A surgeon's office in Texas faxed a patient's entire psychiatric history to a life insurance company. The patient hadn't signed anything. No authorization form. No verbal consent. Just a well-meaning office manager who thought the insurance company's letterhead was enough to release the records. That one fax triggered an OCR investigation, a corrective action plan, and a very uncomfortable conversation with legal counsel.
If you work at a covered entity or business associate, understanding what a HIPAA authorization is isn't optional. It's the difference between a routine disclosure and a reportable breach. This guide breaks down the authorization requirement in plain English, covers the six core elements and three statements every valid form needs, and walks through the mistakes I see organizations make over and over again.
What Is a HIPAA Authorization, Exactly?
A HIPAA authorization is a written document that gives a covered entity permission to use or disclose a specific individual's protected health information (PHI) for a purpose that isn't already permitted under the HIPAA Privacy Rule. It must be signed by the patient — or their personal representative — before the PHI leaves your hands.
Think of it this way: HIPAA already allows certain uses and disclosures without patient permission. Treatment, payment, and healthcare operations are the big three. Public health reporting, law enforcement requests with valid process, and a handful of other exceptions also don't require authorization.
But anything outside those carved-out categories? You need a signed, valid authorization. Marketing communications. Sale of PHI. Sharing psychotherapy notes. Disclosures to an employer for employment decisions. These all require the patient's explicit, written say-so.
Authorization vs. Consent: The Distinction That Trips Up Everyone
I've seen compliance officers use "consent" and "authorization" interchangeably in training materials. That's a problem. Under HIPAA, these are two different things.
Consent is an optional, general document a provider may ask a patient to sign acknowledging that PHI will be used for treatment, payment, and healthcare operations. The Privacy Rule (45 CFR § 164.506(b)) permits but does not require this consent.
Authorization is a mandatory, specific document required before a covered entity can use or disclose PHI for purposes that fall outside the standard permitted uses. It has strict content requirements. It gives the patient a right to revoke. It's a different animal entirely.
Mixing them up doesn't just create confusion — it creates liability. If your staff thinks a general intake consent form covers a marketing email campaign, you've got a breach on your hands.
The Six Required Elements Every Authorization Must Contain
HHS doesn't leave this to guesswork. Under 45 CFR § 164.508(c)(1), a valid HIPAA authorization must include these six core elements:
- A specific description of the PHI to be used or disclosed. "All medical records" is too vague. Name the record types, dates, or conditions.
- The name or specific identification of the person(s) authorized to make the disclosure. Usually your organization.
- The name or specific identification of the person(s) to whom the disclosure will be made. The recipient — an insurer, attorney, family member, researcher.
- A description of each purpose of the requested use or disclosure. "At the request of the individual" is acceptable when the patient initiates it.
- An expiration date or expiration event. A specific calendar date or "end of the research study" both work. Outside research, an open-ended authorization is not valid; for research uses (including building a research database or repository) the Rule accepts "end of the research study," "none," or similar language.
- The individual's signature and date. Or the signature of their authorized personal representative, with a description of that representative's authority.
Miss any one of these, and the authorization is defective. A defective authorization means the disclosure was unauthorized. An unauthorized disclosure is a potential breach.
Three Required Statements You Can't Skip
Beyond the six elements, every authorization also needs three specific statements (45 CFR § 164.508(c)(2)):
- The individual's right to revoke the authorization in writing, and the exceptions or process for doing so.
- The ability or inability to condition treatment, payment, enrollment, or eligibility on the authorization.
- The potential for re-disclosure by the recipient, which could mean the information is no longer protected by HIPAA.
I review authorization forms for healthcare organizations regularly. At least a third of the forms I see are missing the re-disclosure warning. That alone can invalidate the document.
When You Don't Need an Authorization
Knowing when authorization isn't required is just as important as knowing when it is. The Privacy Rule permits use and disclosure of PHI without authorization for:
- Treatment, payment, and healthcare operations (the TPO triad)
- Public health activities — reporting communicable diseases, FDA adverse events
- Victims of abuse, neglect, or domestic violence
- Health oversight activities like audits and investigations
- Judicial and administrative proceedings with appropriate process
- Certain law enforcement purposes
- Decedent information to coroners, medical examiners, funeral directors
- Organ and tissue donation
- Workers' compensation as authorized by state law
The full list of these exceptions lives in 45 CFR § 164.512; treatment, payment, and healthcare operations are covered separately at § 164.506. If you're ever unsure, check the regulation before you release anything. When in doubt, get the authorization signed.
The $5.5 Million Mistake: What OCR Enforcement Tells Us
In 2017, Memorial Healthcare System paid $5.5 million to settle with OCR after employees accessed PHI of 115,143 individuals without authorization. The employees used login credentials belonging to a former employee of an affiliated physician practice. The PHI was accessed without any treatment purpose — and certainly without patient authorization.
That case wasn't about missing paperwork. It was about an organization that failed to implement access controls and allowed unauthorized access to ePHI at scale. But the root issue was the same one I see in smaller practices every week: nobody stopped to ask, "Do we actually have permission to access this?"
Authorization isn't just a form. It's a mindset. Your workforce needs to internalize the question before they touch a record, forward a fax, or respond to a phone call from someone claiming to be a patient's spouse.
Where Authorization Forms Go Wrong in Practice
Blanket Authorizations
An authorization that says "I authorize release of all my records to anyone for any purpose" is not valid. It fails the specificity requirements for recipient, purpose, and PHI description. I've seen medical practices use these for years without anyone raising a flag — until an audit happens.
Missing Expiration Dates
No end date or event, no valid authorization. Yet I regularly find forms in active use that have no expiration date or event. Outside research, "until revoked" is not an acceptable substitute; the authorization must name a definite date or a definite event. The one carve-out is research, where the Rule allows "end of the research study," "none," or similar language.
Pre-Signed Stacks
Some offices have patients sign authorization forms at intake, with blank fields to be filled in later. That practice is indefensible. The patient must know what they're authorizing at the time they sign. A blank form signed in advance is not informed authorization.
Verbal "Authorizations"
HIPAA requires an authorization to be in writing. A phone call from a patient saying "go ahead and send my records" is not an authorization under the Privacy Rule. A patient's request for access to their own records is a different right (and a covered entity may require even that request in writing), but an authorization for a disclosure outside TPO and the § 164.512 exceptions must be a signed, written document.
Training Your Workforce to Handle Authorizations Correctly
Forms are only as good as the people using them. If your front desk staff, medical records department, and clinical team don't understand what a HIPAA authorization is and when one is required, your forms are just decoration.
Every member of your workforce — not just privacy officers — needs to understand the basics: when authorization is required, what makes a form valid, and what to do when someone requests PHI without one. Our HIPAA Introduction Training 2026 covers authorization requirements as part of a comprehensive Privacy Rule module that your entire staff can complete.
For teams that handle sensitive disclosures, such as behavioral health records, substance use treatment information, and HIV status, the stakes are even higher. State laws often layer additional authorization requirements on top of HIPAA, and federal law does too: 42 CFR Part 2 imposes its own consent rules for substance use disorder treatment records. If your authorization form satisfies HIPAA but violates state law or Part 2, you're still exposed.
What to Do When a Breach Involves Unauthorized Disclosure
If PHI leaves your organization without a valid authorization and no Privacy Rule exception applies, you likely have a breach. The clock starts immediately. You need to conduct a risk assessment, determine whether breach notification is required, and document everything.
Your incident response plan should already address this scenario. If it doesn't, our First 60 Minutes: Incident Response training walks your team through exactly what to do in the critical first hour after discovering an unauthorized disclosure.
Under the Breach Notification Rule, you must notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery. If 500 or more individuals are affected, you also notify HHS at the same time; if more than 500 residents of a single state or jurisdiction are affected, you notify prominent media outlets serving that area as well. Breaches affecting fewer than 500 people still have to be logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered. The OCR Breach Portal, sometimes called the "Wall of Shame," makes the 500-plus breaches public.
Social Media: The Authorization Blind Spot
Here's one that catches organizations off guard. Your marketing team wants to post a patient testimonial on Instagram. The patient verbally agrees. Someone takes a photo and posts it with the patient's name and a reference to their treatment.
That's an unauthorized disclosure of PHI for marketing purposes. HIPAA requires a signed authorization for any use or disclosure of PHI for marketing (the narrow exceptions, such as face-to-face communications with the patient or promotional gifts of nominal value, don't cover a social media post), and using a patient's image alongside health information qualifies. It doesn't matter that the patient said "sure, go ahead." Verbal isn't written, and marketing requires authorization.
This scenario is more common than you'd think, especially in dental practices, med spas, and physical therapy clinics that rely on social proof. If your marketing team operates on social media, they need specific training on PHI boundaries. Our Social Media & PHI course addresses exactly these situations.
Your Authorization Checklist for 2026
Before your next disclosure that falls outside treatment, payment, or operations, run through this list:
- Is there a signed, written authorization on file?
- Does it contain all six required elements and three required statements?
- Is the authorization still within its expiration date or event?
- Has the patient revoked the authorization? Check your records.
- Does the disclosure match the specific PHI, recipient, and purpose listed on the form?
- Does state law impose additional requirements beyond HIPAA?
If any answer is "no" or "I'm not sure," stop. Don't release the records. Get it right first.
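If your release-of-information workflow is software rather than a paper checklist, the same questions can be encoded as a policy check that runs before any record leaves the system. The following is an added example written for this article, not code from the article or from any product it mentions. The field names, the generic-word heuristic for non-specific recipients and purposes, and the plain-text matching of PHI description, recipient, and purpose are all assumptions; a real system would map those to structured identifiers. The sample forms at the bottom are constructed and refer to no real patient or organization.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Assumed heuristic (not language from the Rule): words that make a recipient or purpose non-specific.
_GENERIC = {"anyone", "any", "any purpose", "all purposes", "whoever requests it"}


@dataclass(frozen=True)
class Authorization:
    phi_description: str                    # core element 1: specific PHI covered
    discloser: str                          # core element 2: who may disclose
    recipient: str                          # core element 3: who may receive
    purpose: str                            # core element 4 ("at the request of the individual" is fine)
    signed_on: Optional[date]               # core element 6: signature date (None = unsigned)
    signer_is_patient: bool = True          # False when a personal representative signed
    representative_authority: str = ""      # description of the representative's authority, if one signed
    expiration_date: Optional[date] = None  # core element 5, calendar-date form
    expiration_event: str = ""              # core element 5, event form ("end of the research study")
    for_research: bool = False              # research authorizations may state "none" as the expiration
    states_right_to_revoke: bool = False    # required statement 1
    states_conditioning: bool = False       # required statement 2
    states_redisclosure_risk: bool = False  # required statement 3
    revoked_on: Optional[date] = None       # date a written revocation was received, if any


@dataclass(frozen=True)
class DisclosureRequest:
    phi_description: str
    recipient: str
    purpose: str
    on: date                                # date the disclosure would be made


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def defects(auth: Authorization) -> list[str]:
    """Reasons the form itself is defective; an empty list means it is facially valid."""
    problems: list[str] = []
    for label, value in (("PHI description", auth.phi_description), ("discloser", auth.discloser),
                         ("recipient", auth.recipient), ("purpose", auth.purpose)):
        if not value.strip():
            problems.append(f"missing {label}")
        elif _norm(value) in _GENERIC:
            problems.append(f"{label} is not specific: {value!r}")
    if auth.signed_on is None:
        problems.append("missing signature and date")
    if not auth.signer_is_patient and not auth.representative_authority.strip():
        problems.append("representative signed without a description of their authority")
    event = _norm(auth.expiration_event)
    if auth.expiration_date is None and not event:
        problems.append("missing expiration date or event")
    elif auth.expiration_date is None and event in {"none", "until revoked"} and not auth.for_research:
        problems.append("open-ended expiration is only acceptable for research authorizations")
    if not auth.states_right_to_revoke:
        problems.append("missing right-to-revoke statement")
    if not auth.states_conditioning:
        problems.append("missing conditioning statement")
    if not auth.states_redisclosure_risk:
        problems.append("missing re-disclosure warning")
    return problems


def authorization_covers(auth: Authorization, req: DisclosureRequest,
                         events_occurred: frozenset[str] = frozenset()) -> tuple[bool, list[str]]:
    """Decide whether this specific disclosure may proceed; returns (ok, reasons it may not)."""
    reasons = defects(auth)
    if auth.revoked_on is not None and auth.revoked_on <= req.on:
        reasons.append(f"revoked in writing on {auth.revoked_on.isoformat()}")
    if auth.expiration_date is not None and req.on > auth.expiration_date:
        reasons.append(f"expired on {auth.expiration_date.isoformat()}")
    if auth.expiration_date is None and _norm(auth.expiration_event) in {_norm(e) for e in events_occurred}:
        reasons.append(f"expiration event has occurred: {auth.expiration_event!r}")
    if auth.signed_on is not None and req.on < auth.signed_on:
        reasons.append("disclosure dated before the authorization was signed")
    for label, allowed, asked in (("PHI", auth.phi_description, req.phi_description),
                                  ("recipient", auth.recipient, req.recipient),
                                  ("purpose", auth.purpose, req.purpose)):
        if _norm(allowed) != _norm(asked):
            reasons.append(f"{label} mismatch: form says {allowed!r}, request is {asked!r}")
    return (not reasons, reasons)


# Constructed sample forms and request (fictional; no real patient or organization).
VALID_FORM = Authorization(
    phi_description="Operative report and discharge summary, 2025-03-01 to 2025-03-15",
    discloser="Example Surgical Associates", recipient="Example Life Insurance Co.",
    purpose="At the request of the individual", signed_on=date(2025, 4, 1),
    expiration_date=date(2025, 10, 1), states_right_to_revoke=True,
    states_conditioning=True, states_redisclosure_risk=True)
BLANKET_FORM = replace(VALID_FORM, phi_description="All my records", recipient="anyone",
                       purpose="any purpose", expiration_date=None, expiration_event="until revoked")
RESEARCH_FORM = replace(VALID_FORM, purpose="Enrollment in a cardiology outcomes registry",
                        expiration_date=None, expiration_event="End of the research study",
                        for_research=True)
MATCHING_REQUEST = DisclosureRequest(phi_description=VALID_FORM.phi_description,
                                     recipient=VALID_FORM.recipient,
                                     purpose=VALID_FORM.purpose, on=date(2025, 5, 1))

if __name__ == "__main__":
    for name, form in (("valid", VALID_FORM), ("blanket", BLANKET_FORM), ("research", RESEARCH_FORM)):
        print(name, authorization_covers(form, replace(MATCHING_REQUEST, purpose=form.purpose)))
```

The check is deliberately fail-closed: any defect in the form, an expiration or revocation on or before the disclosure date, or a mismatch between what the form permits and what is being sent all block the release, and the caller gets the list of reasons to put in the record. Note the research carve-out is the only path that accepts an open-ended expiration.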
Authorization isn't complicated. But it demands precision, training, and a culture where every member of your workforce pauses before they disclose. The organizations that get this right aren't the ones with the fanciest forms — they're the ones whose people actually understand what those forms mean.