- The covered entity must obtain the individual's authorization, unless the disclosure is otherwise permitted by another provision of the Privacy Rule
- The authorization must meet all requirements in the Privacy Rule to be valid
- Minimum necessary does not apply
The core elements of a valid authorization include:
- A meaningful description of the information to be disclosed
- The name of the individual or the name of the person authorized to make the requested disclosure
- The name or other identification of the recipient of the information
- A description of each purpose of the disclosure (The statement "at the request of the individual" is sufficient when the individual initiates the authorization and does not, or elects not to, provide a statement of the purpose)
- An expiration date or an expiration event that relates to the individual
- A signature of the individual or their personal representative (someone authorized to make health care decisions on behalf of the individual) and the date.
For additional requirements of a valid authorization, refer to the FAQs on authorizations.