HIPAA authorization

HIPAA Authorization Required

We’ve written about authorizations before – the difference between a HIPAA authorization and the HIPAA right of access; talking with family and friends; and the personal representative vs the authorized person. Today we’re going back to the beginning to review some fundamentals about the HIPAA Privacy Rule. What is an authorization and why is it needed?

The fundamental rule is that protected health information (PHI) may not be used or disclosed to anyone except the person to whom it belongs. The main exceptions are use or disclosure for purposes of treatment, payment or health care operations. The Privacy Rule also permits a limited set of other disclosures without authorization (for example, disclosures required by law, or reports of abuse to an authorized agency), and several of those come up in the scenarios below.

HIPAA Authorization Defined

A HIPAA authorization is consent obtained from an individual that permits a covered entity or business associate to use or disclose that individual’s protected health information to someone else for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule. An authorization must be in writing, written in plain language, and must contain specific elements and statements to be valid.

A valid authorization must contain six core elements:


  1. A description of the PHI to be used or disclosed
  2. The name of the person making the authorization, and the name or other specific identification of the covered entity (or person) authorized to make the disclosure
  3. The name of the person or organization who is authorized to receive the PHI
  4. A description of each purpose for the use or disclosure
  5. An expiration date, or an expiration event that relates to the individual or to the purpose (for example, the end of a research study)
  6. The signature of the person making the authorization, and the date signed


and three required statements:

  1. That the person has the right to revoke the authorization in writing at any time, with a description of how to do so and of any exceptions to that right.
  2. That the person’s treatment, payment, enrollment or eligibility for benefits is not conditioned on whether they sign the authorization.
  3. That information disclosed under the authorization may be re-disclosed by the recipient and may no longer be protected by the HIPAA Privacy Rule.

If any one of the elements or statements is missing, the authorization is NOT valid and should be returned to the person who provided it for correction. An authorization is also defective if its expiration date has passed (or the expiration event has occurred), if you know it has been revoked, or if you know that material information on it is false. Check for these before acting on it.

Review Right of Access vs Authorization

You can read more about this topic here, but the biggest difference is that, for the most part, “right of access” refers to a patient’s right to see or obtain their own medical records, whereas “authorization” refers to a patient’s consent that their information be disclosed to a third party. Note however, a person might use their right of access to request that their records be sent to a third party, e.g., a healthcare records app to organize and manage their health information.

Testimonials and the HIPAA Authorization

If patients provide testimonials or reviews on their healthcare provider’s website or Facebook page, this is not an automatic HIPAA authorization for their name or any other information to be used. As the owner of that site, the healthcare provider is responsible for what appears there. A patient’s name alone, once it is connected to the healthcare provider (that is, the fact that the person is a patient), is PHI under HIPAA, and should not be disclosed on the website or Facebook page without a valid HIPAA authorization.

The solution is to obtain an authorization for testimonials, use of photos or social media, in advance. More on social media and HIPAA here.

Independent review sites, like Yelp, work differently. Since the healthcare provider does not own the site, you are not responsible for what a patient posts there, and as long as you do NOT respond you have disclosed nothing. The risk is in the reply: even confirming that the reviewer is a patient, or mentioning any detail of their visit, is a disclosure of PHI. If you reply at all, keep it generic and do not acknowledge a patient relationship.

Real Life Scenarios and the HIPAA Authorization

Question: Is there any information we can release to a person who is calling on behalf of a patient who is not authorized in a release form?

Answer: Be careful not to assume, even if it’s a family member, that the patient authorizes this. Under the Privacy Rule the patient must be given an “opportunity to agree or object” to the disclosure of PHI to someone else, even family members, but this does NOT have to be in writing. You may obtain your patient’s agreement verbally over the phone, but best practice, for your own protection, is to make a note in the patient’s file documenting who agreed, when, and what was disclosed. And you should disclose only the minimum necessary for that person’s involvement in the patient’s care or payment.

Disclosure to another Covered Entity related to that patient’s care or payment for care (the health care provider, or an insurance company for that patient) is permitted without authorization – these are among the original exceptions.

Question: We use examples from our internal patient care histories to teach our staff best practices. Does using a real life example violate HIPAA if we are using it to improve patient care?

Answer: Internal discussions about patient cases do not require a patient authorization because this is an exception – a use or disclosure for health care operations. Follow the minimum necessary rule, and do not disclose any information not necessary for the teaching. This exception does not extend to social conversation or gossip, which is not considered “for healthcare operations”, and is never permitted.

Question: When my patients are being treated for car accident injuries, we often receive requests for PHI from lawyers. I am not sure if we should provide the information and don’t know how to decide whether the request is legitimate.

Answer: You may disclose the PHI as long as the request is a valid authorization. The HIPAA Privacy Rule sets forth six specific elements (including the patient’s signature) and three required statements that must be included. If any one of the elements or statements is missing, the authorization is NOT valid.

Question: One of my long term (dental) patients was recently diagnosed with cancer. His new oncologist’s assistant called to request his PHI from our files. I don’t know if the patient knows or has authorized this.

Answer: A patient authorization is not required for disclosure of PHI between Covered Entities when the disclosure is for purposes of treatment, payment or health care operations, and a request from a treating oncologist is a treatment disclosure. The Privacy Rule does not require that such a request be in writing, but it does require you to verify the identity and authority of the requester before disclosing, and a written request documents both. As a best practice, ask for a written request that contains: the covered entity’s name, the patient’s name, the date of the event/time of treatment, and the reason for the request. Then disclose only what is needed for the stated purpose.

Question: I strongly suspect that a patient is a victim of domestic violence, although the patient has not confided in me. The abuse seems to be escalating, judging by the injuries I’ve seen. May I do anything?

Answer: Concern for safety triggers an exception to the HIPAA Privacy Rule. You may disclose the PHI to a government agency authorized by law to receive such a report if you reasonably believe the patient to be a victim of adult abuse, neglect or violence. You may obtain the patient’s agreement but are not required to in certain circumstances. You must inform the patient of the disclosure unless you believe that informing the patient would increase the risk of further abuse or violence.

Question: My patient is recently deceased, and her daughter called and asked for her medical records. Should I give them to her?

Answer: The protections of the Privacy Rule extend past death, for 50 years. The decedent’s Personal Representative (for example, the executor or administrator of the estate) has the same right of access the patient had, and a person the decedent authorized in writing before death may receive what that authorization covers. The Privacy Rule also permits disclosure to a family member or other person who was involved in the decedent’s care or payment for care before death, limited to PHI relevant to that involvement, unless doing so is inconsistent with a preference the decedent expressed. Otherwise, ask for documentation of the authorization or of personal representative status before releasing the records.

The HIPAA E-Tool® Explains All the Rules

Every policy, every form and current HIPAA guidance is included in The HIPAA E-Tool®.

A template for a valid HIPAA authorization is included, along with a “HIPAA Authorization Checklist” to help evaluate what you receive from third parties.

HIPAA compliance is manageable and affordable with clarity around the Privacy Rule, the Security Rule, the Breach Notification Rule, and Risk Analysis-Risk Management, with step by step guidance all the way through.




Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC


Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124