What is a HIPAA Authorization? A Guide for Families Making Healthcare Decisions

“I have power of attorney for my mom, so why won’t the hospital share her medical records with me?”

“Dad signed a healthcare surrogate form. Doesn’t that let me get his test results?”

“The nursing home is asking me to sign something called a HIPAA authorization. What is that?”

If you’re helping an elderly parent with healthcare decisions, you’ve probably run into confusion about HIPAA and when you can—and can’t—access their medical information.

What is a HIPAA Authorization?

A HIPAA authorization is a detailed, written document that allows healthcare providers, health plans, and other covered entities to use or disclose someone’s protected health information (PHI) in situations not otherwise permitted by federal privacy law.

Think of it as a permission slip—but much more specific and legally binding.

Under the HIPAA Privacy Rule, healthcare providers can share medical information for treatment, payment, and healthcare operations without special permission. They can also share information with certain government agencies for public health purposes.

But if they want to share your medical information for other purposes—like marketing, research, or disclosing it to someone who doesn’t have a legal right to it—they need your written HIPAA authorization.

Key point: A HIPAA authorization is not the same as the general consent forms you sign at the doctor’s office. Those routine forms acknowledge you received privacy notices. An authorization is a specific, detailed permission for a particular use or disclosure of your medical information.

When Is a HIPAA Authorization Required?

Healthcare providers and health plans must obtain a signed HIPAA authorization before they can:

Use or disclose your information for purposes not permitted by HIPAA.

This includes sharing your medical records with family members who aren’t your healthcare decision-makers, employers (in most cases), or others who don’t have a legal right to access your information.

Use your information for marketing purposes.

If a pharmaceutical company wants to send you information about their medications, or if your health plan wants to promote certain services, they generally need your authorization. (Face-to-face marketing and promotional gifts of minimal value are exceptions.)

Disclose psychotherapy notes.

These detailed notes from mental health counseling sessions have extra protection. Even uses that don’t require authorization for other medical records—like treatment and payment—require authorization for psychotherapy notes.

Share substance abuse treatment records.

Information about drug or alcohol treatment has additional federal protections beyond HIPAA. Authorization is almost always required to disclose this information.

Use your information for research purposes.

Medical researchers need either your authorization or approval from a special review board to use your identifiable health information.

Sell your protected health information.

If a covered entity receives payment in exchange for your PHI, they must obtain your authorization (with limited exceptions).

What Must Be Included in a HIPAA Authorization Form?

HIPAA is very specific about what an authorization form must contain. The document must be written in plain language and include:

A description of the information being shared.

This needs to be specific. “All medical records” or “records related to diabetes treatment from January 2024 to present” are both acceptable descriptions, depending on what’s actually being disclosed.

Who is authorized to disclose the information.

Usually this is your doctor, hospital, or health plan.

Who will receive the information.

This could be a specific person (“my daughter, Jennifer Smith”), a category of people (“my immediate family members”), or an organization (“ABC Research Institute”).

The purpose of the disclosure.

Why is this information being shared? Examples include “at my request,” “for continuing care,” or “for participation in clinical trial.”

An expiration date or event.

The authorization must specify when it expires. This could be a specific date (“December 31, 2026”), an event (“upon completion of treatment”), or in some cases “none” (for research databases).

Your signature and date.

If someone else is signing on your behalf (like an agent under a power of attorney), the form must explain their authority to sign.

The form must also include important notices about:

• Your right to revoke the authorization in writing
• Whether treatment can be conditioned on signing the authorization
• The potential for re-disclosure (once information is shared, it may no longer be protected by HIPAA)

Critical requirement: You must receive a copy of the signed authorization for your records.

HIPAA Authorization vs. Consent: What’s the Difference?

This confusion trips up many families.

Consent is the general permission you give (often verbally) for routine healthcare activities. For example:

• Including your name in the hospital directory
• Notifying family members that you’ve been admitted
• Leaving a voicemail about appointment times

Consent can often be verbal and is less formal.

Authorization is a specific, written permission for uses or disclosures that aren’t covered by routine healthcare operations. Authorization is more formal, more detailed, and must be in writing.

HIPAA Authorization and Healthcare Powers of Attorney

Here’s something important that many families miss: A healthcare power of attorney (or healthcare surrogate designation in Florida) is not the same as a HIPAA authorization.

A healthcare power of attorney allows someone to make medical decisions for you when you cannot. A HIPAA authorization allows someone to receive your medical information.

Best practice: When you establish a healthcare power of attorney, also sign a HIPAA authorization that specifically names your healthcare agent. This ensures they can access your medical information both to make decisions and to stay informed about your condition.

At Berg Bryant Elder Law Group, we include carefully drafted HIPAA authorizations as part of comprehensive healthcare advance directive packages.

Can You Revoke a HIPAA Authorization?

Yes. One of your rights under HIPAA is the ability to revoke an authorization at any time.

The revocation must be in writing. Simply telling your doctor verbally that you’ve changed your mind isn’t sufficient.

Important limitation: Your revocation doesn’t undo disclosures that already happened. If you authorized your health plan to share information with a research study, then revoked the authorization, the researchers can continue using information they already received.

Practical Tips for Families Dealing with HIPAA Authorization

Plan ahead. Don’t wait until there’s a medical crisis to think about HIPAA authorizations. Include them in your estate planning and healthcare advance directives.

Be specific. If you’re signing an authorization, make sure you understand exactly what information will be shared and with whom.

Keep copies. You’re entitled to a copy of every authorization you sign. Keep them with your other important medical documents.

Update regularly. If circumstances change—you switch doctors, your designated healthcare agent changes, or your medical conditions evolve—review and update your authorizations.

Understand your power of attorney. If you have healthcare power of attorney for a parent, make sure it specifically addresses access to medical records. Not all forms include this language.

Communicate with providers. If you’re having trouble getting medical information you believe you’re entitled to, speak with the provider’s privacy officer or patient advocate.

HIPAA Authorization in the Context of Elder Law

For Northeast Florida families dealing with aging parents, HIPAA authorization becomes particularly important in several situations:

Medicaid applications.

Applying for nursing home Medicaid requires extensive documentation, including medical records. Having proper HIPAA authorizations in place makes this process much smoother.

Care coordination.

When multiple family members are involved in a parent’s care, HIPAA authorizations help ensure everyone who needs information can get it.

Facility admissions.

Moving into assisted living, memory care, or a nursing home requires transferring medical information. Proper authorizations prevent delays.

Emergency situations.

In a medical emergency, having authorizations already in place means doctors can quickly share information with family members who need to make decisions.

Estate settlement.

After someone passes away, their personal representative may need medical records to settle estate matters, file claims, or address outstanding bills.

Protecting Your Healthcare Privacy While Ensuring Family Can Help

Understanding HIPAA authorization helps you balance two important goals: protecting your medical privacy and ensuring your family can help you when needed.

The key is thoughtful advance planning that includes:

• Healthcare powers of attorney or healthcare surrogate designations
• Specific HIPAA authorizations for trusted family members
• Clear communication with your healthcare providers about who can access your information
• Regular review and updates as circumstances change

At Berg Bryant Elder Law Group, we help Florida families create comprehensive healthcare planning documents that work together to protect both privacy and ensure family members can provide the care and support their loved ones need.

Get Your Healthcare Documents in Order

Don’t let HIPAA confusion prevent your family from getting the medical information they need to care for you.

Contact us today to discuss healthcare powers of attorney, HIPAA authorizations, and other advance directives that protect your interests while empowering the people you trust.

This article is for informational purposes only and does not constitute legal or medical advice. HIPAA rules are complex, and every situation is unique. Consult with healthcare privacy experts and legal professionals for guidance on your specific circumstances.