Jump to main content


A covered entity must obtain an individual's written authorization to release PHI that is not being used for treatment, payment, or health care operations. An authorization must be written in specific terms and in plain language. The authorization must contain what information will be disclosed, the person or persons receiving the information, an expiration date, right to revoke in writing, and other data.

Authorization to Release Protected Health Information

  • Psychotherapy Notes

    A Hybrid Entity must obtain an individual's written authorization to use or disclose psychotherapy notes except for the following:

    • A covered entity who originated the notes may use them for treatment
    • A covered entity may use or disclose, without a written authorization, the psychotherapy notes, for its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity's compliance with the Privacy Rule, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the notes, for the lawful activities of a coroner or medical examiner or as required by law
  • Marketing

    Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service. The Privacy Rule allows:

    • Communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the covered entity making the communication
    • Communications about participating providers in a provider network, replacement of, or enhancements to a health plan, and health-related products or services available only to a health plan's enrollees that add value to, but are not part of, the benefits plan
    • Communication for treatment of the individual
    • Communication for case management or care coordination for the individual, or to direct or recommend alternative treatment, therapies, health care providers or care setting

    Marketing also is an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services. A covered entity must obtain an authorization to use or disclose PHI for marketing, except for face-to-face marketing. An authorization for marketing that involves remuneration from a third party, must reveal that fact.

  • Limiting Uses and Disclosures to the Minimum Necessary

    A central aspect of the Privacy Rule is the princilpe of "minimum necessary". This means a covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to acomplish the intended purpose. For more information go to Minimum Necessary.

  • Notice and Other Individual Rights

    Insert Content Here