In 2023, OCR settled with a New England dermatology practice for $300,640 after an investigation revealed the organization had disclosed protected health information to a patient's employer without a valid authorization. The case underscored what many healthcare organizations still get wrong: HIPAA release of information requirements aren't optional guardrails — they're enforceable mandates with specific elements your workforce must verify every time PHI leaves your organization.
What the Privacy Rule Actually Requires for Releasing PHI
The HIPAA Privacy Rule, codified at 45 CFR § 164.508, establishes that a covered entity may not use or disclose protected health information without a valid written authorization from the individual — unless the disclosure falls under a specific exception. Those exceptions are narrower than most organizations assume.
Permissible disclosures without authorization include treatment, payment, and healthcare operations (TPO), disclosures required by law, and certain public health activities outlined in §164.512. Everything else — marketing, most research, psychotherapy notes, and third-party requests — requires a signed, compliant authorization form.
In my work with covered entities, the most frequent compliance gap isn't the absence of an authorization form. It's that the form itself fails to contain every element the Privacy Rule mandates.
The Six Required Elements of a Valid HIPAA Authorization
Under 45 CFR § 164.508(c), a valid authorization must contain all of the following core elements. Missing even one renders the authorization defective, and any disclosure based on it becomes a HIPAA violation.
- A specific description of the PHI to be used or disclosed. Vague language like "all medical records" has been flagged by OCR as insufficient. Identify the information by type, date range, or encounter.
- The name or class of persons authorized to make the disclosure. This is typically your covered entity or a specific department.
- The name or class of persons to whom the disclosure will be made. The recipient must be identifiable — an insurance company, attorney, family member, or employer.
- A description of the purpose of the disclosure. "At the request of the individual" is acceptable when the patient initiates the release, but the purpose field cannot be left blank.
- An expiration date or event. Open-ended authorizations with no expiration are not valid. The form must state when the authorization ends.
- The individual's signature and date. If signed by a personal representative, documentation of their authority must accompany the form.
Additionally, the authorization must include three required statements informing the individual of their right to revoke, the potential for re-disclosure by the recipient, and the fact that the covered entity cannot condition treatment on the authorization (with limited exceptions for research).
HIPAA Release of Information Requirements Your HIM Team Must Enforce
Health information management professionals sit at the front line of HIPAA release of information requirements. Every request that crosses their desk demands a verification workflow — not just a signature check.
Your HIM team should confirm the identity of the requester under §164.514(h). They should apply the minimum necessary standard, releasing only the PHI specifically described in the authorization — not the entire medical record unless that's precisely what was authorized. And they must log every disclosure in an accounting of disclosures as required by §164.528.
Healthcare organizations consistently struggle with turnaround time pressures. Staff rush to fulfill requests and skip verification steps. That's how defective authorizations slip through and how OCR investigations begin.
Common Defective Authorization Scenarios
OCR enforcement actions and guidance documents reveal patterns your organization should train against:
- Authorizations signed by someone other than the patient with no proof of legal authority.
- Forms that pre-date the treatment encounter referenced in the request.
- Compound authorizations that bundle research consent with marketing — prohibited under §164.508(b)(3).
- Authorizations received via fax with illegible signatures or missing pages.
- Expired authorizations that staff process without checking the expiration date.
Each of these scenarios represents a preventable HIPAA violation. The fix is consistent HIPAA training and certification that gives your workforce the knowledge to spot defective forms before disclosure occurs.
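As an added worked example (written for this article, not taken from it or from any OCR or HHS material), the checklist above can be encoded as a pre-disclosure gate: a checker that tests the six core elements, the three required statements, the compound-authorization prohibition and the defect patterns listed, and a release function that refuses to hand anything over until requester identity is verified, the form passes, the minimum necessary scope is applied, and an accounting-of-disclosures entry is written. The field names, the list of vague descriptions, the record categories and the sample chart and forms are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

# Illustrative checker for this article's checklist; it is not an OCR tool and
# not a legal interpretation of 45 CFR 164.508. Field names are assumptions.
REQUIRED_STATEMENTS = frozenset({"revoke", "redisclosure", "conditioning"})
VAGUE_DESCRIPTIONS = frozenset({"all medical records", "all records", "entire chart"})
TODAY = date(2024, 3, 1)  # fixed "today" so the sample runs deterministically


@dataclass(frozen=True)
class Authorization:
    phi_description: str                     # element 1: PHI by type, date range or encounter
    discloser: str                           # element 2: who may disclose
    recipient: str                           # element 3: who receives
    purpose: str                             # element 4: why
    expiration_date: Optional[date]          # element 5: date form ...
    expiration_event: Optional[str]          # ... or event form
    signed_by: str                           # element 6: signature ...
    signature_date: Optional[date]           # ... and date
    signed_by_patient: bool
    representative_authority_attached: bool  # POA/guardianship papers if a representative signed
    statements: frozenset                    # required statements found on the form
    authorized_categories: frozenset         # record categories HIM transcribed from element 1
    authorizes_research: bool = False
    authorizes_marketing: bool = False
    pages_complete: bool = True
    signature_legible: bool = True


def find_defects(auth: Authorization, today: date) -> List[str]:
    """Return every defect found; an empty list means the form passes the checklist."""
    defects = []
    description = auth.phi_description.strip().lower()
    if not description:
        defects.append("missing PHI description")
    elif description in VAGUE_DESCRIPTIONS:
        defects.append("PHI description too vague")
    if not auth.discloser.strip():
        defects.append("missing discloser")
    if not auth.recipient.strip():
        defects.append("missing recipient")
    if not auth.purpose.strip():
        defects.append("missing purpose")
    if auth.expiration_date is None and not auth.expiration_event:
        defects.append("missing expiration date or event")
    elif auth.expiration_date is not None and auth.expiration_date < today:
        defects.append("authorization expired")
    if not auth.signed_by.strip() or auth.signature_date is None:
        defects.append("missing signature or signature date")
    elif auth.signature_date > today:
        defects.append("signature date in the future")
    if not auth.signed_by_patient and not auth.representative_authority_attached:
        defects.append("personal representative signed without documented authority")
    missing = REQUIRED_STATEMENTS - auth.statements
    if missing:
        defects.append("missing required statement(s): " + ", ".join(sorted(missing)))
    if auth.authorizes_research and auth.authorizes_marketing:
        defects.append("prohibited compound authorization (research bundled with marketing)")
    if not auth.pages_complete:
        defects.append("pages missing")
    if not auth.signature_legible:
        defects.append("signature illegible")
    return defects


def release_phi(auth, requester_verified, chart, today, disclosure_log):
    """Gate a release: identity check, defect check, minimum necessary, then log the disclosure."""
    if not requester_verified:
        raise PermissionError("requester identity not verified")
    defects = find_defects(auth, today)
    if defects:
        raise ValueError("defective authorization: " + "; ".join(defects))
    # Minimum necessary: only the categories the form actually names leave the chart.
    released = {cat: recs for cat, recs in chart.items() if cat in auth.authorized_categories}
    disclosure_log.append({"date": today.isoformat(), "recipient": auth.recipient,
                           "purpose": auth.purpose, "categories": sorted(released)})
    return released


# Constructed sample chart and forms (no real patient data).
SAMPLE_CHART = {
    "lab results 2023": ["CBC 2023-03-04", "lipid panel 2023-09-12"],
    "imaging 2023": ["chest x-ray 2023-05-20"],
    "psychotherapy notes": ["session 2023-06-01"],  # never named on the form, so never released
}
GOOD_AUTH = Authorization(
    phi_description="Lab results and imaging reports, 01/01/2023 to 12/31/2023",
    discloser="Example Clinic HIM Department", recipient="Northside Orthopedics",
    purpose="Continuity of care", expiration_date=date(2025, 1, 1), expiration_event=None,
    signed_by="Pat Example", signature_date=date(2024, 2, 1), signed_by_patient=True,
    representative_authority_attached=False, statements=REQUIRED_STATEMENTS,
    authorized_categories=frozenset({"lab results 2023", "imaging 2023"}),
)
BAD_AUTH = Authorization(
    phi_description="all medical records", discloser="Example Clinic HIM Department",
    recipient="Acme Employer LLC", purpose="", expiration_date=None, expiration_event=None,
    signed_by="R. Relative", signature_date=date(2024, 2, 1), signed_by_patient=False,
    representative_authority_attached=False, statements=frozenset({"revoke"}),
    authorized_categories=frozenset(), authorizes_research=True, authorizes_marketing=True,
)

if __name__ == "__main__":
    log = []
    print(release_phi(GOOD_AUTH, True, SAMPLE_CHART, TODAY, log), log)
    print(find_defects(BAD_AUTH, TODAY))
    print(find_defects(replace(GOOD_AUTH, expiration_date=date(2024, 1, 1)), TODAY))
```

The release function deliberately fails closed: any single defect, or an unverified requester, stops the disclosure before the minimum-necessary filter runs, and the log entry is written only for releases that actually happened, which is what an accounting of disclosures under §164.528 has to reflect.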
The Right of Access vs. Authorization: A Critical Distinction
One area where HIPAA release of information requirements create confusion is the overlap between a patient's right of access under §164.524 and the authorization requirement under §164.508.
When a patient requests their own records, they are exercising their right of access. This does not require a formal authorization — it requires your covered entity to respond within 30 days (with one 30-day extension if needed) and to provide the records in the format the patient requests, if readily producible.
When a patient asks you to send their records to a third party, that does require a valid written authorization — or, under the 2013 Omnibus Rule, a written directive from the patient specifying the designated recipient. OCR's Right of Access enforcement initiative, which produced over 45 enforcement actions between 2019 and 2024, shows the agency is actively monitoring how covered entities handle both pathways.
Business Associate Obligations in the Release Process
If your organization uses a business associate to process release of information requests — as many hospitals and health systems do — those vendors must comply with HIPAA release of information requirements through a compliant business associate agreement (BAA) under §164.502(e).
Your BAA should explicitly address authorization verification procedures, minimum necessary protocols, breach notification timelines, and return or destruction of PHI upon contract termination. The covered entity remains ultimately responsible for ensuring its business associates handle disclosures lawfully.
Build a Workforce That Gets Authorization Right Every Time
Defective authorizations don't just create regulatory risk — they erode patient trust. Every improper disclosure is a patient whose information ended up somewhere it shouldn't have.
The most effective mitigation strategy is ongoing, role-specific workforce training that goes beyond annual checkbox exercises. Your front-desk staff, HIM specialists, nurses, and billing teams each encounter release scenarios differently. Training must reflect that reality.
Invest in a comprehensive workforce HIPAA compliance program that covers authorization requirements, right of access obligations, minimum necessary analysis, and breach response protocols. When your workforce can identify a defective authorization in seconds, your organization stays ahead of OCR — not in its crosshairs.
The regulatory landscape isn't getting simpler. OCR's enforcement budget, penalty authority, and investigative reach continue to expand. Meeting HIPAA release of information requirements isn't a one-time project — it's a daily operational discipline that protects your patients and your organization.