CMA: Authorization

Disclaimer: CMA/PrivaPlan PrivaGuide: Authorization.


The information provided in this document does not constitute, and is no substitute for, legal or other professional advice.  Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns. 



PrivaGuide: Authorization

By Lesley Berkeyheiser and David Ginsberg




HIPAA requires that covered entities obtain an authorization for PHI uses and disclosures that are not included in one of the following categories:

  • To carry out treatment, payment or health care operations (as described in the notice of privacy practices),
  • Facility directory listings or disclosures to family members or others involved in the health care of the patient,
  • One of the two “mandatory” disclosures, (HIPAA requires disclosure of PHI to the subject individual when requested, and to the Department of Health and Human Services when they are conducting a compliance review or investigating a HIPAA Privacy complaint.  Note:  Other federal or state laws may specify additional mandatory disclosures, but these are the only two required by HIPAA.),
  • One of several “public purpose” disclosures—for example, disclosures required by law or for health oversight purposes,
  • Disclosures to a business associate.

Basically, if the HIPAA privacy rule or state law does not contain something that expressly allows a use or disclosure of PHI, then it cannot be done without the authorization of the subject individual (i.e. the “patient” or “plan member”).


How to do this:


In this section we document some practical suggestions for dealing with authorizations.  “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities.  Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.




Implementation Suggestions:

    1. Begin by reviewing the PHI Inventories you created in PrivaPlan Step 2. The PHI inventory is the most important step in your HIPAA Privacy and Security Compliance program. The inventory helps your organization know the “who,” “what,” and “where” of Protected Health Information. The inventory forms identify:
      • Every item of PHI in your organization.
      • Who uses the item (and for what purpose).
      • How the item is disclosed, for what purpose, by whom and to whom.

      Which uses and disclosures require authorization?

      Another way to determine common uses and disclosures of PHI that require an authorization is to ask yourself if your organization “sells” data to any third party. For example, do you provide pre-employment physicals to employers? Or do you provide screening tests to a third party for compensation? Other examples include clinical research, promoting a new product, and marketing of the practice to patients.


    2. Review the PHI use and disclosure inventory form under Document Templates and the ePHI Use and Disclosure Inventory form on this disc. On these forms you should have indicated the “purpose” of the use or disclosure.  If the purposes have not been recorded, you must do so before proceeding.  Here are some examples of use and disclosure purposes:
      • Treatment
      • Payment
      • Health Care Operations
      • Inspection Requests
      • Facility Directory Listings
      • Communication with People Involved in the Patient’s Care
      • Disclosures Required by Law
      • Cooperation with Public Health Authorities
      • Cooperation with Health Oversight Agencies
      • Judicial and Administrative Proceedings
      • Cooperation with Law Enforcement
      • Cooperation with Medical Examiners and Funeral Directors
      • Organ Donation Activities
      • Research
      • Public Safety
      • Specialized Government Functions
      • Workman’s Compensation
      • Marketing
      • Fundraising
      • Underwriting
      • Change of Ownership
      • Participation in Compliance Reviews
      • Commercial Sale
    3. Use the PHI Inventory form mentioned above to determine which items require “authorization.” In the introduction to this PrivaGuide we listed the five categories of uses and disclosures for which authorization is not required.  If you compare these categories with the list of purposes in step 2 above, you will see that most items do not require an authorization.  However, an authorization is required when PHI is “sold” (as is the case with pre-employment physicals) or when PHI is used for other profit-making purposes (such as marketing, some fundraising or underwriting). More information and guidance is available in the PrivaGuide about doing a PHI Inventory.


    4. Create a new list of those items that require authorization. This is a list you will reference frequently whenever you suspect that an authorization is required.


    5. Once you have created the list of protected health information items that require an authorization, create a way to indicate this need on the PHI itself. For example, if a pre-employment physical “form” requires authorization, you could always stamp or label the blank forms “authorization required.” This is another reminder to ensure an authorization is obtained.


      California law and HIPAA require authorizations for marketing

      HIPAA and California law both define marketing as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”


      In most cases whenever you receive any direct or indirect compensation (remuneration) for these communications from a third party, you must obtain a written authorization from each patient prior to making these communications.


      HIPAA exempts “face-to-face” communications or promotional gifts of nominal value from requiring an authorization. However, California law is more strict and requires an authorization if there is remuneration for this communication! You must disclose on the authorization form the remuneration received and a way for your patient to request that you stop such communications!


    6. If you use an electronic medical record (EMR) system, determine if there is a way to “mark” those record types that require authorization (you may need to ask your software vendor if this feature is available).


    7. Determine when you can condition treatment on obtaining an authorization. In general, you may not refuse to treat a patient because they are unwilling to sign an authorization form. Under a few special circumstances, you may decide to refuse to treat a patient who refuses to sign an authorization form (HIPAA calls this “conditioning treatment”).


      These are:

      • Clinical Research. If the patient does not agree to an authorization to participate in a research trial (generally the patient also signs an informed consent form), you can refuse treatment. In this case you can deny their participation in the research trial and refuse to provide “research related treatment.”
      • If the treatment or care is solely for the purpose of creating information for another party. For example, if you contract with a company to provide pre-employment physicals and the patient refuses to sign the authorization, you can refuse to perform the physical exam.
      • Health plan evaluations. If your patient refuses to authorize disclosures, you can refuse to perform the health insurance application evaluation.
    8. Review the authorization template under Document Templates. Begin with the basic customization of the authorization form.  Read the legal disclaimer and customization instructions at the beginning of the document and then delete them.  (This information is for your use in customizing the document; it is not to be read by your patients.)  Replace any text in brackets (for example, “[organization name]”) with text that is appropriate to your organization.  Complete any formatting (such as the inclusion of company logos) that is necessary to make this document conform to the documentation standards of your organization.


    Purpose determines the form of permission needed.


    There are three types of patient permission:

    1. NONE – No permission is needed for “public purpose” uses and disclosures or for disclosures to the subject individual himself or herself.
    2. VERBAL AGREEMENT – If you want to list a patient in a hospital directory or to have his or her condition discussed with family and friends, you must obtain permission. Verbal permission would work in either of these scenarios.
    3. AUTHORIZATION – A signed authorization is required for any commercial purpose, such as marketing, fundraising or sending pre-employment physical results to a prospective employer.
    9. Review special notes. Review every section of the template document that is enclosed in square brackets and written in a bold font (i.e. “[Note: …]”).  These are notes that may change how you customize your authorization forms.  Delete these notes once you have read them and taken the appropriate action.
    10. Be careful not to delete any mandatory content. HIPAA requires that certain elements be present in an authorization form.  These elements are:
      • A description of the information to be used or disclosed.
      • Who will use or disclose the information.
      • To whom the disclosure will be made (if applicable).
      • A description of each purpose of the requested use or disclosure.
      • An expiration date or expiration event.
      • Effect of refusal to sign the authorization.
      • A statement of the subject individual’s right to revoke the authorization.
      • A statement that the information may be re-disclosed and no longer protected by HIPAA (although it remains protected by California law).
      • Signature and date.
      • Authority of personal representative (if applicable).
      • If marketing is involved, and it results in direct or indirect remuneration to the organization, that such remuneration is involved.
      • California state law requires that your authorization be printed in 14 point type print or larger.  We have already provided a 14 point Authorization for you to use.  Please do not reduce the font size.

    11. Provide initial staff training and awareness. Review the list you created in step 2 above with all staff including the providers. Stress how important it is that an authorization is obtained for these uses and disclosures.


      Please note there are special California considerations for psychotherapy notes:


      Generally, these are not to be disclosed without patient authorization (a written authorization form) except as follows:

      • use by the physician who created the psychotherapy notes for treatment;
      • use or disclosure by the physician for the physician’s own training programs;
      • use or disclosure by the physician to defend against a legal action or other proceeding brought by the patient;
      • use or disclosure to the Secretary of DHHS in conjunction with HIPAA enforcement;
      • use or disclosure required by law;
      • use or disclosure for health oversight activities concerning the physician who created the notes;
      • use or disclosure to the coroner or medical examiner; or
      • use or disclosure as necessary to comply with the physician’s obligations to make Tarasoff warnings.

      Moreover, to the extent these involve outpatient psychotherapy notes, you should require a formal written request by the requestor in compliance with California law except with respect to disclosures for diagnosis or treatment, for health oversight activities or for disclosures required by law.


    Maintenance Suggestions:

    1. Keep Authorization forms for six years beyond the expiration date or event. The authorization form can be filed in the patient’s chart, or it can be filed in a separate file of “HIPAA Authorizations.”
    2. If the Authorization is to be signed by the patient’s personal representative, determine whether the request should be honored. See the section on handling personal representatives in the “Procedures Manual Template” (\PrivaPlan\Policies and Procedures folder) under the individual Permission Processing Procedure.
    3. Revocation of an Authorization: Patients or their personal representatives have the right to revoke their authorization. The revocation procedure is documented on the sample authorization form.
    4. Ongoing staff awareness: Routinely review recent authorizations. This way your staff remains alert to the uses/disclosures of PHI and the need for Authorizations.
    5. Periodically evaluate your activities to ensure you are complying with marketing requirements. For example, if you have begun to work with a disease management firm to provide education and information to your patients and you are being compensated for communicating about this service, you may fall within the definition of marketing. Remember that there are both HIPAA and California laws that govern such marketing, potentially requiring an authorization or at least formal notification. If you are conducting a marketing activity, ensure your procedures are updated and that authorizations are obtained!
    6. Certain “tailored to” communications may not need an authorization but under California law require other notice. California law allows you to make remunerated (compensated) communications to your patients with chronic and seriously debilitating or life threatening conditions that educate or advise them about treatment options or maintaining adherence to their treatment plan without obtaining an authorization. Thus, if a disease management company dealing with your patients who have congestive heart failure pays you to make sure they are complying with their care plan, this does not require an authorization. It does, however, require that you disclose in at least 14-point type the fact that the communication is remunerated, the name of the party remunerating you, and the fact the patient may opt-out of future remunerated communications by calling a toll-free number.  You must stop any further remunerated communications within 30 days of receiving an opt-out request. Remember that this only applies to patients with chronic and serious debilitating or life threatening conditions; for example if you are paid to communicate about a stress reduction program for routine patients you will need an authorization!
    7. The marketing laws are very complex. If you are in doubt obtain assistance from legal counsel or other experts!
    8. Ultimately, ensure you are complying with the sample policy statement on marketing (this can be found in the new Privacy Policy Draft under Policies and Procedures). This practice’s marketing policy is:


    It is the policy of this medical practice that any uses or disclosures of protected health information for marketing activities will be done only after a valid authorization is in effect except as permitted by law.  It is the policy of this organization to consider marketing any communication intended to induce the purchase or use of a product or service where an arrangement exists with a third party for such inducement in exchange for direct or indirect remuneration, [or where this organization encourages purchase or use of a product or service directly to patients].  This organization does not consider the communication of alternate forms of treatment, or the use of products and services in treatment, or a face-to-face communication made by us to the patient, or a promotional gift of nominal value given to the patient to be marketing, unless direct or indirect remuneration is received from a third party and the communication is not to a health plan enrollee concerning 1) a provider’s participation in the health plan’s network, 2) the extent of covered benefits, or 3) the availability of more cost-effective pharmaceuticals.  This organization may make remunerated communications tailored to individual patients with chronic and seriously debilitating or life-threatening conditions for the purpose of educating or advising them about treatment options or maintaining adherence to a prescribed course of treatment, without a signed patient authorization.  If we do so, we will disclose in at least 14-point type the fact that the communication is remunerated, the name of the party remunerating us, and the fact the patient may opt-out of future remunerated communications by calling a toll-free number.  This organization will stop any further remunerated communications within 30 days of receiving an opt-out request.


    How do you know if you are “marketing”?

    Ask yourself three questions:

    1. Are you encouraging your patients to purchase or use a product or service?  If not, you do not market.


    2. If you answered yes to Question 1, does a third party pay you, directly or indirectly, to make that communication?  If so, you must get your patients’ written authorization unless your only “marketing” communications are either: a) to current health plan enrollees concerning their benefits, provider network or the availability of more cost-effective pharmaceuticals, or b) to individuals with chronic and seriously debilitating or life-threatening conditions concerning their treatment plan and options.  Chronically ill individuals are entitled to notice and the right to opt-out of these communications.
    3. If you answered no to Question 2, you still must get your patients’ written authorization unless your only “marketing” communications are:  a) for face-to-face communications by you or an employee of your practice, b) to provide promotional gifts of nominal value to your patients, c) for treatment, d) for case management or care coordination, or e) to describe a health-related product or service your practice provides.

    About the Authors:

    This PrivaGuide has been greatly improved and customized by the California Medical Association. Specifically, the work of Catherine I. Hanson, Vice President and General Counsel of the CMA and Steven M. Fleisher, Esq. of Fleisher and Associates.


    Lesley Berkeyheiser

    Ms. Berkeyheiser has over twenty years’ experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology.  She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), Gap Analysis (PrivaPlan), and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates). She actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDI SNIP). This gives her an extensive and current knowledge of HIPAA remediation solutions.


    Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342.  Telephone: (610)-558-3332.  Email:


    David Ginsberg


    Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders.


    David Ginsberg is a healthcare consultant with over twenty-five years’ experience. Most recently he organized and is Executive Director of the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.

    Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting, and compliance issues.


    Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508.  Telephone:  877-218-7707.  Email:

