Privacy Authorization to Disclose PHI

Every covered entity that relies on patient authorization as a basis for using or disclosing protected health information (PHI) needs a written authorization form that contains all the elements required under 45 CFR §164.508(c). This template provides a complete, structured form that your team can customize and deploy.

What Is Included

• Individual information fields (name, date of birth, MRN, contact)
• Disclosure source and recipient identification fields
• PHI description section with category checkboxes and date-range fields
• Purpose of use/disclosure field (including “at the request of the individual” option)
• Expiration date or expiration event field
• Required statements: right to revoke, conditioning notice, and redisclosure notice
• Revocation submission section with designated contact fields
• Signature block for individual and personal representative (with authority description field)
• Document header with version, effective date, and review date fields

Who Uses This Form

This template is designed for HIPAA covered entities including medical practices, clinics, hospitals, health systems, and other healthcare providers that obtain patient authorization before using or disclosing PHI. It is also suitable for covered entity health plans and healthcare clearinghouses that rely on patient authorization for specific disclosures.

Regulatory Basis

The HIPAA Privacy Rule at 45 CFR §164.508 establishes when a valid written authorization is required before a covered entity may use or disclose PHI, and specifies the core elements that every authorization must contain. An authorization that omits any required element is not valid under the Rule. This template is structured to include all required elements in 45 CFR §164.508(c)(1) and §164.508(c)(2). State law may impose additional requirements. Review with your privacy officer or legal counsel before finalizing.