Understanding HIPAA Authorizations: A Quick Guide

Published On: September 23, 2025
Categories: Authorization, HIPAA News, Privacy Rule

Update: October 1, 2025. Alert for healthcare providers who use patient testimonials or reviews in their marketing. OCR announced on September 30 that it settled a HIPAA investigation over Cadia Healthcare Facilities’ failure to obtain valid HIPAA authorizations from 150 patients who posted testimonials on Cadia’s website. OCR determined that Cadia impermissibly disclosed PHI, failed to have safeguards in place to protect the privacy of PHI, and failed to provide breach notification to the affected individuals. Cadia agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $182,000 to OCR.

The HIPAA Privacy Rule governs how a patient’s protected health information (PHI) may be used and disclosed. In most situations, patients are in control. A HIPAA-regulated entity may not use or disclose a patient’s PHI unless the patient agrees in advance by signing a valid HIPAA authorization.

Covered entities and business associates must understand the rules and exceptions regarding the use and disclosure of PHI to ensure compliance and avoid potential penalties.

Exceptions to the Need for a HIPAA Authorization

HIPAA permits the use or disclosure of PHI for treatment, payment, or healthcare operations (TPO), and in some limited circumstances, when required by law. Any other use or disclosure requires a valid HIPAA authorization.

The Elements of a Valid HIPAA Authorization

A HIPAA authorization is a formal, written document that permits a covered entity or business associate to use or disclose an individual’s PHI for purposes not otherwise permitted by the Privacy Rule. To be valid, this document must be written in plain language and contain specific elements and statements. A missing element or statement renders the entire authorization invalid.

Required Elements:

  • A clear and specific description of the PHI to be used or disclosed.
  • The name or a specific identification of the person or class of persons authorized to make the use or disclosure.
  • The name or a specific identification of the person or class of persons to whom the covered entity is authorized to make the disclosure.
  • A description of the purpose for the use or disclosure.
  • An expiration date or event for the authorization.
  • The signature of the individual and date.

Required Statements:

  • A statement that the individual has the right to revoke the authorization in writing at any time and a description of how they may revoke it.
  • A statement that the individual’s treatment, payment, enrollment, or eligibility for benefits is not conditioned on whether they sign the authorization (with limited exceptions).
  • A statement that any information disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and is no longer protected by federal privacy regulations.

Differentiating Authorization from the Right of Access

It is critical for staff to understand the distinction between a HIPAA authorization and a patient’s Right of Access. Patients have a right to obtain their own medical records, and the process should be prompt, easy, and at low or no cost.

  • A HIPAA Authorization is a consent mechanism for disclosing PHI to a third party for a specific purpose.
  • A patient’s Right of Access is a fundamental right to obtain a copy of their own PHI and to direct that a copy be sent to a third party of their choosing. When a patient exercises their Right of Access to have records sent to a third party, a separate authorization is not required, as this action is considered an extension of the patient’s own access.

Healthcare Marketing and Social Media Might Require a HIPAA Authorization

If you want to post patient testimonials, recommendations or reviews, be sure to obtain a valid HIPAA authorization in advance. A “model release” or a “photo consent” is not sufficient if it doesn’t contain the required elements and statements.

Common HIPAA Authorization Scenarios

Navigating HIPAA rules can be tricky. Here are answers to common compliance questions related to HIPAA authorizations.

Scenario 1: Disclosing PHI to a patient’s family member or friend. While a written authorization is ideal, the Privacy Rule allows for disclosures to family members, friends, or others involved in a patient’s care. Such disclosures are permitted if the patient is present and has the opportunity to agree or object, or if it can be inferred that the patient does not object. In emergency situations where the patient is not present or incapacitated, the disclosure can be made if, based on professional judgment, it is in the patient’s best interest. It is a best practice to verbally obtain the patient’s agreement and document it in the patient’s record.

Scenario 2: Responding to a subpoena or legal request for PHI. Requests for PHI from lawyers are common, but they require careful review. A covered entity may disclose PHI if the request is accompanied by a valid HIPAA authorization, a court order, a subpoena, or an administrative request that meets specific legal requirements. Without one of these, no PHI should be released. A valid authorization for a legal request must contain all the required elements and statements outlined by the Privacy Rule.

Scenario 3: A provider from another covered entity requests a patient’s records for treatment. HIPAA does not require an authorization for disclosures between covered entities for purposes of treatment, payment, or healthcare operations. For example, a dental office can disclose a patient’s PHI to an oncologist if the information is needed for the patient’s cancer treatment. To maintain a strong audit trail, it is best practice to receive these requests in writing, documenting the requesting provider’s name, the patient’s name, and the reason for the request.

Scenario 4: Using patient case histories for internal staff training. Internal discussions about patient cases for the purpose of staff training and improving patient care are considered healthcare operations and do not require patient authorization. However, organizations should adhere to the minimum necessary rule, only disclosing the information essential for the teaching purpose. This exception does not apply to social conversation or gossip, which is never permitted.

Scenario 5: Disclosing PHI of a deceased patient. HIPAA privacy rights extend for 50 years after a patient’s death. Only the deceased patient’s Personal Representative, or a person who was an authorized representative of the decedent prior to death, may access their PHI. Covered entities must verify documentation of this status before releasing any information.

HIPAA Authorizations Safeguard Patient Privacy

Effective HIPAA compliance relies on a robust understanding of privacy principles, especially when it comes to authorizations. By training staff on the proper procedures for verifying, obtaining, and responding to authorizations—and knowing when they are not required—covered entities and business associates can protect patient privacy while ensuring necessary information flows smoothly and compliantly.
