failure to regularly review information system activity (audit logs and access reports) and a failure to terminate access that was no longer needed.
That settlement, detailed on the HHS enforcement page, underscores a fundamental truth: "authorization" isn't only about the paper form a patient signs. It is also about which workforce members can reach ePHI, whether that access is revoked when it should be, and whether anyone is actually reading the access logs. A perfect authorization form does nothing if the records system lets anyone with a login pull the chart.
Defective Authorizations: What Makes One Invalid?
A covered entity may not rely on an authorization if:
- The expiration date has passed
- The form hasn't been filled out completely
- The authorization has been revoked by the patient
- The form contains material information the covered entity knows to be false
- Treatment, payment, enrollment, or eligibility was conditioned on signing, outside the narrow exceptions in § 164.508(b)(4) (research-related treatment, a health plan's pre-enrollment eligibility or underwriting determinations, and care provided solely to create PHI for a third party, such as a pre-employment physical)
- The authorization is an improper compound authorization (for example, a psychotherapy notes authorization bundled with any other document)
I've seen organizations use a single, multi-purpose consent form at intake and assume it covers everything. It doesn't. Consent for treatment is not the same as a HIPAA authorization. They are legally distinct documents with different requirements under the Privacy Rule.
Compound Authorizations and Conditioned Authorizations
HIPAA generally allows one authorization to be combined with another authorization, but not with other documents such as a consent to treat or the notice of privacy practices. Psychotherapy notes are the strict case: under § 164.508(b)(3)(ii), an authorization for psychotherapy notes may be combined only with another authorization for psychotherapy notes. You cannot bundle a psychotherapy notes authorization into a consent-for-treatment form, or onto a general records-release form, and call it good. Research authorizations get a separate carve-out: a conditioned and an unconditioned research authorization may appear on one form, provided the two are clearly differentiated and the patient can opt in to the unconditioned part.
Conditioned authorizations, where you refuse treatment, payment, enrollment, or eligibility unless the patient signs, are prohibited in most situations. The exceptions in § 164.508(b)(4) are research-related treatment, a health plan's eligibility or enrollment determinations and underwriting before enrollment (never for psychotherapy notes), and health care provided solely for the purpose of creating PHI for disclosure to a third party. If your situation isn't one of those, the patient's care cannot hinge on a signature.
How to Build a Bulletproof Authorization Process
Standardize Your Forms
Create authorization templates that include every required element. Build in check boxes for purpose, recipient, and expiration. Have legal counsel review them annually.
Train Every Staff Member Who Handles PHI
Front desk staff, medical records clerks, billing coordinators — anyone who touches PHI needs to understand when a HIPAA authorization is required and how to verify one is valid before releasing records. Our HIPAA Introduction Training 2026 course covers this end-to-end for new and existing workforce members.
Track and Audit
Maintain a log of every authorization received, including the date, scope, and expiration. When a patient revokes an authorization, document it immediately and flag the record. Set up calendar reminders for approaching expiration dates.
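The "may not rely on" list above and the standardize, train, track-and-audit steps in this section describe one decision: before a single record leaves the building, someone has to check the form against the six elements, the three statements, the defective-authorization conditions in § 164.508(b)(2), and the actual release request. The following Python is an added example of that check as release-time logic, not code from the original post or from any records system. The field names, the labels in CONDITIONING_EXCEPTIONS, the sample forms, and the release date are assumptions constructed for illustration; the checks themselves track the elements and conditions listed in this post.

```python
"""Validate a HIPAA authorization record before releasing PHI.

Added example, not from the original post. Field names and labels are
assumptions; they map onto the six core elements and three required
statements of 45 CFR 164.508(c) and the "defective authorization"
conditions of 164.508(b)(2).
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Assumed labels for the narrow cases where conditioning care on signing is allowed (164.508(b)(4)).
CONDITIONING_EXCEPTIONS = {
    "research_related_treatment",
    "health_plan_eligibility_or_enrollment",
    "care_solely_to_create_phi_for_third_party",
}
# Descriptions that do not identify the PHI "in a specific and meaningful fashion".
VAGUE_DESCRIPTIONS = {"", "all medical records", "all records", "any and all records"}
# Expiration wording that is only acceptable on a research authorization.
OPEN_ENDED_EXPIRATIONS = {"none", "end of the research study"}


@dataclass
class Authorization:
    phi_description: str                          # element 1
    disclosing_party: str                         # element 2
    recipient: str                                # element 3
    purpose: str                                  # element 4
    expiration_date: Optional[date] = None        # element 5, date form ...
    expiration_event: Optional[str] = None        # ... or event form
    signature_date: Optional[date] = None         # element 6 (None = unsigned or undated)
    signed_by_representative: bool = False
    representative_authority: str = ""            # required when a representative signs
    research_use: bool = False
    has_revocation_statement: bool = False        # the three required statements
    has_conditioning_statement: bool = False
    has_redisclosure_statement: bool = False
    expiration_event_occurred: bool = False       # status facts known to the covered entity
    revoked_on: Optional[date] = None
    conditioned_on_treatment: bool = False
    conditioning_basis: str = ""
    known_false_info: bool = False
    psychotherapy_notes: bool = False
    bundled_with: tuple = ()                      # other documents printed on the same form


def find_defects(auth: Authorization, requested_recipient: str, on: date) -> list:
    """Every reason the covered entity may NOT rely on `auth` to release PHI to
    `requested_recipient` on date `on`. An empty list means the release may proceed."""
    d = []
    if auth.phi_description.strip().lower() in VAGUE_DESCRIPTIONS:
        d.append("element 1: PHI not described specifically")
    if not auth.disclosing_party.strip():
        d.append("element 2: disclosing party not named")
    if not auth.recipient.strip():
        d.append("element 3: recipient not named")
    if not auth.purpose.strip():
        d.append("element 4: purpose missing")
    if auth.expiration_date is None and not auth.expiration_event:
        d.append("element 5: no expiration date or event")
    elif (auth.expiration_event and auth.expiration_event.strip().lower() in OPEN_ENDED_EXPIRATIONS
          and not auth.research_use):
        d.append("element 5: open-ended expiration is only allowed for research")
    if auth.signature_date is None:
        d.append("element 6: signature or date missing")
    if auth.signed_by_representative and not auth.representative_authority.strip():
        d.append("element 6: personal representative's authority not documented")
    if not (auth.has_revocation_statement and auth.has_conditioning_statement
            and auth.has_redisclosure_statement):
        d.append("required statements (revocation, conditioning, redisclosure) incomplete")
    # 164.508(b)(2) conditions, evaluated as of the release date, not the signing date
    if auth.expiration_date is not None and on > auth.expiration_date:
        d.append("expired: expiration date has passed")
    if auth.expiration_event_occurred:
        d.append("expired: expiration event has occurred")
    if auth.revoked_on is not None and auth.revoked_on <= on:
        d.append("revoked by the individual")
    if auth.conditioned_on_treatment and auth.conditioning_basis not in CONDITIONING_EXCEPTIONS:
        d.append("treatment or payment was improperly conditioned on signing")
    if auth.known_false_info:
        d.append("contains material information known to be false")
    if auth.psychotherapy_notes and any(doc != "psychotherapy_notes_authorization" for doc in auth.bundled_with):
        d.append("psychotherapy notes authorization combined with another document")
    # Scope check: the form must name the party actually asking for the records
    if auth.recipient.strip() and auth.recipient.strip().lower() != requested_recipient.strip().lower():
        d.append(f"recipient mismatch: form names {auth.recipient!r}, request is for {requested_recipient!r}")
    return d


def may_release(auth: Authorization, requested_recipient: str, on: date) -> bool:
    return not find_defects(auth, requested_recipient, on)


# Constructed sample forms (not real records). RELEASE_DATE is the assumed day of the request.
RELEASE_DATE = date(2026, 4, 1)
ATTORNEY_AUTH = Authorization(
    phi_description="psychiatric evaluation dated March 14, 2026",
    disclosing_party="Elm Street Psychiatry, PC", recipient="Sarah Kim, Kim & Associates",
    purpose="at the request of the individual", expiration_event="upon resolution of the claim",
    signature_date=date(2026, 3, 20), has_revocation_statement=True,
    has_conditioning_statement=True, has_redisclosure_statement=True)
REVOKED_AUTH = replace(ATTORNEY_AUTH, revoked_on=date(2026, 3, 30))
EXPIRED_AUTH = replace(ATTORNEY_AUTH, expiration_event=None, expiration_date=date(2026, 3, 31))
# The generic intake-packet release from the opening scenario: three elements missing, no statements,
# psychotherapy notes bundled with a consent to treat.
INTAKE_RELEASE = Authorization(
    phi_description="all medical records", disclosing_party="Elm Street Psychiatry, PC",
    recipient="", purpose="release of records", signature_date=date(2026, 1, 5),
    psychotherapy_notes=True, bundled_with=("consent_to_treat",))

if __name__ == "__main__":
    for name, auth in (("attorney", ATTORNEY_AUTH), ("intake", INTAKE_RELEASE)):
        print(name, find_defects(auth, "Acme Corp HR", RELEASE_DATE) or ["ok"])
```

Two design points matter for the audit log described above. First, expiration and revocation are evaluated against the release date, not the signing date, so a form that was valid when filed is refused the day after it lapses or the day the revocation arrives, which is the failure mode behind continued disclosures after a revocation. Second, the recipient on the request is matched against the recipient named on the form, so the same authorization cannot be reused to send the records to a different party; log the returned defect list alongside the request, and you have the record an OCR investigator will ask for.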
Don't Confuse Authorization with Consent
Say it one more time for the people in the back: consent for treatment is not a HIPAA authorization. An authorization is purpose-specific, time-limited, and revocable. A general consent to treat is none of those things.
What Happens When a Breach Follows a Bad Authorization?
If your organization discloses PHI based on an invalid HIPAA authorization, you've made an impermissible disclosure. Under the HIPAA Breach Notification Rule, an impermissible disclosure is presumed to be a breach unless you can demonstrate, through a documented four-factor risk assessment, a low probability that the PHI was compromised. Faxing 65 pages of therapy notes to an employer will not pass that test.
You'll need to notify the affected individuals without unreasonable delay and no later than 60 days after discovery. HHS must be notified within that same 60-day window when 500 or more individuals are affected, or in an annual log submission for smaller breaches. If the breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must be notified as well. Then comes the OCR investigation, the corrective action plan, and possibly a six- or seven-figure settlement.
Having a clear incident response process matters. If your team doesn't know what to do in the first hour after discovering an unauthorized disclosure, that delay compounds the damage. Our First 60 Minutes: Incident Response course was built for exactly this scenario.
The Most Common HIPAA Authorization Mistakes I See
After years of consulting, these are the patterns that keep repeating:
- Using outdated forms that predate regulatory updates
- Accepting verbal authorizations for uses that require written ones
- Failing to verify identity before honoring an authorization received by fax or email
- Not tracking revocations, leading to continued disclosures after a patient revoked consent
- Blanket authorizations with no expiration date and no specificity about the PHI involved
Every one of these is fixable. But only if your workforce knows the rules — and your organization treats HIPAA authorization as a core compliance function, not an afterthought buried in an intake packet.
Your Next Step
Pull your current authorization forms. Compare them against the six required elements and three required statements in 45 CFR § 164.508. If anything is missing, stop using that form today. Then make sure every person in your organization who handles PHI can explain the difference between consent and authorization without checking a manual.
That's the standard. It's not optional. And the organizations that treat it seriously are the ones that stay off OCR's wall of shame.