How to Obtain Patient Authorization Under HIPAA

How to Obtain Patient Authorization


In this article you will learn about the scenarios in which a patient authorization form is required under the privacy rule before a disclosure is made. Included are examples of disclosures from hospitals and insurance companies, as well as guidance for special circumstances, such as marketing and research.

Section 1. Disclosure Authorization Language

There are many more situations in which an authorization is required by law. A patient authorization form must be obtained from the patient before PHI is shared for any reason other than TPO (treatment, payment, and health care operations) and the other exemptions.

The authorization form must contain specific and clear language to ensure the patient is fully aware of what they are agreeing to. It is permissible to combine the patient authorization with existing informed consent documents, provided the sections regarding the privacy rule are clearly differentiated and contain all components required by law.

Authorization forms under the HIPAA privacy rule should include the following components:

  • The covered entity is responsible for providing the authorization form and obtaining the patient's signature.
  • The language used in the form should be easily understood, optimally written at an eighth-grade level.
  • The authorization must clearly state to whom the disclosure will be made, and for what purposes.
  • An expiration date for the authorization.
  • In the case of research, the authorization must state how the patient's health information will be used in the study, and with what parties it will be shared.
  • A notice must be included that allows the patient to revoke the authorization at any time by submitting a written request. There should be clear instructions for accomplishing this, including the facility address and the name of the individual to whom the revocation request should be submitted.
  • The form must provide a signature block for the patient to sign their approval.

Along with presenting the form to the patient with other intake paperwork, it is recommended to explain a bit about the privacy rule to ensure comprehension. The patient should clearly understand that the information collected will be used by the covered entity, and possibly its business associates.

Section 2. Special Cases - Psychotherapy Notes

Psychotherapy is a very sensitive medical specialty, so particular attention must be given to disclosing the private health information of its patients. HIPAA addresses this scenario separately to highlight its importance.

According to the privacy rule, covered entities must obtain a patient authorization before using or disclosing psychotherapy notes and patient observations. The patient must be fully aware of the ways in which their health information will be used, and either they or their legal representative must sign the authorization form.

There are, however, some instances in which patient health information can legally be used or disclosed to a third party without notice to the patient or an authorization form. These scenarios are as follows:

  • The notes may be used within the practice for the assessment, diagnosis, and treatment of the patient.
  • The notes may be used by the covered entity to train its staff.
  • The notes may be used by the covered entity to defend itself against legal action from the patient.
  • The notes may be released to the U.S. Department of Health and Human Services in compliance with a HIPAA audit or investigation.
  • The notes may be released in the event of a potential threat to the public.
  • The psychotherapy notes may be released to agencies that provide oversight of therapists, in order to gauge their effectiveness.
  • The information may also be released in the event of death to a coroner or medical examiner.

Section 3. Special Cases - Marketing

Marketing is another area where special caution is warranted. Consumers are bombarded with advertising, and they are especially averse to advertisers obtaining their personal information and using it to tailor offers that appeal to them directly.

For this reason, a patient authorization is required before a covered entity may send advertisements to the patient, and also before disclosing the patient's personal information to a third party who intends to use it for advertising purposes.

Defining Marketing

The privacy rule defines marketing as:

"Any communication about a product or service that encourages recipients to purchase or use the product or service."

However, as with most categories outlined in the privacy rule, there are exceptions and scenarios in which an authorization is not necessary.

These exceptions exist because the communications are deemed "health related." They include:

  • Patients may be enrolled in a benefit plan sponsored by the covered entity. In this case, any communications that describe products or services available to members are permissible. This includes communications advertising the products, as well as soliciting payment.
  • Health plan updates and enhancements, listings of new participating providers, and additional special member benefits are all approved communications under the privacy rule.
  • Communications that relay information about products and services specific to the treatment of the patient.
  • Communications regarding coordination of care and case management, including specialist referrals, alternative treatment options, and additional medical facilities that may benefit the patient based on their diagnosis and treatment plan.

It is common practice for companies to solicit information about patients or consumers from one another in an effort to market their products and services to a new population. Under the privacy rule, a covered entity must obtain patient authorization prior to releasing their information to a third party for marketing purposes.

In addition, if a covered entity sends advertisements for which they received payment from a sponsor, this must also be disclosed, as the advertisement may be seen as an endorsement and it should be clear that money has changed hands. The one exception is promotional gifts that are supplied to the covered entity, but are of little monetary value. These do not require disclosure.

The above restrictions on marketing safeguard the patient's private health information and also protect them from a bombardment of unsolicited advertising. Under the privacy rule it is illegal for a covered entity to sell patient data, mailing lists with patients' names and addresses, etc. Again, any marketing disclosures not covered under the privacy rule require a signed authorization before they can be carried out by the covered entity or its business associates.

Section 4. Examples of Legitimate Disclosures


To solidify the theories regarding when an authorization is required, review the examples below. They are realistic scenarios from various health-related facilities and provide practical insight into the application of patient authorizations.

Below are scenarios that do not require an authorization:

  • A physician notifying patients by mail of a new office location or an additional specialty offered. General practice administrative outreach is exempt from requiring an authorization.
  • A pharmacy sending a refill reminder notification to patients, even if it is paid for by the pharmaceutical company (the payment is irrelevant, as the reminder falls under patient treatment for an existing condition).
  • A hospital or clinic providing communications regarding health seminars that do not promote a specific product or service. General health information does not require an authorization.
  • A health plan sending its members by mail a special discount opportunity to join a fitness club. This is allowed because it is a health-related service exclusive to plan members.

The following are scenarios that definitely require an authorization:

  • A hospital sells its list of mothers who gave birth at the hospital to photographic studios. This would require authorization from the mothers before the hospital could sell its list of patient names to the photographic studio for the studio's own independent marketing uses.
  • A teleservices company is hired by a hospital to encourage former patients who previously donated blood to donate again. The hospital will need to obtain prior authorizations from the individuals because their names and related data are protected health information, and the purpose for using the information (procurement of blood donations) does not constitute "treatment." The teleservices company will also need to enter into a business associate contract, because the hospital is disclosing to it the names of patients, which is data that constitutes protected health information.
  • A health plan sends its customers a newsletter that includes ads for a pharmaceutical company's blood pressure drug. This would require the health plan customers to give authorization, because it constitutes use of protected health information for a communication that encourages recipients to use a product.

Food for Thought

What are your opinions about the authorization process?
Do you think there are enough safeguards around the patient's information, or do covered entities enjoy too much latitude in using and transmitting PHI?


The authorization of disclosure is a critical component of the privacy rule and requires a great amount of attention when drafting the document. A covered entity must ensure that its staff and business associates have a thorough understanding of what scenarios constitute a need for patient authorization, and which do not.

Understanding "Minimum Necessary"


In this article, we will examine the term "minimum necessary," as defined by HIPAA.

Also covered is the importance of creating standard processes for anticipated disclosures, as well as for the review of non-routine requests.

Section 1. Defining "Minimum Necessary"

Patient records contain a slew of information. Included may be data on the patient, their illness, family history, employer, spouse, children, past procedures, etc. When the patient is referred to another covered entity, it is usually not necessary that all of this information be disclosed, as some of it is not relevant to the referral.

This may also be the case for a primary doctor or facility. The intake forms may request information that is irrelevant to the reason for the patient's visit, or that is not necessary for the doctor to treat the patient, maintain health care operations, and bill for services.

This is where minimum necessary comes into play. According to the privacy rule:

"A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request."

To accomplish this, a covered entity needs to develop internal processes and policies around what its employees collect and disclose to ensure it meets the "minimum necessary" requirement. Best practices must also be developed to regulate the sharing of information with other parties to ensure that HIPAA guidelines are met.

As part of the minimum necessary guidelines, a covered entity must refrain from sending out a patient's entire medical record when responding to a disclosure request. The only exception is when the covered entity can justify that the patient's entire record was required to meet the purpose of the request, so that releasing it still adheres to the minimum necessary guidelines.

Before examining the practical application of minimum necessary guidelines, let's take a look at the exemptions. The following scenarios are not regulated by the minimum necessary provision of the privacy rule:

  • Disclosures to, or a request by, a health care provider for treatment
  • Disclosure to the individual who is the subject of the treatment or their authorized representative
  • Use or disclosure for which there is a valid patient authorization on file
  • Disclosure to the Department of Health and Human Services for the investigation of a complaint, compliance checks, or enforcement procedures
  • Any disclosures required by law
  • Any use or disclosure required for compliance with the HIPAA Transactions Rule, or other provisions in the Administrative Simplification Rules

Section 2. Developing Procedures for the Internal Use and Access to PHI

Prior to the implementation of HIPAA, there were no real restrictions regarding access to patient information within a practice or facility. Patient records may have been left unsecured, and often the duties of personnel overlapped, causing occasional direct access to PHI, even though it was not within the scope of their position.

Also, under the "minimum necessary" guidelines, even medical personnel who are authorized to view protected health information should only do so when absolutely required and only the information necessary for them to carry out their duties.

In order to accomplish this, HIPAA dictates that a covered entity must develop and implement procedures to identify each person's role and what information they require access to in order to fulfill their job duties.

The following should be a part of the process when developing minimum necessary procedures:

  • Identify each role or job classification in the facility, outlining the associated job duties.
  • Identify which roles require access to patient information and the frequency/amount of that access.
  • For roles that do not require access to protected health information, put restrictions in place to ensure that they cannot access the data. This may include computer password restrictions, moving their desk to an area away from patient records, etc.
  • For employees that require only occasional access to PHI, consider transitioning those minimal duties to a role that deals with PHI as a routine part of their job.

To illustrate minimum necessary in action, let's use the example of a clinical laboratory. Patients are sent in by their physicians to get their blood drawn and tested. They present the laboratory personnel with a requisition from the doctor that contains the following information:

  • Patient's name
  • Address
  • DOB
  • Social Security Number
  • Insurance ID number
  • Spouse's name, if covered under their plan
  • Test to be ordered
  • Diagnosis code indicating the reason for the test

All of this information is necessary for the laboratory to process the patient's specimen and bill their insurance plan, so it is allowable for it to be collected under the HIPAA privacy rule. However, not everyone in the laboratory requires access to ALL of the patient's personal health information. The breakdown of access based on job duties might look like this:

  • The front desk/intake staff: They are responsible for the intake process and ensuring that all paperwork is filled out correctly for identification and billing purposes. Under minimum necessary, they would have access to all of the information mentioned above, but should not have access to the patient's actual test results. The results can either be submitted directly to the doctor electronically, or given to the patient in a sealed envelope that has minimal information on the front for identification purposes (name, DOB, ordering physician, requisition number).
  • Phlebotomist: The individuals who draw the blood would likewise need access to the patient's demographic information, as well as procedure codes, etc. The phlebotomist usually verifies the patient information on the requisition a second time and uses the data to generate the identification labels that are wrapped around the vials of blood, so they require access to PHI to complete their job duties. However, they are not responsible for generating and reading the results of the tests, so they should NOT have access to the results system.
  • Couriers/logistics personnel: The laboratory drivers are responsible for driving a daily route on which they pick up specimens (with attached requisitions) from various medical facilities. As the driver has no responsibility for logging the patient information on arrival, testing the specimen, or reading the results, their access to PHI should be restricted. An easy way to do this is to place an adhesive seal on the specimen bags, sealing them once the nurse has placed the specimen inside (hiding the requisition from view). You would be able to tell if the seal was broken before the specimen reached the lab, which provides reasonable security against a PHI breach. If the specimen bags currently in use are clear plastic, switching to an opaque-colored bag would solve that problem.

In each of these cases, any changes made to comply with minimum necessary guidelines should be documented, and staff training provided to ensure that everyone is abreast of the changes. If required, technical changes should be implemented, such as changing access to restricted areas or changing computer system access so that employees only have the ability to enter screens that apply to their job, limiting unneeded exposure of PHI.
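As an added example that is not part of the original article, the Python sketch below shows how the laboratory role breakdown above could be enforced in software rather than only on paper: a role-to-field policy table, a view function that returns only the fields a role is permitted to see and logs what was withheld, an envelope-label helper limited to the identifiers the article allows on a sealed results envelope, and a review step for outbound disclosure requests that refuses to release an entire record without a documented justification. The role names, field names, sample record and audit-log format are assumptions made for this example; none of them come from the HIPAA rule text or from a real laboratory system.

```python
# Added example (not from the original article): field-level "minimum necessary"
# filtering for the clinical-laboratory roles the article describes. The role-to-field
# policy table, the sample record and the audit-log shape are constructed for
# illustration; they are not taken from the HIPAA rule text or any real system.

# Fields a lab requisition carries (as listed in the article), the identifiers the
# article allows on the outside of a sealed results envelope, and the result itself.
REQUISITION_FIELDS = frozenset({
    "name", "address", "dob", "ssn", "insurance_id", "spouse_name",
    "test_ordered", "diagnosis_code", "ordering_physician", "requisition_number",
})
ENVELOPE_FIELDS = frozenset({"name", "dob", "ordering_physician", "requisition_number"})
RESULT_FIELDS = frozenset({"test_result"})

# Constructed role policy. Intake staff and phlebotomists need the requisition data
# for identification, billing and labelling but must not see results; couriers move
# sealed bags and need nothing; the ordering physician receives results for treatment,
# which the article lists as exempt from the minimum-necessary provision.
ROLE_POLICY = {
    "intake": REQUISITION_FIELDS,
    "phlebotomist": REQUISITION_FIELDS,
    "courier": frozenset(),
    "ordering_physician": REQUISITION_FIELDS | RESULT_FIELDS,
}

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "address": "1 Sample St, Anytown",
    "dob": "1970-01-01",
    "ssn": "000-00-0000",
    "insurance_id": "INS-000000",
    "spouse_name": "Sam Example",
    "test_ordered": "CBC",
    "diagnosis_code": "D64.9",
    "ordering_physician": "Dr. Placeholder",
    "requisition_number": "REQ-0001",
    "test_result": "WBC 6.1 x10^9/L",
}


class AccessDenied(Exception):
    """Raised when a role or request falls outside the minimum-necessary policy."""


def minimum_necessary_view(record, role, audit_log):
    """Return only the fields `role` may see and append an audit entry.

    Unknown roles are denied outright rather than given a default view, so a new
    job classification must be added to ROLE_POLICY before it can see any PHI.
    """
    if role not in ROLE_POLICY:
        raise AccessDenied(f"no minimum-necessary policy defined for role {role!r}")
    allowed = ROLE_POLICY[role]
    view = {k: v for k, v in record.items() if k in allowed}
    audit_log.append({
        "role": role,
        "released": sorted(view),
        "withheld": sorted(set(record) - allowed),
    })
    return view


def envelope_label(record):
    """Fields permitted on the outside of a sealed results envelope."""
    return {k: record[k] for k in sorted(ENVELOPE_FIELDS) if k in record}


def review_disclosure_request(record, requested_fields, justification=""):
    """Apply the article's rule for outbound disclosures: never release the whole
    record unless the requester's need for all of it has been documented. Returns
    the requested fields that actually exist in the record."""
    requested = set(requested_fields) & set(record)
    if requested == set(record) and not justification.strip():
        raise AccessDenied("entire record requested without a documented justification")
    return {k: record[k] for k in sorted(requested)}


if __name__ == "__main__":
    log = []
    for role in ("intake", "phlebotomist", "courier", "ordering_physician"):
        view = minimum_necessary_view(SAMPLE_RECORD, role, log)
        print(f"{role:20s} sees {sorted(view)}")
    print("envelope label:", envelope_label(SAMPLE_RECORD))
    for entry in log:
        print(entry)
```

The audit entries record both what was released and what was withheld per role, which is the evidence an auditor asks for when checking that the documented role definitions match what the system actually enforces; denying unknown roles by default keeps a new job classification from quietly inheriting access before its duties have been reviewed.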

Section 3. Establishing Processes for the Review of Recurring and Non-Routine Disclosures

For a health care provider, disclosures are a necessary part of the normal course of business; however, they must be limited to other covered entities, business associates, and the circumstances that are clearly outlined in the privacy rule.

As part of developing HIPAA procedures, a covered entity must catalogue the types of disclosures that routinely occur. Once categorized, a standard process must be developed for each scenario that adheres to the privacy rule and enforces minimum necessary guidelines.

In addition, a policy must be drafted to address non-routine requests for disclosure. These are disclosure requests that occur so infrequently that they cannot be anticipated, and developing a process around every one-off situation is simply not feasible. Instead, the covered entity develops a general process for the review of all non-routine disclosures not covered in the examples laid out in the privacy rule. Each non-routine disclosure request is to be evaluated individually, and every effort made to ensure minimum necessary standards are met.

Section 4. Reasonable Reliance

When a covered entity receives a request for disclosure from another health care provider, the "reasonable reliance" rule allows them to assume that the information requested by another covered entity conforms to minimum necessary standards. As long as there is a valid written authorization on file from the patient, then the information can be released.

Reasonable reliance may also be assumed for requests from the following:

  • Public officials
  • Business associates of covered entities, such as a lawyer
  • A researcher who furnishes proper documentation

Food for Thought

Do you think that many health care facilities had documented disclosure processes prior to HIPAA?
Do you feel that the minimum necessary guideline might hamper the timely transfer of information necessary to treat the patient and other health care-related tasks?


Under the privacy rule, stringent internal guidelines must be developed and implemented in all health care facilities to regulate the disclosure of protected health information. Also, of the information that is disclosed, reasonable efforts must be made to ensure that the minimum amount of data necessary has been released.