HIPAA AUTHORIZATION FOR USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION

[// GUIDANCE: Replace bracketed placeholders with client-specific information. Remove GUIDANCE comments before final execution.]

TABLE OF CONTENTS

1. Document Header
2. Definitions
3. Operative Provisions
4. Representations & Warranties
5. Covenants & Restrictions
6. Default & Remedies
7. Risk Allocation
8. Dispute Resolution
9. General Provisions
10. Execution Block

1. DOCUMENT HEADER

1.1 Title
 HIPAA Authorization for Use or Disclosure of Protected Health Information (the “Authorization”).

1.2 Parties
 This Authorization is made by and between:
 (a) Patient: [PATIENT LEGAL NAME], residing at [PATIENT ADDRESS] (“Patient”); and
 (b) Recipient: [RECIPIENT NAME AND ADDRESS] (“Recipient”).
  [// GUIDANCE: “Recipient” may be an individual, health-care provider, insurer, attorney, or other party.]

1.3 Covered Entity / Disclosing Party
 [DISCLOSING PROVIDER / FACILITY NAME, ADDRESS] (the “Covered Entity”).

1.4 Effective Date
 This Authorization is effective as of [EFFECTIVE DATE] (the “Effective Date”).

1.5 Governing Law
 This Authorization is governed exclusively by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations at 45 C.F.R. Parts 160 & 164.

2. DEFINITIONS

For purposes of this Authorization, the following terms have the meanings set forth below:

2.1 “Authorization” has the meaning assigned in 45 C.F.R. § 164.508 and refers to this written permission for use or disclosure of Protected Health Information.

2.2 “Business Associate” means any third party that performs services involving the use or disclosure of PHI for or on behalf of a Covered Entity, as defined in 45 C.F.R. § 160.103.

2.3 “Covered Entity” means a health plan, health-care clearinghouse, or a health-care provider that transmits health information in electronic form, as defined in 45 C.F.R. § 160.103.

2.4 “Expiration Date” has the meaning ascribed in Section 3.5.

2.5 “Protected Health Information” or “PHI” means individually identifiable health information maintained or transmitted in any medium, as defined in 45 C.F.R. § 160.103.

2.6 “Recipient” has the meaning assigned in Section 1.2(b).

3. OPERATIVE PROVISIONS

3.1 Grant of Authorization.
 Patient hereby authorizes the Covered Entity (and any of its Business Associates) to disclose the PHI described in Section 3.2 to the Recipient for the purpose stated in Section 3.3, subject to the terms and conditions of this Authorization.

3.2 Scope of PHI Subject to Disclosure.
 (a) [CHECK ONE]
  ☐ All PHI in the Patient’s designated record set;
  ☐ Only the following specific records: [DESCRIBE SPECIFIC RECORDS, DATES OF SERVICE, OR TYPES OF REPORTS];
 (b) Exclusions (if any): [LIST EXCLUDED RECORDS, e.g., psychotherapy notes].

3.3 Purpose of Disclosure.
 [DESCRIBE PURPOSE — e.g., “continuity of care,” “claims adjudication,” “legal representation,” or “at the request of the Patient.”]

3.4 Method of Disclosure.
 PHI may be disclosed in any legally permissible form, including paper, electronic, facsimile, encrypted email, or secure web portal, unless Patient restricts as follows: [INSERT RESTRICTIONS OR “N/A”].

3.5 Expiration.
 This Authorization shall expire on the earliest to occur of:
 (a) [EXPIRATION DATE OR EVENT]; or
 (b) Two (2) years after the Effective Date, if no date or event is specified.
 (The “Expiration Date”).

3.6 Right to Revoke.
 Patient may revoke this Authorization at any time before the Expiration Date by delivering written notice to the Covered Entity’s Privacy Officer at the address set forth above. Revocation will not affect any disclosure made in reliance on this Authorization before the Covered Entity receives the revocation.

3.7 Redisclosure Warning.
 PHI disclosed under this Authorization may be subject to redisclosure by the Recipient and may no longer be protected by HIPAA.

3.8 No Conditioning of Treatment.
 Covered Entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether Patient signs this Authorization, except as permitted by 45 C.F.R. § 164.508(b)(4).

3.9 Consideration.
 The adequacy of Patient’s consent constitutes sufficient consideration for this Authorization. No monetary consideration is exchanged.

4. REPRESENTATIONS & WARRANTIES

4.1 Patient Representations.
 (a) Patient is at least 18 years of age or an emancipated minor, or otherwise has legal capacity to execute this Authorization.
 (b) All information supplied by Patient in connection with this Authorization is true, correct, and complete.

4.2 Covered Entity Representations.
 The Covered Entity will, in good-faith reliance on this Authorization, disclose only the PHI expressly authorized herein.

4.3 Recipient Representations.
 Recipient will use the PHI solely for the purpose stated in Section 3.3 and will implement commercially reasonable safeguards to protect the confidentiality of such PHI.

4.4 Survival.
 Sections 4, 6, 7, 8, and 9 survive expiration or revocation of this Authorization to the extent necessary to enforce their terms.

5. COVENANTS & RESTRICTIONS

5.1 Patient Covenants.
 Patient agrees to promptly notify the Covered Entity in writing of any revocation or modification of this Authorization.

5.2 Covered Entity Covenants.
 Covered Entity shall:
 (a) Make disclosures only in accordance with this Authorization and HIPAA; and
 (b) Document the disclosure as required under 45 C.F.R. § 164.528.

5.3 Recipient Covenants.
 Recipient shall not further use or disclose PHI except as permitted by this Authorization or as required by law.

6. DEFAULT & REMEDIES

6.1 Events of Default.
 Any use or disclosure of PHI by Recipient beyond the scope authorized herein, or any breach of Section 5, constitutes a default.

6.2 Cure Period.
 Upon written notice of default, Recipient shall have five (5) business days to cure the breach to the Covered Entity’s reasonable satisfaction.

6.3 Remedies.
 (a) Specific Performance and Injunctive Relief. In addition to any other remedy available at law or equity, the parties acknowledge that unauthorized disclosure of PHI may cause irreparable harm, entitling the non-breaching party to seek injunctive relief without posting bond.
 (b) Recovery of Costs. The prevailing party in any action to enforce this Authorization is entitled to recover reasonable attorneys’ fees and costs.

7. RISK ALLOCATION

7.1 Indemnification.
 Recipient shall indemnify, defend, and hold harmless the Covered Entity and Patient from and against any and all third-party claims, losses, liabilities, damages, and expenses (including reasonable attorneys’ fees) arising out of or related to Recipient’s unauthorized use or disclosure of PHI, except to the extent caused by the gross negligence or willful misconduct of the indemnitee.

7.2 Limitation of Liability.
 Nothing in this Section 7 shall limit liability for breaches of HIPAA or for violations of applicable law that cannot be disclaimed under public policy.

7.3 Insurance.
 [OPTIONAL] Recipient shall maintain, at its own expense, cyber/privacy liability coverage with limits of not less than [COVERAGE AMOUNT] per claim.
 [// GUIDANCE: Delete or modify if not relevant.]

7.4 Force Majeure.
 No party shall be liable for delay or failure to perform caused by events beyond its reasonable control, provided that such party gives prompt written notice and uses diligent efforts to resume performance.

8. DISPUTE RESOLUTION

8.1 Governing Law.
 This Authorization and any dispute arising hereunder are governed exclusively by federal law, including HIPAA and the regulations promulgated thereunder.

8.2 Forum.
 [NOT APPLICABLE – Silent per user instruction.]

8.3 Arbitration; Jury Waiver.
 [NOT APPLICABLE – Silent per user instruction.]

8.4 Injunctive Relief.
 Nothing in this Section 8 restricts the right of a party to seek injunctive or other equitable relief in a court of competent jurisdiction.

9. GENERAL PROVISIONS

9.1 Amendments and Waivers.
 No amendment or waiver of any provision of this Authorization is effective unless in writing and signed by the Patient. A waiver on one occasion is not a waiver on any subsequent occasion.

9.2 Assignment.
 Patient may not assign or delegate any rights or obligations hereunder without the prior written consent of the Covered Entity. Covered Entity may assign its rights to a successor entity.

9.3 Successors and Assigns.
 This Authorization is binding upon and inures to the benefit of the parties and their respective heirs, legal representatives, successors, and permitted assigns.

9.4 Severability.
 If any provision of this Authorization is held invalid or unenforceable, the remaining provisions remain in full force, and the invalid provision shall be reformed to the minimum extent necessary to make it valid and enforceable.

9.5 Entire Agreement.
 This Authorization constitutes the entire agreement between the parties concerning the subject matter and supersedes all prior or contemporaneous communications.

9.6 Counterparts; Electronic Signatures.
 This Authorization may be executed in one or more counterparts, each of which is deemed an original, and all of which together constitute one instrument. Signatures delivered by facsimile, PDF, or compliant electronic signature platform are effective for all purposes.

10. EXECUTION BLOCK

IN WITNESS WHEREOF, the Patient has executed this Authorization as of the Effective Date.

Patient:

Signature: ______
Printed Name: [PATIENT NAME]
Date: __________

Legal Representative (if applicable):

Signature: ______
Printed Name & Authority: [REPRESENTATIVE NAME & LEGAL AUTHORITY]
Date: __________
[// GUIDANCE: Attach proof of authority (e.g., power of attorney, guardianship order).]

Covered Entity Acknowledgment (Optional):

Authorized Representative Signature
Printed Name & Title: ____
Date: ________

Notary Acknowledgment (Optional / State-Specific):
[INSERT APPROPRIATE NOTARIAL CERTIFICATE IF REQUIRED BY STATE LAW]

[// GUIDANCE:
1. Retain a copy of the signed Authorization for at least six (6) years, per 45 C.F.R. § 164.530(j).
2. Verify identity of signatory and, where applicable, authority of personal representative.
3. If the Authorization permits marketing or sale of PHI, additional statements must be inserted under Section 3.3 as required by 45 C.F.R. § 164.508(a)(3)–(4).
4. Remove optional provisions if not applicable to the client’s use case.]