Elements of a Valid Authorization
Under 45 CFR § 164.508, a valid HIPAA authorization must contain:
- A description of the information to be used or disclosed
- The name of the person or entity authorized to make the disclosure
- The name of the person or entity to whom the disclosure will be made
- A description of the purpose of the disclosure
- An expiration date or expiration event
- The individual's signature and date
- If signed by a personal representative, a description of their authority
Required Statements
The authorization must also include statements about:
- The individual's right to revoke the authorization in writing
- Whether treatment or payment is conditioned on the authorization
- The potential for re-disclosure by the recipient
Common Reasons for Rejection
- Authorization is expired
- Patient signature is missing
- Provider name doesn't match the practice on file
- Authorization is too vague (no date range or record type specified)
- Authorization has been revoked by the patient
For complete privacy regulations, see our Privacy Policy.