Inspera Health


Courtesy of the Department of Health and Human Services


A Privacy Rule Authorization is an individual’s signed permission to allow a covered entity to use or disclose the individual’s protected health information (PHI) that is described in the Authorization for the purpose(s) and to the recipient(s) stated in the Authorization. In contrast, an informed consent document is an individual’s agreement to participate in the research study and includes a description of the study, anticipated risks and/or benefits, and how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. If a covered entity obtains or receives a valid Authorization for its use or disclosure of PHI for research, it may use or disclose the PHI for the research, but the use or disclosure must be consistent with the Authorization.

The Authorization must be written in plain language. A copy of the signed Authorization must be provided to the individual signing it if the covered entity itself is seeking the Authorization. The Privacy Rule does not specify who must draft the Authorization, so a researcher could draft one. The Privacy Rule specifies core elements and required statements that must be included in an Authorization. An Authorization is not valid unless it contains all the required elements and statements. An Authorization form may also, but is not required to, include additional, optional elements so long as they are not inconsistent with the required elements and statements and are not otherwise contrary to the Authorization requirements of the Privacy Rule. An Authorization, whether prepared by a covered entity or by a person requesting PHI from a covered entity, must include the following core elements and required statements:

Authorization Core Elements

  • Description of PHI to be used or disclosed (identifying the information in a specific and meaningful manner).
  • The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure.
  • The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure.
  • Description of each purpose of the requested use or disclosure. Researchers should note that this element must be research study specific, not for future unspecified research.
  • Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure (the terms “end of the research study” or “none” may be used for research, including for the creation and maintenance of a research database or repository). Signature of the individual and date. If the Authorization is signed by an individual’s personal representative, a description of the representative’s authority to act for the individual.