Outline of this section:

1. Language from Federal Rule

2. Sample Form

3. Reminder about "minimum necessary" disclosure.

Prepared by M.P. Dunlap & B. McDowell for HIPAA Training


Introduction to 

AUTHORIZATION- a customized document that gives covered entities permission to use specified Protected Health Information (PHI) for specified purposes, which are generally other than Treatment, Payment, and health care operations (TPO), or to disclose PHI to a third party specified by the individual.  Authorizations should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local laws or procedures.

  1. Covered entity (CE) may not condition treatment or coverage on the provision of an authorization
  2. More detailed and specific than a consent.
  3. Only covers PHI stipulated in the authorization, which has an expiration date and may contain the stated purpose for disclosure of the information.
  4. For any purpose not otherwise permitted or required by the HIPAA Rule.
  5. Not required for disclosures to carry out Treatment, Payment, and Healthcare Operations
  6. Any use or disclosure inconsistent with authorization constitutes a violation of the rule
  7. Must have Core elements and required statements to be valid; can contain additional elements if they are consistent with required elements.
  8. Authorization does not require CE to disclose information pursuant to an individual’s Authorization. It allows permission.


Per Federal Register/ Vol 67, No. 157, / Wednesday, August 14, 2002/ Rules and Regulations


(53269- 53270 )

c) Implementation specifications:

Core elements and requirements.—(1)

Core elements. A valid authorization under this section must contain at least the following elements:

i) A description of the information used or disclosed that identifies the information in a specific and meaningful fashion.

ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. The statement ‘‘at the request of the individual’’ is a sufficient description the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement ‘‘end of the research study,’’ ‘‘none,’’ or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.

(vi) Signature of the individual and date. If the authorization is signed by personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.


(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

(i) The individual’s right to revoke the authorization in writing, and either:

(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or

(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by 164.520, a reference to the covered entity’s notice.

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.

(3) Plain language requirement. The authorization must be written in plain language.

(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. Per Federal Register/ Vol 67, No. 157, / Wednesday, August 14, 2002/ Rules and Regulations

Psychotherapy notes:  (p 53268)


(2) Authorization required:

psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:

(i) To carry out the following treatment, payment, or health care operations:

(A)   Use by the originator of the psychotherapy notes for treatment;

(B)    Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or

Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and (ii) A use or disclosure that is required by 164.502(a)(2)(ii) or permitted by 164.512(a); 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; 164.512(g)(1); or 164.512(j)(1)(i).

Sample Form:



I authorize:
to use and disclose the specific protected health information described below


regarding: _________________________________________Date of Birth:____________________________


 as is necessary to: __ release information to, and/or  ___ receive information from:






address                                                                   city/ state                                           (phone)

The information to be used or disclosed includes:                            



Social, medical or psychological reports.



Medications used in treatment.               



Treatment goals and results.                 



Information about drug and/or alcohol abuse or treatment



Court or probation records








This information disclosure is necessary for the following purpose(s): …………………………………..



Diagnosis and evaluation.



Treatment planning.                         



To facilitate treatment.                         









If we are requesting this Authorization from you for our own use and disclosure or to allow another health care professional or health care entity to disclose information to us: (1) We cannot deny our services or treatment to you if you refuse to make this signed authorization; (2) You have the right to inspect a copy of the protected health information to be used or disclosed; (3) You may refuse to sign this Authorization; and (4) We must provide you with a copy of the signed authorization. You have the right to revoke this Authorization at any time, provided that you do so in writing and except to the extent that we have already used or disclosed the information in reliance on this Authorization. Unless revoked earlier or otherwise indicated, this Authorization will expire 180 days from the date of signing or shall remain in effect for the period reasonably needed to complete the request.

By signing this Authorization, you may be directing us to disclose your health information to a person or organization that does not have the same obligations to protect privacy required of health care practitioners, health plans and other health care entities observe under state and federal law. The disclosure of the information specified above may carry with it the potential for unauthorized disclosure of your protected health information and loss of protection under state and federal law.

You may request that we require the recipient of your protected health information to sign a Confidentiality Agreement in which the recipient agrees to limit its use and disclosure of your information as specified by the Confidentiality Agreement. If the intended recipient refuses to sign the confidentiality agreement you request, we will not release the information.

_______ (Your Initials) I request that the recipient of the information identified above for disclosure sign a Confidentiality Agreement.


_______  (Your Initials) I understand that my alcohol and/or drug treatment records are protected under federal and state regulations (42 CFR Part 2 and ORS 430.399(5), 179.505) governing Confidentiality of Alcohol and Drug Abuse Patient Records, and cannot be disclosed without my written authorization unless otherwise provided for in the regulations. I also understand that I may revoke this authorization in writing at any time except to the extent that action has been taken in reliance on it, and that in any


event this authorization expires automatically as follows:  ________________________________________________________________________________

(Specify the date, event, or condition upon which the Authorization expires)


I have reviewed this Authorization and I understand it. I understand that the information used or disclosed under this Authorization may be subject to re-disclosure by the recipient and may no longer be protected under federal privacy law.


_____________________________       ______________________________________        _________

   Client/patient                   (or) legal representative & legal representative’s authority                               Date



_________________________________  Reminder Note! _________________________ 

Definition of “Minimum Necessary” According To HIPAA

Below, you will find direct quotes from the Privacy Rule concerning the “minimum necessary” amount of information to release.  Here are the highlights:  1) When you release protected information, make reasonable efforts to limit it to the minimum; 2) You must have “policies and procedures” concerning the “minimum necessary” standard; 3) The covered entity who holds the information always retains discretion to make its own minimum necessary determination.

Federal Register / Vol. 67, No. 157 / Wednesday, August 14, 2002 / Rules and Regulations

2. Minimum Necessary Standard  (pp. 53195-96 Bold emphases added)

December 2000 Privacy Rule. The Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

See 164.502(b). Protected health information includes individually identifiable health information (with limited exceptions) in any form, including information transmitted orally, or in written or electronic form….

The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to, and disclosures of, protected health information…

The Privacy Rule contains some exceptions to the minimum necessary standard. The minimum necessary requirements do not apply to uses or disclosures that are required by law, disclosures made to the individual or pursuant to an authorization initiated by the individual, disclosures to or requests by a health care provider for treatment purposes, uses or disclosures that are required for compliance with the regulations implementing the other administrative simplification provisions of HIPAA, or disclosures to the Secretary of HHS for purposes of enforcing this Rule. See 164.502(b)(2).

The Privacy Rule sets forth requirements for implementing the minimum necessary standard with regard to a covered entity’s uses, disclosures, and requests at 164.514(d). A covered entity is required to develop and implement policies and procedures appropriate to the entity’s business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested. For uses of protected health information, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and the conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols. …


Additionally, in response to those commenters who raised specific concerns with respect to authorizations which request release of psychotherapy notes, the Department clarifies that the final Rule does not require a covered entity to use and disclose protected health information pursuant to an authorization. Rather, as with most other uses and disclosures under the Privacy Rule, this is only a permissible use or disclosure. If a covered health care provider is concerned that a request for an individual’s psychotherapy notes is not warranted or is excessive, the provider may consult with the individual to determine whether or not the authorization is consistent with the individual’s wishes.

Further, the Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual’s authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. Thus, the Department believes that these additional protections appropriately and effectively protect an individual’s privacy with respect to psychotherapy notes.


With respect to disclosures to another covered entity, the Privacy Rule permits a covered entity reasonably to rely on another covered entity’s request for protected health information as the minimum necessary for the intended disclosure. See 164.514(d)(3)(iii). The Department does not believe, therefore, that a blanket exception for such disclosures is justified. The covered entity who holds the information always retains discretion to make its own minimum necessary determination.  (p. 53197)