
HIPAA Patient Authorizations


September 22, 2018 | Reading Time: 2 Minutes


HIPAA patient authorizations are an important part of running your behavioral health practice. HIPAA regulation sets specific standards for the use and disclosure of patients’ sensitive health care information, all of which stem from receiving the proper authorizations directly from your patients before the start of care.

Under HIPAA regulation, health care professionals have limitations and restrictions on what, how, when, and with whom a patient’s protected health information (PHI) may be shared. PHI is defined as any demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, dates of birth, phone numbers, Social Security numbers, insurance ID numbers, medical records, and full facial photos, to name a few.

Over the course of treatment, behavioral health professionals like yourself will often need to share patient PHI with other providers, vendors, health plans, or partners. These are considered “uses and disclosures” under HIPAA regulation.

The HIPAA rules outline many standards that dictate the exact processes that must be followed when handling uses and disclosures. However, the rule of thumb to remember is that you cannot freely use and disclose a patient’s PHI without first obtaining express HIPAA patient authorization.

HIPAA patient authorizations should be part of onboarding any new patients or clients, and should be gathered using an appropriate HIPAA patient authorization form.

HIPAA Patient Authorizations for Media, Marketing, and Fundraising

Some of the most important elements of HIPAA patient authorization pertain specifically to instances involving media access, marketing, and fundraising. In these instances, granting access to patient PHI to news media, marketing firms, or PR agencies is strictly forbidden unless you have gathered express authorization for these specific instances. Behavioral health providers cannot simply use the same HIPAA patient authorization form for media, marketing, and fundraising that they use for treatment and payment.

A recent HIPAA fine for nearly $1 million was issued by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for a PHI breach involving filming patients without their express HIPAA authorization. Patients were filmed by a local, Boston-area news crew and claimed that they did not give authorization for this use of PHI.

Keep this Boston HIPAA fine example in mind to avoid rising HIPAA fines and potential HIPAA violations that can occur because of improper patient authorizations!

If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!

