HIPAA: Disclosure Authorization Language

Obtaining Patient Authorization

Section 1. Disclosure Authorization Language

There are many situations in which an authorization is required by law. A signed patient authorization must be obtained before PHI is used or disclosed for any purpose other than treatment, payment, and health care operations (TPO) and the other exemptions covered in the last lesson.

The authorization form must use specific and clear language so that the patient fully understands what they are agreeing to. It is permissible to combine the authorization with an existing informed consent document, provided the sections that satisfy the privacy rule are clearly distinguished and contain every component required by law.

Authorization forms under the HIPAA privacy rule should meet the following requirements:

  • The covered entity is responsible for providing the authorization form and obtaining the patient's signature.
  • The language used in the form should be easily understood; ideally it is written at an eighth-grade reading level.
  • The authorization must clearly describe the information to be disclosed, state who the disclosure will be made to, and state for what purposes.
  • The authorization must include an expiration date or an expiration event.
  • In the case of research, the authorization must state how the patient's health information will be used in the study and what parties it will be shared with.
  • The form must notify the patient that they may revoke the authorization at any time by submitting a written request, and it must give clear instructions for doing so, including the facility address and the name of the individual to whom the revocation request should be submitted.
  • The form must provide a signature block where the patient signs and dates their approval.

Along with presenting the form to the patient with the other intake paperwork, it is recommended to explain a bit about the privacy rule to ensure comprehension. The patient should clearly understand that the information collected will be used by the covered entity and possibly by its business associates.

Section 2. Special Cases - Psychotherapy Notes

Psychotherapy is a very sensitive medical specialty, so particular attention must be given to disclosing these patients' protected health information. HIPAA addresses this scenario separately to highlight its importance.

According to the privacy rule, covered entities must obtain a patient authorization before using or disclosing psychotherapy notes. The patient must be fully aware of the way in which their health information will be used, and either they or their legal representative must sign the authorization form.

There are, however, some instances in which psychotherapy notes can legally be used or disclosed to a third party without notifying the patient or obtaining an authorization form. These scenarios are as follows:

  • The notes may be used within the practice for the assessment, diagnosis, and treatment of the patient.
  • The notes may be used by the covered entity to train its staff.
  • The notes may be used by the covered entity to defend itself against legal action brought by the patient.
  • The notes may be released to the U.S. Department of Health and Human Services in connection with a HIPAA audit or investigation.
  • The notes may be released in the event of a serious threat to public health or safety.
  • The notes may be released to agencies that provide health oversight of the therapist who wrote them.
  • The notes may be released in the event of the patient's death to a coroner or medical examiner.

Section 3. Special Cases - Marketing

Marketing is another area where special caution is warranted. Consumers are bombarded with advertising, and they are especially averse to advertisers obtaining their personal information and using it to tailor offers that appeal to them directly.
For this reason, a patient authorization is required before a covered entity may send marketing communications to the patient, and also before it discloses the patient's PHI to a third party that intends to use it for marketing purposes.

Defining Marketing

The privacy rule defines marketing as:

"Any communication about a product or service that encourages recipients to purchase or use the product or service."

However, as with most categories outlined in the privacy rule, there are exceptions: scenarios in which an authorization is not necessary.

These communications are excepted because they are deemed "health related." They include:
  • Communications from a health plan to its own enrollees that describe the health-related products or services (or payment for them) available to members under the plan of benefits.
  • Health plan updates and enhancements, listings of new participating providers, and additional special member benefits.
  • Communications about products and services specific to the treatment of the patient.
  • Communications regarding coordination of care and case management, including specialist referrals, alternative treatment options, and additional medical facilities that may benefit the patient based on their diagnosis and treatment plan.

It is common practice for companies to solicit information about patients or consumers from one another in an effort to market their products and services to a new population. Under the privacy rule, a covered entity must obtain patient authorization before releasing PHI to a third party for the third party's marketing purposes.

In addition, if a covered entity sends a marketing communication for which it has received payment from a sponsor, the authorization must state that such payment is involved, since the communication may be seen as an endorsement and it should be clear that money has changed hands. The one exception is a promotional gift of nominal value provided by the covered entity to the patient; this does not require an authorization.

The above restrictions on marketing safeguard the patient's protected health information and also protect the patient from a bombardment of unsolicited advertising. Under the privacy rule, a covered entity may not sell patient data, mailing lists of patients' names and addresses, and the like without authorization. Again, any marketing disclosure not permitted by the privacy rule requires a signed authorization before it can be carried out by the covered entity or its business associates.

Section 4. Examples of Legitimate Disclosures

To solidify the principles governing when an authorization is required, review the examples below. They are realistic scenarios from various health-related facilities and provide practical insight into how patient authorizations apply.

Below are scenarios that do not require an authorization:

A physician notifies patients by mail of a new office location or an additional specialty offered. General practice administrative outreach is exempt from requiring an authorization.

A pharmacy sends refill reminders to patients, even if the reminders are paid for by the drug's manufacturer. The payment is irrelevant, because the reminder falls under treatment of an existing condition.

A hospital or clinic sends communications about health seminars that do not promote a specific product or service. General health information does not require an authorization.

A health plan mails its members a special discount opportunity to join a fitness club. This is allowed because it is a health-related service offered exclusively to plan members.

The following are scenarios that definitely require an authorization:

  • A hospital sells its list of mothers who gave birth at the hospital to photographic studios. This would require authorization from the mothers before the hospital could sell the list of patient names to the studio for the studio's own independent marketing uses.

  • A teleservices company is hired by a hospital to encourage former patients who previously donated blood to donate again. The hospital will need to obtain prior authorizations from the individuals because their names and related data are protected health information and the purpose for using the information, procurement of blood donations, does not constitute "treatment." The teleservices company will also need to enter into a business associate contract, because the hospital is disclosing to it the names of patients, which are protected health information.

  • A health plan sends its customers a newsletter that includes advertisements for a pharmaceutical company's blood pressure drug. This would require the health plan customers to give authorization, because it is a use of protected health information for a communication that encourages recipients to use a product.

Food for Thought

What are your opinions about the authorization process?
Do you think there are enough safeguards around the patient's information, or do covered entities enjoy too much latitude in using and transmitting PHI?

Authorization for disclosure is a critical component of the privacy rule and requires a great deal of attention when the document is drafted. A covered entity must ensure that its staff and business associates thoroughly understand which scenarios require a patient authorization and which do not.