What is HIPAA Authorization?

A HIPAA authorization is permission given by a patient or plan member that allows a covered entity or business associate to disclose or make use of PHI for a purpose that the HIPAA Privacy Rule would otherwise not permit.

The HIPAA Privacy Rule introduced standards on the permitted uses and disclosures of patient data, including with whom data may be shared and under what circumstances Protected Health Information (PHI) may be disclosed. Generally, permitted uses and disclosures of PHI are restricted to treatment, payment, and healthcare operations.

The Rule restricts uses and disclosures of PHI for other purposes without prior authorization from patients, termed a HIPAA authorization. Without a HIPAA authorization, using or sharing PHI violates HIPAA Rules and could result in a financial penalty or, in certain cases, criminal charges.

When Should a HIPAA Authorization Be Obtained?

45 CFR §164.508 states the uses and disclosures of PHI where patient or plan member authorization is necessary before data may be shared or used. HIPAA authorization must be secured for:

  • Any use or disclosure of PHI that is not allowed by the HIPAA Privacy Rule
  • Using or sharing PHI for marketing reasons, unless the communication takes place one on one between the covered entity and the person, or the communication entails a promotional gift of minimal value
  • Use or disclosure of psychotherapy notes other than for particular treatment, payment, or health care operations (45 CFR §164.508(a)(2)(i) and (a)(2)(ii))
  • Use or disclosure of information pertaining to substance abuse and treatment
  • Use or disclosure of PHI in association with research
  • Before PHI can be sold

What Must a HIPAA Authorization Form Include?

A HIPAA authorization is a document detailing, in full, the precise uses and disclosures of PHI.

When a person signs an authorization, he/she is agreeing to have his/her medical data used or disclosed in ways stated on the authorization. The covered entity or business associate can only use or disclose PHI for purposes detailed on the authorization.


The authorization form should be written in simple language to make sure it can be easily understood. The following elements must also be included:

  • Specific and meaningful details, such as a description of the data to be used or disclosed
  • The name of the individual or class of persons permitted to make the requested use or disclosure
  • The name(s) of the individual(s) or group of persons to whom the data is going to be disclosed
  • A brief description of the reason for the requested use or disclosure. In instances where there is no stated purpose, the phrase “at the request of the individual” is enough
  • A particular period of time for the authorization. An expiration date must be included. Regarding uses and disclosures associated with research, the phrase “at the end of the study” may be utilized or “none” for research that entails the creation of a research database or repository
  • The authorizing individual’s signature and date of signing. If an individual’s authorized representative provided the authorization, there must be a description of the individual’s authority to act on behalf of the person.

The following statements should also appear in writing on the HIPAA authorization to inform the person of:

    • The right to revoke the HIPAA authorization
    • Exclusions to the right to revoke and a brief description of how that right can be exercised
    • The extent to which the data is incorporated in the notice of privacy practices of the organization
    • The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits by saying:
      • That the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization; or
      • The effects of not signing the authorization when the covered entity is allowed to condition treatment, registration in the health plan, or eligibility for benefits on the inability to get authorization.

The person giving the consent should be provided with a copy of the authorization form for his/her personal records.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/