In 2023, OCR settled with a New England dermatology practice for $300,640 after the organization disclosed protected health information in response to a reporter's inquiries without first obtaining a valid patient authorization. The case underscored a compliance gap that persists across healthcare: organizations routinely misunderstand when a HIPAA privacy authorization is required and what must appear on the form to make it legally valid under 45 CFR §164.508.
What Is a HIPAA Privacy Authorization — and When Is It Required?
A HIPAA privacy authorization is a detailed, patient-signed document that permits a covered entity to use or disclose protected health information (PHI) for purposes that fall outside treatment, payment, and healthcare operations. Unlike general consent, an authorization must be specific, informed, and revocable.
The Privacy Rule at 45 CFR §164.508 lists several situations where an authorization is mandatory before PHI can leave your organization. These include disclosures for marketing purposes, most sales of PHI, disclosures of psychotherapy notes, and any use or disclosure not otherwise permitted or required by the Privacy Rule.
In my work with covered entities, the most common mistake I see is assuming that a general consent-to-treat form doubles as a valid authorization. It does not. These are legally distinct instruments with different requirements, and conflating them puts your organization at risk of an OCR enforcement action.
The Six Core Elements Every HIPAA Privacy Authorization Must Contain
Section 164.508(c)(1) specifies six required elements. If any one of these is missing, the authorization is defective and cannot serve as a legal basis for disclosure.
- Specific description of the PHI to be used or disclosed. Vague language like "all medical records" is insufficient. Identify the information by type, date range, or condition.
- Name or specific identification of the person(s) authorized to make the disclosure. Typically the covered entity or a specific provider within it.
- Name or specific identification of the recipient(s). The patient must know exactly who will receive their PHI.
- Description of the purpose of the disclosure. If the authorization is initiated by the individual, stating "at the request of the individual" is sufficient.
- Expiration date or event. Open-ended authorizations with no expiration are invalid, except in limited research contexts.
- Signature and date. The individual — or their personal representative — must sign and date the form.
Beyond these six, the regulation also requires three statements informing the individual of their rights: the right to revoke, the potential for re-disclosure by the recipient, and whether the covered entity is conditioning treatment or payment on the authorization (which is generally prohibited).
Where Organizations Consistently Get HIPAA Privacy Authorization Wrong
Healthcare organizations consistently struggle with three authorization pitfalls that OCR examiners flag during compliance reviews.
Compound Authorizations
The Privacy Rule prohibits combining an authorization for the use of psychotherapy notes with an authorization for any other purpose. Similarly, a covered entity cannot bundle a research-related authorization with one conditioning treatment on participation. Each must stand alone under §164.508(b)(3).
Failing to Honor Revocations
Patients have the right to revoke an authorization in writing at any time. Your organization must have a clear process for receiving, documenting, and acting on revocations. OCR has made clear that simply having a revocation policy in a binder is not enough — your workforce must be trained to execute it in real time.
Using Authorizations When They Aren't Needed
Ironically, some organizations over-authorize. Requiring patients to sign an authorization before sharing PHI for treatment, payment, or healthcare operations creates unnecessary friction and can confuse patients about their actual rights. The Privacy Rule already permits these disclosures under §164.506. A well-structured workforce HIPAA compliance program ensures your staff understands these boundaries.
The Minimum Necessary Standard and Authorizations
Here is a nuance that surprises many compliance officers: the minimum necessary standard under §164.502(b) does not apply to disclosures made pursuant to a valid HIPAA privacy authorization. When an individual has specifically authorized a disclosure, the covered entity may disclose the PHI described in the authorization without applying minimum necessary analysis.
That said, this is not a blank check. The authorization itself should be tightly scoped. If the patient authorized release of cardiology records from 2023 and your staff sends the entire medical history, you have a problem — not under minimum necessary, but under the authorization's own terms.
How Authorization Requirements Interact with Business Associates
When a business associate needs to use or disclose PHI in ways that go beyond what's permitted in the business associate agreement, a valid patient authorization is typically required. Your business associate agreements should clearly delineate which activities are covered under the BAA and which would require separate authorization.
OCR's enforcement history shows that confusion between business associate permitted uses and authorization-required uses is a recurring source of HIPAA violations. Both parties — covered entity and business associate — share responsibility for getting this right.
Building Compliant Authorization Forms Into Your Workflow
A valid HIPAA privacy authorization should not be an afterthought printed from a template found online. Build the form into your EHR workflow or intake process with the following practices:
- Use plain language that patients actually understand; regulatory jargon increases the chance that the authorization is not genuinely informed and therefore invalid.
- Date-stamp every authorization electronically where possible.
- Route revocations to the same system that tracks active authorizations.
- Audit authorization forms quarterly to verify all six core elements and three required statements are present.
- Train every member of your workforce — front desk, clinical, billing, and IT — on when authorizations are and are not required.
Comprehensive HIPAA training and certification equips your entire team to handle authorization scenarios with confidence, reducing the risk of unauthorized disclosures that trigger breach notification obligations.
The Cost of Getting Authorizations Wrong
Defective authorizations can cascade into serious consequences. A disclosure based on an invalid authorization is an impermissible disclosure. Depending on volume and intent, penalties under the HITECH Act's tiered structure can range from $137 per violation to over $2 million per violation category per year, as adjusted by HHS in 2024.
More practically, a pattern of authorization failures signals to OCR that your organization lacks an effective compliance program — which increases the likelihood of a corrective action plan and monitoring period.
Don't let a missing expiration date or a compound form be the reason your organization faces an enforcement action. Audit your authorization forms this quarter, train your workforce, and treat the HIPAA privacy authorization as what it is: a legal instrument that demands precision.