Home Contacts Site Map
Up HIPAA worksheet Data Extraction / Business Associates Identifiers UB Research FAQ Authorizations Waiver of Authorization Review Prep to Research Research on Decedents Transition Provisions Limited Datasets


This page contains forms specific to the process of developing a valid HIPAA authorization.  If you download copies of these forms for local use, be sure to check back here occasionally for updates.

If you need to identify subjects from individually identifiable health information for study recruitment purposes prior to acquiring the subject's authorization, be sure you also have a limited waiver for recruitment purposes in place (see the Research Worksheet for more information).

(revised 9/11/2008) IMPORTANT: When using the Authorization Template, the listing of information to be received in section (1), and the list of places that will be providing this information as well as the people to whom information holders will be giving this information listed in section (2), needs to be exhaustive and thorough.  A covered entity must be able to rely on an appropriately executed Authorization as a stand alone document to identify itself as being able to provide information, the information it is authorized to provide, and who they are authorized to provide it to.  Generalizations in section (1) such as 'data required for this study' are not sufficient.

Generally authorizations can be combined with other documents, such as the informed consent.  One exception to this is an authorization to release psychotherapy notes, which cannot be combined with other documents.

Special types of Health Information

New York State Law sets additional requirements on the disclosure of certain types of information by health care workers, including but not limited to: Cancer Information, Communicable Diseases within New York City , HIV/AIDS, Tuberculosis, Sexual Abuse, Drug Abuse, Births and Deaths, Early Intervention Services, Genetic Information, Alcohol and Substance Abuse, and Mental Health.  In situations where research involves such information, State Law requirements, in addition to HIPAA requirements need to be considered.  A HIPAA compliant authorization does not remove the need to understand and comply with any additional requirements governing disclosures associated with these types of information.

Investigator Guidelines provide an overview of authorization requirements to the investigator.


Last updated April 17, 2003 (.doc) (.pdf)

Authorization Validity Checklist with Examples provides examples that can be cut and pasted into the authorization template.  This document will be used by the IRB to validate authorizations submitted to it for review.


Last modified August 2, 2007 (.doc) (.pdf)

Authorization Template Use the template to prepare your authorization form for IRB review.  Includes required provisions.


Last updated August 25, 2009 (.doc) (.pdf)


Authorization forms should be submitted along with other paperwork to the IRB.  When a HIPAA authorization is being used, the authorization and informed consent will only be approved jointly, i.e., an informed consent will not be approved until the authorization is approved and visa-versa.  You must have a separate, IRB approved authorization for each approved protocol which specifically identifies the protocol it is associated with.  The authorization may not be further modified (boxes checked, information elements added) after IRB approval.

After obtaining a research subject's signature on a HIPAA authorization, a copy of that signed authorization will have to be provided to the covered entity when you wish to use it to access protected health information.  Handling of this varies by covered entity:

bulletKALEIDA Health: (as of 4/9/2003) signed authorization forms must be delivered to the Supervisor of Health Information Management at each KALEIDA site supplying PHI to the researcher.
bulletECMC Healthcare Network: (default until further guidance is provided) signed authorization forms should be sent to the ECMC HIPAA privacy officer, ECMC, 462 Grider Street Buffalo, NY 14215.
bulletSchool of Dental Medicine: (default until further guidance is provided) Please contact the SDM HIPAA coordinator, Mike Breen, for SDM policy on this matter
bulletUB Research not occurring in a covered entity/function: researcher must maintain the signed authorizations on file.

This material is designed for internal University at Buffalo use only and is copyrighted.  Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo.  None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.
Last updated: July 28, 2009.  Privacy Policy
Hit Counter