Frequently Asked Questions

What is a HIPAA Authorization form?

A HIPAA Authorization form is a formal document used to obtain a person’s signed permission for a covered entity (e.g., a healthcare provider) to use and disclose their protected health information (PHI) for a purpose that is not otherwise permitted under the HIPAA Privacy Rule. When signed HIPAA Authorization is required, a person’s PHI may only be used and disclosed in the ways specified in the signed Authorization form.


When are researchers required to obtain HIPAA Authorization?

UC Berkeley researchers who intend to access or obtain PHI from one or more of UC Berkeley’s covered entities must obtain signed HIPAA Authorization from each person (“research participant”) prior to accessing or obtaining their PHI for research purposes. UC Berkeley’s covered entities are University Health Services (including its health care services on behalf of Intercollegiate Athletics), and the Optometry Clinic. HIPAA Authorization must be obtained from research participants in addition to informed consent. There are exceptions to the HIPAA Authorization requirement, however, such as:

  • When the research cannot practicably be conducted if participants were required to provide Authorization for use or disclosure of their PHI, and researchers provide adequate justification for the IRB to approve a waiver or alteration of Authorization;
  • When researchers will obtain a Limited Data Set under a Data Use Agreement with the covered entity;
  • Use of PHI for activities preparatory to research; and,
  • Use of decedents’ PHI.

Researchers should review the CPHS Guidelines on HIPAA and Human Subjects Research and University of California Policy on HIPAA and Research for detailed information about exceptions to obtaining HIPAA Authorization.

UC Berkeley researchers who will access or obtain PHI from a non-UC Berkeley covered entity must comply with the HIPAA requirements of the entity from which the PHI will be obtained.


Is HIPAA Authorization separate from informed consent?

The answer to this question varies according to state and/or institution. For California research participants, CA Civil Code 56.11 requires that HIPAA Authorization be “clearly separate from any other language present on the same page” and that it be “executed by a signature which serves no other purpose than to execute the authorization.” HIPAA Authorization must also include all signature lines (with date) in accordance with CA Civil Code 56.11.


What information must be included in a HIPAA Authorization form?

HIPAA Authorization must include the following key elements in order for the Authorization to be valid:

  1. A specific and meaningful description of the PHI to be used or disclosed.
  2. The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure.
  3. The name or other specific identification of the intended PHI recipient, i.e., the person(s) or class of persons to whom the covered entity may make the requested use or disclosure.
  4. A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is sufficient when an individual initiates the Authorization and does not, or elects not to, provide a statement of the purpose.
  5. An expiration date or an expiration event that relates to the individual. For research, “end of the research study” or “none” are permissible, including for the creation and maintenance of a research database or repository.
  6. Signature of the individual (e.g., the research participant) OR their legally authorized representative (LAR), and the date.

The Authorization form must be provided to the research participant in a language that is understandable to them. In addition, per California law, 14-point font is required for all Authorization forms. UC Berkeley researchers who wish to obtain HIPAA Authorization for PHI from one of UC Berkeley’s covered entities should use the UC template (including translated versions) available at UCOP Ethics, Compliance and Audit Services: HIPAA Authorization forms.

UC Berkeley researchers are responsible for ensuring that the appropriate document is used for obtaining HIPAA authorization. UC Berkeley’s CPHS/OPHS is not required to review and approve such Authorizations.

Related information