Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 12: Revocation of Authorization



An agreed upon limitation on use and disclosure of PHI about an individual to carry out Treatment, Payment or health care Operations (TPO) and disclosures for involvement in the individual’s care. For instance, UTD may use and disclose PHI for TPO but the patient may request UTD not to use or disclose PHI for other instances. Please refer to the Requests for Restricting Uses and Disclosures of PHI for guidance on patient request for restrictions.


An individual exercises the right to void a prior authorization to use and disclose PHI. However, UTD will not be liable for a use or disclosure of a patient’s PHI after a revocation, if UTD in good faith based its actions upon a prior authorization, and has already acted in reliance. Once UTD has utilized a patient’s PHI for TPO, UTD is no longer required to use or disclose that PHI, and may no longer use or disclose the PHI without the patient’s authorization.


Revocation of Authorization to Release PHI

An individual may revoke an authorization at any time, provided that the revocation is in writing, unless UTD has already provided PHI based on the patient’s authorization. UTD will stop providing information based on a patient’s authorization as soon as possible. The attached revocation form should be used to insure the requirements of this section are met.


An initial authorization form is completed with the subsidiary medical record custodian or the unit medical record custodian. In the case of a patient requesting a revocation of a prior authorization, the revocation form will be administered from the subsidiary medical record custodian or Medical Records Department (MRD).

It is the responsibility of the subsidiary medical record custodian to forward all original revocation form to MRD. MRD will be responsible for notifying the departments or individuals (currently with the authorization to use the patient’s PHI) that the patient has revoked his/her authorization.

Once notified by MRD of the revocation, the departments or individuals are responsible for ensuring the patient’s PHI is no longer subject to further use or disclosure.


All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.