Privacy Authorization to Use or Disclose PHI

Privacy Authorization to Use or Disclose PHI

$47.00

The Privacy Authorization to use or Disclose PHI is a professionally drafted HIPAA authorization form template that satisfies all required-element and required-statement standards at 45 CFR 164.508(c). Covers standard PHI categories plus sensitive categories — mental health records, HIV/AIDS-related information, and SUD treatment records — each with built-in legal guidance notes. Includes a fully compliant revocation statement with both exceptions under 45 CFR 164.508(b)(5). Ready to customize with your organization name and contact information.

This template is also included in Privacy Bundle, Compliance Essentials and Program in a Box.

Out of stock

Categories: ,

Description

Privacy Authorization to Use or Disclose PHI

HIPAA-Compliant Patient Authorization Form Template | 45 CFR §164.508(c)

Every covered entity that relies on privacy authorization to use or disclose PHI needs a written authorization form that contains all the elements and statements required under 45 CFR §164.508(c). This template provides a complete, structured form with built-in legal guidance for sensitive PHI categories that carry requirements beyond standard HIPAA.

What Is Included

  • Individual information fields (name, date of birth, MRN, contact)
  • Disclosure source and recipient identification fields
  • PHI category checkboxes with date-range fields, covering:
    • All PHI (general medical records)
    • Medical record (clinical notes, diagnoses, treatment)
    • Billing/insurance records
    • Imaging reports/films
    • Laboratory results
    • Medication list
    • Mental health records (with state-law guidance note)
    • HIV/AIDS-related information (with state confidentiality statute guidance note)
    • Substance use disorder treatment records (with 42 CFR Part 2 guidance note)
    • Other (describe)
  • Purpose of use/disclosure field (including “at the request of the individual” option)
  • Expiration date or expiration event field
  • Required statements per 45 CFR §164.508(c)(2):
    • Right to revoke, including how to submit a revocation and both exceptions under 45 CFR §164.508(b)(5) (prior reliance and insurance coverage)
    • Conditioning notice
    • Redisclosure notice
  • Revocation submission section with designated contact fields (Section 9)
  • Signature block for individual and personal representative (with authority description field)
  • Privacy Office validation addendum for internal use
  • Document header with version, effective date, and review date fields

Sensitive Category Guidance Notes

Mental health records, HIV/AIDS-related information, and substance use disorder records each carry legal requirements beyond HIPAA. The template includes a plain-language guidance note under each of these three checkboxes:

  • Mental health records: Many states impose protections stricter than HIPAA and require specific consent language or separate forms. The note directs users to verify state law before relying solely on this authorization.
  • HIV/AIDS-related information: Most states have HIV confidentiality statutes with mandatory disclosure language that supersede a general HIPAA authorization. The note directs users to verify state requirements and confirms this form does not substitute for a state-required HIV consent form.
  • SUD treatment records: Records held by a federally assisted SUD treatment program are governed by 42 CFR Part 2, and a HIPAA authorization is legally insufficient for those records. The note explains when this form may be used (non-Part 2 providers) and when a separate Part 2-compliant consent form under 42 CFR 2.31 is required instead.

Who Uses This Form

Designed for HIPAA covered entities including medical practices, clinics, hospitals, health systems, behavioral health providers, and other healthcare providers that obtain patient authorization before using or disclosing PHI. Also suitable for covered entity health plans and healthcare clearinghouses. The sensitive-category checkboxes and guidance notes make this form particularly useful for integrated care settings, behavioral health organizations, and any provider whose patients regularly need to authorize disclosure of mental health, HIV-related, or substance use disorder records.

Regulatory Basis

The HIPAA Privacy Rule at 45 CFR §164.508 establishes when a valid written authorization is required and specifies all elements and statements every authorization must contain. This template is structured to include:

  • All six core elements under 45 CFR §164.508(c)(1)
  • All three required statements under 45 CFR §164.508(c)(2), including the complete revocation statement with both exceptions enumerated at 45 CFR §164.508(b)(5)
  • The copy-to-individual requirement under 45 CFR §164.508(c)(4)

State law may impose additional requirements, particularly for mental health, HIV/AIDS, and substance use disorder records. The sensitive-category guidance notes address these intersections. Review with your privacy officer or legal counsel before finalizing.

Delivery: Microsoft Word (.docx). Download immediately after purchase. Fully editable. Add your organization name, contact information, and document identifiers and the form is ready to use.

Related products