HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
(Comprehensive—Federal HIPAA‐Compliant)
[// GUIDANCE: This template is drafted to satisfy the core content requirements of 45 C.F.R. § 164.508(c) while incorporating sophisticated contractual provisions requested by the client. Bracketed placeholders must be customized before use. Omit any provisions that are unnecessary for the specific transaction.]
TABLE OF CONTENTS
- Document Header
- Definitions
- Operative Provisions
- Representations & Warranties
- Covenants & Restrictions
- Default & Remedies
- Risk Allocation
- Dispute Resolution
- General Provisions
- Execution Block
1. DOCUMENT HEADER
HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
Effective Date: [MM/DD/YYYY]
This HIPAA Authorization (“Authorization”) is made by and between:
a. Individual/Patient: [Full Legal Name] (“Individual”);
b. Covered Entity: [Health-Care Provider / Plan / Clearinghouse Legal Name] (“Covered Entity” or “CE”); and
c. Recipient(s): [Name(s) or Specific Identification of Recipient(s)] (“Recipient”).
Recitals
A. CE maintains certain “Protected Health Information” (“PHI”) pertaining to Individual that is subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, 45 C.F.R. Parts 160 & 164 (“HIPAA”).
B. Individual desires to authorize the Use and Disclosure of PHI as described herein, for the purpose(s) set forth below, subject to the terms and conditions of this Authorization.
C. CE is willing to Use and Disclose PHI in reliance on this Authorization, and Recipient is willing to receive such PHI, all subject to HIPAA and the additional covenants, limitations, and remedies provided below.
NOW, THEREFORE, in consideration of the mutual promises and agreements contained herein, the Parties agree as follows:
2. DEFINITIONS
For ease of reference, capitalized terms shall have the meanings assigned below, applied consistently throughout this Authorization.
“Authorization” – This HIPAA authorization form, including all appendices and amendments.
“Covered Entity” or “CE” – The health-care provider, health plan, or health-care clearinghouse identified in the Document Header that is subject to HIPAA.
“Disclose” or “Disclosure” – The release, transfer, provision of access to, or divulging in any other manner of PHI outside CE, as those terms are used in 45 C.F.R. § 160.103.
“HIPAA” – The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and its implementing regulations at 45 C.F.R. Parts 160 & 164.
“Individual” – The subject of the PHI and signatory hereto, as that term is used in 45 C.F.R. § 160.103.
“PHI” – Protected Health Information, including [describe categories, e.g., “laboratory test results dated 1 January 20XX – 31 December 20XX, diagnostic imaging, physician progress notes, and discharge summaries”].
“Recipient” – The person(s) or entity(ies) authorized to receive the PHI, as set forth in Section 3.1(b).
“Use” – The sharing, employment, application, utilization, examination, or analysis of PHI within CE, as those terms are used in 45 C.F.R. § 160.103.
[// GUIDANCE: Add additional defined terms as needed for specialized transactions.]
3. OPERATIVE PROVISIONS
3.1 Grant of Authorization.
a. Authorized PHI. CE is hereby authorized to Use and Disclose the PHI specifically described in the definition of “PHI” above.
b. Authorized Recipient(s). Disclosure may be made to: [Recipient Name/Title/Address].
c. Purpose(s). PHI may be Used or Disclosed solely for the following purpose(s): [e.g., “continuity of care,” “insurance underwriting,” “legal proceeding in Case No. _,” “research study titled _,” or “at the request of the Individual”].
d. Expiration. This Authorization shall expire on the earliest to occur of:
(i) [MM/DD/YYYY],
(ii) the completion of the purpose(s) stated in 3.1(c), or
(iii) revocation pursuant to Section 3.2.
3.2 Right of Revocation.
Individual may revoke this Authorization at any time by delivering written notice to CE at [Designated Address or HIPAA Privacy Office]. Revocation shall be effective upon receipt, except to the extent CE or Recipient has already acted in reliance on this Authorization.
3.3 Re-Disclosure Warning.
Information disclosed under this Authorization may be subject to re-disclosure by Recipient and may no longer be protected by HIPAA. CE shall have no responsibility for any such re-disclosure not under its control.
3.4 Conditions for Treatment and Payment.
Except for research-related treatment or enrollment in a health plan, CE may not condition treatment, payment, enrollment, or eligibility for benefits on the execution of this Authorization.
3.5 Special Categories of PHI.
a. Psychotherapy Notes (45 C.F.R. § 164.508(a)(2)): If checked ☐, CE is authorized to Disclose psychotherapy notes.
b. Substance Use Disorder Records: Any records subject to 42 C.F.R. Part 2 shall not be Disclosed unless the additional requirements of Part 2 are satisfied.
c. Genetic Information: Genetic test results may only be disclosed if consistent with the Genetic Information Nondiscrimination Act (“GINA”) and applicable state law.
3.6 Compensation.
No Party shall receive remuneration for the Use or Disclosure of PHI except as permitted under HIPAA.
3.7 Consideration.
The Parties acknowledge the mutual promises herein as sufficient consideration for this Authorization.
4. REPRESENTATIONS & WARRANTIES
4.1 Individual’s Representations.
a. Individual is of legal age and has full legal capacity, or is the personal representative duly authorized under applicable law to sign this Authorization.
b. The information provided herein is accurate and complete to the best of Individual’s knowledge.
4.2 CE’s Representations.
a. CE will Use and Disclose PHI only as permitted by this Authorization and applicable law.
b. CE maintains administrative, physical, and technical safeguards required by HIPAA.
4.3 Recipient’s Representations.
Recipient shall maintain the confidentiality of PHI in accordance with all applicable laws and this Authorization, and shall not Use or Disclose PHI except as expressly permitted herein.
4.4 Survival.
The representations and warranties in this Section survive the expiration or termination of this Authorization to the extent necessary to protect PHI and enforce the Parties’ rights.
5. COVENANTS & RESTRICTIONS
5.1 Recipient Covenant.
Recipient shall implement reasonable safeguards to prevent unauthorized Use or Disclosure of PHI and shall immediately notify CE and Individual of any breach or suspected breach.
5.2 Compliance Monitoring.
Recipient shall provide, upon reasonable written request, evidence satisfactory to CE of compliance with this Authorization.
5.3 Prohibited Actions.
Recipient shall not:
a. Sell PHI;
b. Use PHI for marketing without separate written authorization; or
c. Combine PHI with other data in a manner that violates HIPAA.
6. DEFAULT & REMEDIES
6.1 Events of Default.
a. Material breach of any provision of Sections 3–5;
b. Failure to comply with any applicable law regarding PHI;
c. Written notice of breach delivered by a governmental authority.
6.2 Notice & Cure.
Upon an Event of Default, the non-breaching Party shall give written notice specifying the default. The breaching Party shall have [30] days from receipt to cure, if curable.
6.3 Remedies.
a. Termination of this Authorization, in whole or in part;
b. Limited Injunctive Relief to prevent imminent or continuing unauthorized Disclosure of PHI;
c. Recovery of Direct Damages subject to statutory limits (see Section 7.2);
d. Attorney Fees. The prevailing Party is entitled to reasonable attorney fees and costs incurred in enforcing this Authorization.
7. RISK ALLOCATION
7.1 Indemnification (Authorization Scope).
Recipient shall indemnify, defend, and hold harmless CE and its affiliates from and against any third-party claims, losses, or liabilities directly arising out of Recipient’s Use or Disclosure of PHI in violation of this Authorization or applicable law.
7.2 Limitation of Liability.
To the fullest extent permitted by law, the aggregate liability of any Party under this Authorization shall not exceed the statutory damages or penalties expressly authorized by HIPAA, 42 U.S.C. § 1320d-5, and related regulations. In no event shall any Party be liable for incidental, consequential, or punitive damages.
7.3 Insurance.
[Optional] Recipient shall maintain cyber/privacy liability insurance with limits of not less than $[1,000,000] per claim.
7.4 Force Majeure.
No Party shall be liable for delay or failure to perform due to events beyond reasonable control, including acts of God, war, terrorism, or governmental action, provided the affected Party gives prompt notice and resumes performance as soon as practicable.
8. DISPUTE RESOLUTION
8.1 Governing Law.
This Authorization and any dispute arising hereunder shall be governed by and construed in accordance with federal HIPAA and, to the extent not pre-empted, the laws of the United States.
8.2 Forum Selection.
The Parties consent to exclusive jurisdiction and venue in the United States District Court for the [District].
8.3 Optional Arbitration.
By mutual written election after a dispute arises, the Parties may submit the matter to binding arbitration administered by the American Arbitration Association under its Healthcare Payor Provider Rules.
8.4 Jury Trial.
Nothing in this Section shall be construed to waive any Party’s constitutional right to a jury trial.
8.5 Equitable Relief.
Any equitable relief awarded shall be limited to the minimum scope necessary to protect PHI consistent with Section 6.3(b).
9. GENERAL PROVISIONS
9.1 Amendment & Waiver.
Any amendment to this Authorization must be in writing and signed by all Parties. No waiver of any provision shall be deemed a continuing waiver unless expressly stated.
9.2 Assignment.
No Party may assign or delegate its rights or obligations under this Authorization without prior written consent of the other Parties, except that CE may assign to a successor in interest upon merger or acquisition.
9.3 Severability.
If any provision is held invalid or unenforceable, it shall be reformed to the minimum extent necessary, and the remaining provisions shall continue in full force.
9.4 Integration.
This Authorization constitutes the entire agreement among the Parties concerning the subject matter and supersedes all prior understandings.
9.5 Counterparts & Electronic Signatures.
This Authorization may be executed in counterparts, each of which is deemed an original. Electronic signatures are deemed equivalent to handwritten signatures for all purposes.
10. EXECUTION BLOCK
IN WITNESS WHEREOF, the Parties have executed this Authorization as of the Effective Date.
Individual / Patient
Signature: _____
Printed Name: _____
Date: ____
If signing as Personal Representative:
Authority/Relationship: ___
Covered Entity
By: ____ Title: ___
Printed Name: ____
Date: ____
Recipient
By: ____ Title: ___
Printed Name: ____
Date: ____
[Notary acknowledgment, witness signatures, or additional state-specific formalities may be inserted here if required.]
[// GUIDANCE:
1. Verify that the “Authorized PHI,” “Purpose,” and “Expiration” are described with sufficient specificity to satisfy 45 C.F.R. § 164.508(c)(1).
2. Remove or tailor Sections 6–8 if the transaction risk profile does not warrant them.
3. Confirm that any state privacy laws (e.g., California CMIA) and 42 C.F.R. Part 2 are satisfied when the PHI includes special categories of information.
4. Maintain a signed copy for at least six (6) years from the date of creation or last effective date, as required by 45 C.F.R. § 164.530(j).]