What is a HIPAA authorisation form?

The HIPAA Privacy Rule (45 CFR §164.508) requires covered entities and their business associates to obtain a valid written authorisation from patients before using or disclosing their protected health information (PHI) for purposes other than treatment, payment, and standard healthcare operations.

An authorisation form is different from a Notice of Privacy Practices (NPP): an NPP informs patients about how their PHI may be used in general; an authorisation form grants explicit permission for a specific use or disclosure that falls outside standard operations — such as sharing records with a third-party researcher, insurer, or employer.

When is a HIPAA authorisation required?

• Releasing patient records to an insurer, employer, or attorney
• Using patient information for research, marketing, or fundraising
• Sharing PHI with a third party not covered by standard treatment/payment/operations purposes
• Disclosing psychotherapy notes (always requires a separate, specific authorisation)
• Disclosures to a patient's family member or friend beyond incidental care communication

Required elements of a valid HIPAA authorisation form

Under 45 CFR §164.508(c), a valid HIPAA authorisation must include all of the following elements:

• Description of the PHI to be used or disclosed, specific enough for the patient to understand
• Name or class of persons authorised to make the disclosure
• Name or class of persons or organisations to whom the disclosure is made
• Description of each purpose of the requested use or disclosure
• Expiration date or event that relates to the individual or the purpose of the use or disclosure
• Statement of the patient's right to revoke the authorisation and how to do so
• Statement that treatment, payment, enrolment, or eligibility for benefits may not be conditioned on the authorisation (if applicable)
• Patient (or personal representative) signature and date

Electronic HIPAA authorisations

The HIPAA Privacy Rule does not require wet (handwritten) signatures on authorisation forms. Electronic signatures are accepted provided they meet the authentication and integrity requirements of HIPAA. This means the signature process must:

• Uniquely identify the signer (not a shared link that anyone could complete)
• Provide a tamper-evident record of what was signed
• Create an audit trail recording who signed, when, and from which device

OTP-verified electronic signatures — where the patient verifies their identity by entering a one-time code sent to their email — satisfy these requirements for most covered entity workflows.

Business Associate Agreements and Docuplete

If you are a covered entity using Docuplete to process PHI, Docuplete acts as a business associate under HIPAA. A Business Associate Agreement (BAA) is required before you may use Docuplete for workflows involving PHI. Contact hello@docuplete.com to request a BAA — it is included with all paid subscriptions.