Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

HHS.gov
  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom

Breadcrumb

  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. FAQ
  5. 472-Does the Privacy Rule permit a covered entity to use or disclose protected health information
  • Authorizations (30)
  • Business Associates (41)
  • Compliance Dates (2)
  • Covered Entities (14)
  • Decedents (9)
  • Disclosures for Law Enforcement Purposes (5)
  • Disclosures for Rule Enforcement (1)
  • Disclosures in Emergency Situations (2)
  • Disclosures Required by Law (6)
  • Disclosures to Family and Friends (28)
  • Disposal of Protected Health Information (6)
  • Facility Directories (7)
  • Family Medical History Information (3)
  • FERPA and HIPAA (10)
  • Group Health Plans (3)
  • Health Information Technology (41)
  • Incidental Uses and Disclosures (10)
  • Judicial and Administrative Proceedings (8)
  • Limited Data Set (6)
  • Marketing (18)
  • Marketing - Refill Reminders (16)
  • Mental Health (35)
  • Minimum Necessary (14)
  • Notice of Privacy Practice (20)
  • Personal Representatives and Minors (12)
  • Preemption of State Law (10)
  • Privacy Rule: General Topics (12)
  • Protected Health Information (2)
  • Public Health Uses and Disclosures (13)
  • Research Uses and Disclosures (20)
  • Right to Access and Research (58)
  • Right to an Accounting of Disclosures (8)
  • Right to File a Complaint (1)
  • Right to Request a Restriction (3)
  • Safeguards (13)
  • Security Rule (24)
  • Smaller Providers and Businesses (145)
  • Student Immunizations (8)
  • Telehealth (11)
  • Transition Provisions (3)
  • Treatment, Payment, and Health Care Operations Disclosures (30)
  • Workers Compensation Disclosures (5)

Does the Privacy Rule permit a covered entity to use or disclose protected health information pursuant to an authorization form that was prepared by a third party?

Answer:

Yes. A covered entity is permitted to use or disclose protected health information pursuant to any Authorization that meets the Privacy Rule’s requirements at 45 CFR 164.508. The Privacy Rule requires that an Authorization contain certain core elements and statements, but does not specify who may draft an Authorization (i.e., it could be drafted by any entity) or dictate any particular format for an Authorization. Thus, a covered entity may disclose protected health information as specified in a valid Authorization that has been created by another covered entity or a third party, such as an insurance company or researcher.

Created 9/24/03

Content created by Office for Civil Rights (OCR)
Content last reviewed January 9, 2023
Back to top
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • HHS Archive
  • Accessibility
  • Privacy Policy
  • Viewers & Players
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy

Sign Up for Email Updates

Receive the latest updates from the Secretary, Blogs, and News Releases.

Sign Up
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​