Is a verbal agreement for the use of PHI sufficient under HIPAA?

Under HIPAA, written authorization is generally required for most disclosures of Protected Health Information (PHI). This ensures that consent is documented clearly and provides a reliable record of the patient's permissions regarding their sensitive health information. While verbal agreements may be acceptable in some specific and limited situations, they do not provide the same level of security or accountability as a written authorization.

The requirement for written consent helps to protect the rights of individuals by preventing unauthorized use or disclosure of their PHI, thus maintaining confidentiality and trust in the healthcare system. Given this framework, the typical expectation is that a formal, documented agreement is necessary for most disclosures, making the answer about written authorization the correct one.