A HIPAA authorization is a written document that gives a healthcare provider, health plan, or other covered entity your permission to use or share your protected health information for purposes beyond routine care, billing, or healthcare operations. Without this signed form, these organizations are legally prohibited from disclosing your medical records for most non-routine purposes. It’s one of the primary ways you control who sees your health data and why.
How It Works in Practice
Your doctors, hospitals, and health insurers already have broad permission under HIPAA’s Privacy Rule to share your information for three core functions: treating you, getting paid for your care, and running their operations. These everyday uses don’t require your authorization. But when someone wants your health information for a reason that falls outside those three categories, they need your explicit, written approval through a HIPAA authorization form.
Common situations where you’d sign one include releasing your medical records to a life insurance company, allowing a provider to share your information for a marketing purpose, permitting a lawyer to access your records for a legal case, or letting a family member handle your health information on your behalf. The authorization puts you in the driver’s seat: you decide what gets shared, with whom, and for how long.
What the Form Must Include
A HIPAA authorization isn’t just any signature on any piece of paper. The Privacy Rule requires specific elements for the form to be legally valid. Every authorization must contain:
- A meaningful description of the information being disclosed, so you know exactly what’s being shared
- Who is disclosing the information (the provider or entity releasing your records)
- Who will receive it (the person, company, or organization getting your data)
- The purpose of the disclosure (though simply stating “at the request of the individual” is sufficient if you initiated the authorization yourself)
- An expiration date or expiration event so the permission doesn’t last forever
- Your signature and the date, or the signature of a personal representative who is legally authorized to make healthcare decisions on your behalf, together with a description of that representative's authority to act for you
The form must also be written in plain language, and it must carry statements telling you that you may revoke it in writing, whether your treatment, payment, enrollment, or benefits eligibility is conditioned on signing, and that information disclosed under it may be redisclosed by the recipient and no longer protected by the Privacy Rule. If an authorization is missing any of these core elements, it is defective under federal law, and a covered entity cannot rely on it to share your information.
How Expiration Dates Work
Every authorization needs a defined endpoint. This can be a specific date or a period measured from signing (for example, one year from the date signed), or it can be tied to an event relevant to your situation, such as "upon termination of enrollment in the health plan" or "when the minor reaches the age of majority." The authorization stays in effect until that date or event arrives, unless you revoke it in writing before then.
One nuance worth knowing: your state may have stricter time limits on how long an authorization can remain active. If your state law is more restrictive than the federal rule, the state law controls how long the authorization is effective, even if the expiration date on the form is further out.
Authorization vs. Consent
These two terms get confused constantly, but they serve different legal functions under HIPAA. Consent is an optional, general document that a provider may (but isn’t required to) ask you to sign, covering routine uses of your information for treatment, payment, and operations. Providers have complete discretion over whether they use a consent process and how they design it.
An authorization is more specific and more formal. It’s required by law whenever someone wants to use your health information for purposes that fall outside routine care and billing. It must contain all the elements listed above. A general consent form, no matter how willingly you signed it, does not satisfy the legal requirements of an authorization. If the Privacy Rule demands an authorization, only a document meeting the full authorization standard will do.
Situations That Always Require Authorization
Certain types of disclosures carry mandatory authorization requirements with almost no exceptions. Psychotherapy notes receive the strongest protections under HIPAA. These are the notes a mental health professional writes documenting or analyzing a private counseling session, kept separate from the rest of your medical record. Sharing psychotherapy notes requires your authorization even when the purpose is treatment by another provider; the main exception is the professional who wrote the notes, who may use them for your own treatment without one. This is a higher bar than nearly any other type of health information.
Marketing is another area where authorization is strictly required. If a covered entity wants to use your health information to send you communications promoting a product or service, they generally need your signed authorization first. The same applies to any sale of your protected health information.
Beyond these mandatory cases, any disclosure that doesn’t fit neatly into the categories the Privacy Rule already permits (like public health reporting, law enforcement requests with proper legal process, or certain research activities with institutional oversight) will require your authorization.
Your Right to Refuse or Revoke
You are almost never required to sign an authorization. With very limited exceptions, a covered entity cannot condition your treatment, payment, enrollment in a health plan, or benefits eligibility on whether you grant an authorization. If a provider tells you they won’t see you unless you sign an authorization releasing your records to a third party unrelated to your care, that’s generally not permitted.
You also have the right to revoke any authorization you've previously signed, as long as you do so in writing. Once you revoke it, the covered entity can no longer make new disclosures based on that authorization. However, any information already shared before your revocation can't be "unshared." The revocation only stops future disclosures, and the rule also lets a covered entity continue to the extent it has already acted in reliance on the authorization, for example an insurer that issued coverage on the strength of it and needs the records to contest a claim.
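The validity elements, expiration rules, revocation behavior, and the psychotherapy-notes and marketing cases above amount to an access-control decision that a records-release system has to make before it discloses anything. The following is an editor-added example of that decision written as a policy check; it is not code from the original page or from HHS. The field names, reason codes, the treatment of a revocation as effective from the day it is received, the requirement that the form name the disclosure's purpose (or use the "at the request of the individual" wording), and the optional state-law day cap are all assumptions, and the sample authorization is constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Editor-added example, not code from the original page or from HHS.
# It models the Privacy Rule logic described above as a policy check that a
# records-release workflow could run before disclosing PHI. Field names,
# reason codes and the optional state-law day cap are assumptions.

TPO_PURPOSES = {"treatment", "payment", "operations"}    # no authorization needed
INDIVIDUAL_REQUEST = "at the request of the individual"  # acceptable purpose wording


@dataclass(frozen=True)
class Authorization:
    description: str                      # what information is covered
    discloser: str                        # who releases it
    recipient: str                        # who receives it
    purpose: str                          # why, or INDIVIDUAL_REQUEST
    signed_on: Optional[str]              # ISO date; None means unsigned
    signed_by_representative: bool = False
    representative_authority: str = ""    # required when a representative signs
    expires_on: Optional[str] = None      # expiration date (ISO) ...
    expiration_event: str = ""            # ... or expiration event
    plain_language: bool = True
    revoked_on: Optional[str] = None      # ISO date a written revocation was received


def missing_elements(auth: Authorization) -> list[str]:
    """List the core elements the form lacks; an empty list means the form is complete."""
    missing = [f for f in ("description", "discloser", "recipient", "purpose")
               if not getattr(auth, f).strip()]
    if auth.signed_on is None:
        missing.append("signature_and_date")
    if auth.signed_by_representative and not auth.representative_authority.strip():
        missing.append("representative_authority")
    if auth.expires_on is None and not auth.expiration_event.strip():
        missing.append("expiration_date_or_event")
    if not auth.plain_language:
        missing.append("plain_language")
    return missing


def authorization_status(auth, on, occurred_events=frozenset(), state_max_days=None) -> str:
    """Classify the authorization on ISO date `on`: valid, defective, revoked or expired."""
    if missing_elements(auth):
        return "defective"            # a form missing a core element cannot be relied on
    today = date.fromisoformat(on)
    if auth.revoked_on and today >= date.fromisoformat(auth.revoked_on):
        return "revoked"              # assumption: effective from the day received; stops future disclosures only
    if auth.expires_on and today > date.fromisoformat(auth.expires_on):
        return "expired"
    if auth.expiration_event and auth.expiration_event in occurred_events:
        return "expired"
    if state_max_days is not None:
        # assumed stricter state cap: it controls even if the form's own date is later
        if today > date.fromisoformat(auth.signed_on) + timedelta(days=state_max_days):
            return "expired"
    return "valid"


def may_disclose(purpose, info_type, auth, on, occurred_events=frozenset(), state_max_days=None):
    """Return (allowed, reason) for disclosing `info_type` for `purpose` on ISO date `on`."""
    if info_type != "psychotherapy_notes" and purpose in TPO_PURPOSES:
        return True, "tpo_no_authorization_needed"   # routine care, billing, operations
    if auth is None:
        return False, "authorization_required"       # psychotherapy notes, marketing, sale, other
    status = authorization_status(auth, on, occurred_events, state_max_days)
    if status != "valid":
        return False, f"authorization_{status}"
    if auth.purpose not in (purpose, INDIVIDUAL_REQUEST):
        return False, "purpose_not_covered"          # assumption: the form must name this purpose
    return True, "authorized"


# Constructed sample: records released to a life insurer, signed 2025-01-15 for one year.
SAMPLE_AUTH = Authorization(
    description="Complete medical record, 2020 through 2025",
    discloser="Example Clinic",
    recipient="Example Life Insurance Co.",
    purpose="life insurance underwriting",
    signed_on="2025-01-15",
    expires_on="2026-01-15",
)
REVOKED_AUTH = replace(SAMPLE_AUTH, revoked_on="2025-05-01")
DEFECTIVE_AUTH = replace(SAMPLE_AUTH, recipient="")
EVENT_AUTH = replace(SAMPLE_AUTH, expires_on=None,
                     expiration_event="termination of enrollment in the health plan")


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Exercise the rules the page describes; each key names a scenario."""
    uw, ev = "life insurance underwriting", "termination of enrollment in the health plan"
    return {
        "treatment_no_form": may_disclose("treatment", "lab_results", None, "2025-06-01"),
        "psychotherapy_notes_for_treatment": may_disclose("treatment", "psychotherapy_notes", None, "2025-06-01"),
        "marketing_no_form": may_disclose("marketing", "lab_results", None, "2025-06-01"),
        "insurer_in_term": may_disclose(uw, "lab_results", SAMPLE_AUTH, "2025-06-01"),
        "insurer_after_expiry": may_disclose(uw, "lab_results", SAMPLE_AUTH, "2026-02-01"),
        "insurer_state_cap_90d": may_disclose(uw, "lab_results", SAMPLE_AUTH, "2025-06-01", state_max_days=90),
        "day_before_revocation": may_disclose(uw, "lab_results", REVOKED_AUTH, "2025-04-30"),
        "after_revocation": may_disclose(uw, "lab_results", REVOKED_AUTH, "2025-05-01"),
        "missing_recipient": may_disclose(uw, "lab_results", DEFECTIVE_AUTH, "2025-06-01"),
        "event_not_yet": may_disclose(uw, "lab_results", EVENT_AUTH, "2025-06-01"),
        "event_occurred": may_disclose(uw, "lab_results", EVENT_AUTH, "2025-06-01", occurred_events={ev}),
        "wrong_purpose": may_disclose("marketing", "lab_results", SAMPLE_AUTH, "2025-06-01"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:36} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The check is deliberately fail-closed: a disclosure outside treatment, payment, and operations is denied unless a form that passes every element check is presented, and psychotherapy notes never take the TPO shortcut. Keeping the reason code with the decision matters in practice, because a release workflow should log why a request was denied (defective form, expired, revoked, wrong purpose) so the patient or requester can fix the right thing.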
Reproductive Health Care Protections
In April 2024, HHS finalized a rule adding new protections specifically around reproductive health care information. The rule was designed to prohibit covered entities from disclosing protected health information for the purpose of investigating or imposing liability on someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. Under this rule, when a covered entity receives a request for health information potentially related to reproductive care for purposes like law enforcement, judicial proceedings, or health oversight, the requester must sign an attestation confirming the request is not for a prohibited purpose.
However, in June 2025, a federal court in Texas vacated most of this rule. The rule's changes to the Notice of Privacy Practices, which concern substance use disorder records rather than reproductive health care, remain in effect with compliance required by February 2026, but the broader reproductive health protections, including the attestation requirement, are currently not enforceable. This area of law remains in flux, so the protections available to you may depend on when you're reading this and whether further legal developments have occurred.