Is This Authorization Valid?

What You Need to Know Before Granting Requests for Information

Healthcare providers and records departments see many types of requests for health information, from different entities and for different purposes. It is important to have a good understanding of what makes an authorization valid, and to be able to discern if all of the requirements are in place for the document to be considered in compliance with the Privacy Rule. It sounds simple, but as you can see, there are quite a few things to know about the process, and then a few special exceptions to watch out for.

The Core Elements Of A Valid Authorization

The HIPAA privacy rules specifically prohibit healthcare providers (covered entities) and their business associates from disclosing PHI unless they have a valid, written HIPAA authorization that is signed by the patient or the patient’s representative.

An authorization is different from a consent form. To comply with the Privacy Rule it must be a detailed document that contains all of the required core elements:

  1. A meaningful description of the information to be disclosed. For example, this can be records within a certain date range, or related to a certain health event. 
  2. The name of the individual or the name of the person authorized to make the requested disclosure.
  3. The name or other identification (date of birth, social security number) of the recipient of the information.
  4. A description of each purpose of the disclosure. Note that the statement “at the request of the individual” is sufficient when the individual themselves initiates the authorization. Other purposes might be to receive payment or to use information for research. 
  5. An expiration date or an expiration event that relates to the individual. The authorization can expire on a specific date in the future, or only when a written revocation is sent.
  6. A signature of the individual or their personal representative, and the date. This is usually accompanied by an acknowledgement that ensures the individual understands his/her rights under the Privacy Rule. 

It is also important to note that authorizations cannot be combined with any other documents – even though it may be tempting to consolidate paperwork and forms. This is called the “no compound authorizations” requirement.

Required Patient Rights Statements

As well as all of the required elements, an authorization form must contain certain statements that inform the patient of his/her rights under the Privacy Rule.

  • The patient (or their representative) has the right to revoke the authorization at any time. This can be done by submitting a written revocation. 
  • The right to receive medical treatment, regardless of whether the patient authorizes release of records. This is true unless it is a research-related treatment or if the healthcare is for the purpose of employment, such as a physical. 
  • The information disclosed as a result of the authorization can be redisclosed by the recipient and is no longer protected by HIPAA.

Other Requirements

The provider or release of information company also has certain process requirements to follow in order to remain compliant. If these aren’t documented as policy and followed closely, then the entity can get into regulatory compliance trouble as well as incur HIPAA fines.

  • If the authorization is to permit the disclosure of information for marketing purposes – or for the sale of PHI if the provider will receive payment for the PHI – then the authorization must state that the provider will receive compensation.
  • The authorization must be filled out in full – none of the required elements may be left blank. 
  • The authorization must be written in plain language. If the patient has a language or literacy barrier, then the provider must translate the authorization for the patient. 
  • The provider must give the patient or personal representative a signed copy.
  • The provider must retain a copy of the authorization for six years.


There are some situations in which a patient does not have to authorize the release of their records. 

One of these is for treatment, payment, and operations requests (TPO requests). These requests are considered in the best interest of efficient care for the patient. They are allowed under HIPAA Privacy Rules, but should be handled with care, making sure that they meet the correct parameters for a TPO request.

In some cases, the government may have the right to access a patient's records without a written authorization. These situations do not require a warrant and are limited to circumstances of investigating a crime or protecting national security.

  • Law enforcement can make requests for information to identify or locate a suspect, fugitive, witness, or missing person. 
  • If there has been a crime committed on the premises of a covered entity and an investigation is underway.
  • In a medical emergency connected to a crime.

With a solid understanding of what is expected under HIPAA Privacy Rules when it comes to valid authorizations, medical records associates can be confident that patient information is being protected. The next time a confusing situation arises, the situation can be made clear by making sure the authorization has all of the required elements, patient rights are protected, clear processes are followed, and any exceptions are noted and followed accordingly. 

The professionals at RecordQuest are knowledgeable and thorough about all types of records requests, fulfilling them quickly and efficiently, at the right level of protection and scrutiny. This knowledge base and attention to detail is what makes us the trusted ROI company for healthcare organizations across the country. For more information, contact us for a consultation and demo.
