HIPAA patient authorization is a written permission signed by an individual or the individual’s personal representative that allows a HIPAA Covered Entity or Business Associate to use or disclose the individual’s protected health information for a purpose not otherwise permitted by the HIPAA Privacy Rule, subject to required content elements, signature requirements, and the individual’s right to revoke the authorization in writing.
The HIPAA Privacy Rule permits many routine uses and disclosures of protected health information without authorization for treatment, payment, and health care operations and for certain public interest and benefit activities. Authorization is required when the intended use or disclosure does not fit a permitted category, including many disclosures to third parties for non-treatment purposes and certain communications that meet the definition of marketing. Separate authorization requirements also apply to disclosures of psychotherapy notes, except in limited circumstances, and to uses or disclosures involving the sale of protected health information.
A valid authorization must describe the information to be used or disclosed, identify who may use or disclose the information, identify who may receive the information, state the purpose of the disclosure, and include an expiration date or expiration event. The authorization must include statements that the individual may revoke the authorization in writing, that information disclosed under the authorization may be subject to redisclosure by the recipient, and that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on the authorization except in limited situations permitted by the HIPAA Privacy Rule. The authorization must be signed and dated by the individual or personal representative, and when a personal representative signs, the documentation of authority should be addressed through organizational procedures.
Organizations should maintain authorization records as part of required HIPAA documentation and ensure workforce members apply authorization scope limits when releasing information. Revocation applies to future uses and disclosures and does not require retrieval of information already disclosed in reliance on a valid authorization. When vendors handle protected health information as part of an authorized disclosure workflow, Business Associate Agreements and HIPAA Security Rule safeguards apply when the vendor creates, receives, maintains, or transmits electronic protected health information on behalf of the covered entity.