Which action requires patient authorization under HIPAA?

The action that requires patient authorization under HIPAA is the selling of protected health information (PHI) for marketing purposes. This is due to the sensitive nature of health information and the need to protect patient privacy. Under HIPAA regulations, individuals have the right to control who can access and use their health information, particularly when it comes to commercial uses such as marketing.

When PHI is sold or used for marketing, it can potentially expose individuals to unwanted solicitations or harm their privacy, which is why explicit patient consent is mandated. This requirement ensures patients maintain control over their personal information and are fully informed about how it may be used beyond standard healthcare practices.

In contrast, disclosing PHI for treatment purposes, sharing it with family members, or transferring it to a health insurer are actions that generally do not require patient authorization because they fall within the scope of treatment, payment, or healthcare operations—key areas where healthcare providers can operate without additional consent under HIPAA.