A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.

The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.

The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.

A description of each purpose of the requested use or disclosure.

Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure (“end of the research study” or “none” are permissible for research, including for the creation and maintenance of a research database or repository).

Signature of the individual and date. If the individual’s legally authorized representative signs the Authorization, a description of the representative’s authority to act for the individual must also be provided.

A statement of the individual’s right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity’s notice of privacy practices.

Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.

A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.[ HIPAA Research, at 15.]