By Nikola Philpott

When is a covered entity required to obtain a written authorization for the use and disclosure of protected health information?

According to the U.S. Department of Health and Human Services (HHS), under the Privacy Rule, “a covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.”¹

An Authorization is not required when using or disclosing protected health information “to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.”²

Examples When an Authorization is Required

Disclosures to “a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.”³

Psychotherapy Notes. An Authorization is required even when used for the treatment of the patient, unless they are used for treatment by the covered entity that originated the notes.  A covered entity may also use or disclose psychotherapy notes without an Authorization for the purpose of “its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner, or as required by law.”⁴

Marketing. An Authorization is required when using or disclosing protected health information for marketing purposes “except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value.”⁵

Good to Know

»  Date the Authorization was created is not important. A current Authorization – one that has not expired or been revoked by the individual – permits a covered entity to use or disclose specific protected health information as described in the Authorization.  Unless the Authorization specifically limits the information in any other way, the date the information was created is irrelevant.

In other words, it doesn’t matter when the Authorization was signed. As long as the Authorization is still valid and the information to be used or disclosed is identified in the Authorization, the covered entity is authorized to use or disclose the identified protected health information, even if the health information was created after the Authorization was established.⁶

»  Entire medical records can be released. A covered entity may use or disclose a patient’s entire medical record based on a valid Authorization if that Authorization describes in a “specific and meaningful fashion” the protected health information to be used and disclosed. “Specific” and “meaningful” refer to statements such as “entire medical record” or “complete patient file.” General statements, such as “all protected health information,” are not generally specific enough and could invalidate an Authorization.⁷

»  Authorizations can be revoked by an individual. An individual has the right to revoke an Authorization at any time. The request for revocation must be submitted in writing and is effective upon receipt by the covered entity. However, any actions taken by the covered entity on the valid Authorization prior to receipt are not affected by the revocation.⁸

»  Copies of Authorizations are acceptable. A signed Authorization is valid for the use or disclosure of protected health information regardless of whether the covered entity receives the original or a copy, to include copies by facsimile or electronic transmission.⁹

»  Authorizations and Health Care Powers of Attorney are not the same thing. The manner in which a person is granted power of attorney for health care decisions is not affected by the Privacy Rule. A Health Care Power of Attorney gives the designated person legal authority to make treatment decisions related to an individual or exercise the rights of that individual, while an Authorization allows a person or entity to use or disclose the individual’s protected health information.¹⁰


Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.508 – Uses and disclosures for which an authorization is required

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” accessed August 22, 2012.

2. “Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?”, last modified August 8, 2005.

3-5. “Summary of the HIPAA Privacy Rule,” accessed August 22, 2012.

6. “May a covered entity disclose protected health information specified in an Authorization, even if that information was created after the Authorization was signed?”, last modified August 8, 2005.

7. “May a covered entity use or disclose a patient’s entire medical record based on the patient’s signed Authorization?”, last modified August 8, 2005.

8. “Can an individual revoke his or her Authorization?”, August 8, 2005.

9. “Is a copy, facsimile, or electronically transmitted version of a signed Authorization valid under the Privacy Rule?”, accessed August 22, 2012.

10. “Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?”, last modified March 14, 2006.