In 2023, OCR settled with a health system that had been using an outdated authorization form for nearly four years — one that failed to include the patient's right to revoke. The resulting investigation uncovered systemic problems with how the organization disclosed protected health information to third parties. The penalty: $1.2 million. The root cause wasn't a cyberattack or a rogue employee. It was a flawed PHI authorization form that no one had bothered to update.
What a Valid PHI Authorization Must Contain Under the Privacy Rule
The HIPAA Privacy Rule at 45 CFR § 164.508 lays out specific core elements that every PHI authorization must include. Miss even one, and your authorization is invalid — meaning any disclosure you made based on it could constitute a HIPAA violation.
Here are the required elements:
- A specific, meaningful description of the information to be used or disclosed
- The name or class of persons authorized to make the disclosure
- The name or class of persons to whom the disclosure may be made
- A description of each purpose of the use or disclosure ("at the request of the individual" is sufficient if the individual initiates it)
- An expiration date or event
- The individual's signature and date
In addition, the authorization must include three required statements: the individual's right to revoke, the ability or inability to condition treatment or payment on the authorization, and the potential for re-disclosure by the recipient. These aren't optional footnotes — they are regulatory requirements.
PHI Authorization vs. Consent: A Distinction That Trips Up Organizations
Healthcare organizations consistently confuse consent for treatment, payment, and healthcare operations (TPO) with a PHI authorization. These are not the same thing. Consent for TPO is covered under 45 CFR § 164.506 and is optional under federal HIPAA rules (though some states require it). An authorization under § 164.508 is required for uses and disclosures that fall outside of TPO, such as marketing, sale of PHI, and most research purposes.
If your front-desk staff hands a patient a general consent form and believes it covers a disclosure to a life insurance company, your organization has a compliance gap. That disclosure requires a standalone, valid PHI authorization with all core elements and required statements.
When Your Covered Entity Must Obtain a PHI Authorization
Not every disclosure of protected health information requires an authorization. The Privacy Rule permits disclosures without authorization for treatment, payment, healthcare operations, public health activities, law enforcement under specific conditions, and several other categories outlined in § 164.512.
But the following situations always require a valid authorization:
- Marketing communications — unless they fall under narrow exceptions for face-to-face communications or promotional gifts of nominal value
- Sale of PHI — any disclosure where the covered entity receives direct or indirect remuneration
- Psychotherapy notes — a separate authorization is required in most cases, even for TPO
- Research — unless an Institutional Review Board or Privacy Board has granted a waiver
In my work with covered entities, the most common error I see is assuming that a business associate agreement alone authorizes a disclosure. It doesn't. A BAA governs how your business associate handles PHI on your behalf — it does not substitute for patient authorization when one is required.
The Minimum Necessary Standard and Authorization Forms
Here's a nuance that many compliance officers overlook: the minimum necessary standard under 45 CFR § 164.502(b) does not apply to disclosures made pursuant to a valid authorization. The rationale is that the individual has already specified the scope of the disclosure. However, this makes it even more critical that your PHI authorization form includes a specific and meaningful description of the information being disclosed — vague language like "all medical records" invites regulatory scrutiny.
OCR has made clear in guidance documents that the description of information must be specific enough for the covered entity to determine what PHI is being authorized for release. "Any and all records" without further context may render the authorization defective.
Common PHI Authorization Mistakes That Lead to OCR Enforcement
After reviewing hundreds of authorization forms across healthcare organizations, these are the errors I see most frequently:
- Compound authorizations — bundling an authorization for marketing with an authorization for treatment-related disclosures. Section 164.508(b)(3) specifically prohibits conditioning treatment on signing an authorization for marketing or sale of PHI.
- Missing revocation language — the form must clearly state how the individual can revoke and any limitations on revocation.
- No expiration date or event — "indefinite" or blank expiration fields make the authorization invalid.
- Failing to provide a copy — the individual is entitled to a copy of the signed authorization. This is a regulatory requirement, not a courtesy.
- Using outdated forms — forms that haven't been updated since the 2013 Omnibus Rule may be missing required elements.
The Workforce Training Requirement Most Organizations Underestimate
Your workforce — from front-desk staff to department managers — must understand when a PHI authorization is required and what makes one valid. A receptionist who accepts an incomplete authorization form and releases records based on it has just created an impermissible disclosure. A billing specialist who sends PHI to a third-party marketer without authorization has triggered a potential breach.
This isn't hypothetical. OCR investigations routinely trace violations back to workforce members who weren't trained on authorization requirements. Under 45 CFR § 164.530(b), every covered entity must train all workforce members on its privacy policies and procedures, including those governing authorizations.
If your organization hasn't refreshed its training program since the Omnibus Rule took effect, now is the time. Our HIPAA training and certification program covers PHI authorization requirements in detail, including how to identify defective forms and when disclosures require patient authorization versus other legal bases.
Audit Your Authorization Process Before OCR Does
Conduct an internal review of every PHI authorization form your organization currently uses. Check each form against the core elements and required statements in § 164.508. Verify that your Notice of Privacy Practices accurately describes when you will seek authorization and how patients can revoke one.
Then go further: review your risk analysis to determine whether authorization-related workflows — intake, records release, research coordination, marketing — have been assessed for vulnerabilities. A valid form means nothing if your process for tracking, storing, and honoring revocations is broken.
Building a culture of compliance starts with giving your workforce the tools to get PHI authorization right every time. HIPAA Certify's workforce compliance platform helps covered entities and business associates operationalize these requirements — so your authorization process holds up under OCR scrutiny, not just on paper.