Can a HIPAA Authorization Be Combined With Other Documents? (w/Examples) + FAQs

Yes, a HIPAA Authorization can be combined with other documents in some situations, but the federal Privacy Rule sets strict limits on when, how, and with which documents this combination is allowed. The rules live inside 45 CFR § 164.508(b)(3), which is the “compound authorization” provision drafted by the U.S. Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

When a covered entity gets this rule wrong, the disclosure of protected health information (PHI) becomes invalid, the entity faces civil money penalties, and the patient loses the ability to make a true, informed choice. According to the HHS OCR enforcement data, HIPAA settlements have surpassed $144 million since 2003, and faulty authorization practices remain one of the top five repeat compliance failures cited each year. Compound authorization mistakes are quiet but costly, and they often surface only after a breach, a lawsuit, or a research audit.

Here is what you will learn in this guide:

• 📄 When the Privacy Rule lets you bundle a HIPAA Authorization with another consent form
• ⚖️ How federal rules like 45 CFR § 164.508 interact with the Common Rule at 45 CFR Part 46
• 🧾 The difference between a valid compound authorization and a void one
• 🩺 How state laws, 42 CFR Part 2, and psychotherapy notes change the analysis
• 🚫 The seven most common mistakes attorneys, hospitals, and researchers make when combining forms

What a HIPAA Authorization Actually Is

A HIPAA Authorization is a written permission slip that lets a covered entity use or disclose a person’s protected health information for a purpose that is not already allowed under the Privacy Rule. The authorization is defined in 45 CFR § 164.508(a), and it is required any time PHI is used for marketing, sold, or shared for a purpose outside treatment, payment, or health care operations.

The form must be in plain language, and it must contain six core elements and three required statements. The HHS sample authorization checklist lists the description of the information, the recipient, the purpose, the expiration, the signature, and the right to revoke as the non-negotiable parts.

When a HIPAA Authorization is missing any of these elements, the disclosure becomes a “use or disclosure not permitted” under 45 CFR § 164.502. The consequence is a reportable HIPAA breach, possible civil penalties up to $2,134,831 per violation category in 2025, and a duty to notify each affected patient under the Breach Notification Rule.

A common misconception is that any signed paper from a patient counts as a HIPAA Authorization. It does not. A general consent to treat, a financial agreement, or an arbitration clause is not a HIPAA Authorization unless it meets every element in the regulation.

Why the Form Matters So Much

The form is the only legal bridge between a patient’s private medical record and a third party who has no treatment, payment, or operations role. Without a valid authorization, even a well-meaning disclosure becomes unlawful.

Imagine Dr. Patel, a family physician in Ohio, who hands a drug company representative a printout of patients with diabetes so the company can mail them a coupon. If Dr. Patel never collected a HIPAA-compliant marketing authorization, every patient on that list has a claim under state privacy law and a complaint right with OCR.

The deeper point is that the form is not paperwork. It is the evidence that the patient understood the risk and agreed to it. Courts and OCR investigators read the form first when something goes wrong.

The Six Core Elements

The six core elements come straight from 45 CFR § 164.508(c)(1). They are the description of the PHI, the person authorized to make the disclosure, the recipient, the purpose, an expiration date or event, and the patient’s signature with date.

Skip the expiration date and the form is void. Skip the purpose and the patient cannot meaningfully consent. The OCR FAQ on authorizations repeats this point in plain language.

A common misconception is that “as needed” or “until I revoke” is a valid expiration. It is for some purposes, but for research it must be tied to “end of the research study” or “none” with the proper magic words.

The Compound Authorization Rule (45 CFR § 164.508(b)(3))

The compound authorization rule is the heart of this whole question, and it is found at 45 CFR § 164.508(b)(3). The rule says that a HIPAA Authorization cannot be combined with any other document that creates another legal permission, except in three narrow situations.

The three exceptions are: (1) two HIPAA authorizations for the same research study, (2) a HIPAA authorization combined with another written permission for the same research study, including a research informed consent under the Common Rule, and (3) a psychotherapy notes authorization combined with another psychotherapy notes authorization. Outside of these exceptions, combining is prohibited.

The consequence of an unlawful compound authorization is that the entire authorization is void. A void authorization means the disclosure was made without permission, which triggers breach notification under 45 CFR § 164.404 and exposes the covered entity to OCR enforcement.

A common misconception is that “stapling” two forms together avoids the rule. It does not. OCR looks at substance over form, and any single signature line that grants two permissions creates a compound authorization.

The Research Exception

The research exception was expanded by the HHS Omnibus Rule of 2013 under the HITECH Act. Before 2013, researchers had to keep the HIPAA Authorization separate from the Common Rule informed consent.

After 2013, researchers may combine the two into a single document, which patients sign once. The NIH guidance on combined consent forms walks through the layout choices, including how to use clear headings.

The catch is that if the study includes an optional component, like future use of biospecimens, the optional element must have a separate authorization for that part. A common misconception is that a single signature can cover both required and optional research uses without a separate opt-in box.

The Conditioning Prohibition

45 CFR § 164.508(b)(4) bars a covered entity from conditioning treatment, payment, enrollment, or eligibility for benefits on whether the patient signs an authorization. Conditioning is allowed only for research-related treatment, pre-enrollment underwriting, and certain employment physicals.

If a covered entity conditions care on a signed authorization outside these narrow exceptions, the authorization is void and the entity has committed a separate Privacy Rule violation. The penalty stack can be severe.

A common misconception is that a clinic can refuse to schedule a routine visit until the patient signs every form in the new-patient packet. That is illegal if any form in the packet is a HIPAA Authorization for a non-treatment purpose.

When Combining Is Allowed

Combining is allowed in three precise situations, and each one has its own internal rules. Knowing the boundaries protects the covered entity from a void authorization and protects the patient from being tricked into broader consent than they understood.

The OCR research authorization guidance is the single best plain-English source on this point. The guidance was updated after the 2013 Omnibus Rule and again in 2018 to clarify the rules around tissue banking and future research.

The consequence of getting it right is a smoother research workflow, faster IRB approvals, and fewer signatures from the patient. The consequence of getting it wrong is a void document, an OCR investigation, and possible suspension of federal research funding by the Office for Human Research Protections (OHRP).

Two Research Authorizations Together

You may combine two HIPAA Authorizations for the same research study, even when one covers a required component and the other covers an optional component. The optional component must, however, give the patient a clear way to opt in or opt out separately.

The OCR guidance on combined authorizations requires distinct signature lines or initial boxes for the optional element. Without that, the optional authorization is void, even though the required one may still stand.

A real-world scenario: Sofia, a leukemia patient at a large academic medical center, signs one document that authorizes use of her PHI for the cancer study and also asks her to opt in to future biobank research. If the document has only one signature line, the biobank portion is unenforceable.

HIPAA Authorization With Common Rule Informed Consent

You may combine the HIPAA Authorization with a Common Rule informed consent under 45 CFR Part 46. This is the most popular combination in academic research, and it streamlines the patient’s experience.

The combined document must still contain every HIPAA core element and every Common Rule element. The Common Rule informed consent requirements at 45 CFR § 46.116 include risks, benefits, alternatives, and confidentiality.

A common misconception is that meeting the Common Rule’s confidentiality element automatically meets HIPAA’s authorization requirements. It does not. Each set of elements must appear in the document on its own terms.

Two Psychotherapy Notes Authorizations

You may combine two psychotherapy notes authorizations into one document, but you cannot combine a psychotherapy notes authorization with any other type of authorization. This rule is at 45 CFR § 164.508(b)(3)(ii).

Psychotherapy notes get heightened protection because they reveal the most sensitive aspects of mental health care. The HHS guidance on psychotherapy notes explains why these notes are kept separate even from the rest of the medical record.

A common misconception is that “mental health records” and “psychotherapy notes” are the same thing. They are not. Psychotherapy notes are the therapist’s private analysis kept separate from the chart, and they have their own authorization rules.

When Combining Is Prohibited

Combining is prohibited any time a HIPAA Authorization is bundled with a non-research permission, a marketing consent for a different purpose, or a treatment-related consent. The rule is strict because patients sign too many forms too quickly, and bundling steals informed choice.

The consequence of an unlawful combination is that the entire authorization is invalid. The covered entity cannot rely on the signature, and any disclosure made under the void authorization is a Privacy Rule violation.

The HIPAA Journal compound authorization analysis and AHIMA’s release of information practice brief both warn that hospital admission packets are the single most common source of unlawful compound authorizations.

Hospital Admission Packets

A hospital admission packet often contains a general consent to treat, a financial responsibility agreement, an arbitration clause, and a request for a Notice of Privacy Practices acknowledgment. Adding a HIPAA Authorization for marketing to that packet creates a compound authorization that is void.

The fix is to keep the HIPAA Authorization on a separate page with its own signature. The OCR FAQ on combined documents confirms that physical separation is the cleanest way to comply.

A common misconception is that a Notice of Privacy Practices acknowledgment is itself an authorization. It is not. It is a receipt, not a permission, and it is governed by 45 CFR § 164.520.

Marketing and Treatment Together

Marketing authorizations under 45 CFR § 164.508(a)(3) cannot be combined with treatment consents. The reason is that marketing pays the covered entity, while treatment consent serves the patient, and the two interests are not aligned.

If a covered entity bundles them, the marketing authorization is void, and the entity has also failed the conditioning prohibition. The HHS OCR has cited bundling in several resolution agreements.

A common misconception is that “refill reminders” require a marketing authorization. They usually do not, because refill reminders are excluded from the marketing definition under 45 CFR § 164.501.

Three Real Scenarios

The cleanest way to see how the compound authorization rule plays out is through scenarios. Each example below maps to a real fact pattern reported in OCR guidance, IRB training materials, or healthcare law treatises.

Named Examples in Practice

Concrete people make the rule easier to remember. Each example below shows a different angle of the compound authorization question.

Example 1: Sofia, the Cancer Trial Participant

Sofia is enrolled in a phase III leukemia trial at a teaching hospital. The IRB-approved consent document is a single sixteen-page form that combines the Common Rule informed consent with a HIPAA Authorization for the trial.

The document is valid because the trial is a single research study, the document contains every Common Rule element under 45 CFR § 46.116, and it contains every HIPAA element under 45 CFR § 164.508(c). Sofia signs once and the disclosures are lawful.

The optional biobank section has a separate opt-in checkbox and a separate signature line. That separation matters because future research is not the same study, and conditioning the trial on biobank consent would violate § 164.508(b)(4).

Example 2: David, the Personal Injury Plaintiff

David retains a plaintiffs’ firm after a car wreck. The firm sends him a retainer agreement, a contingency fee schedule, and a HIPAA Authorization to release all of his medical records to the firm.

The firm puts the HIPAA Authorization on its own page with its own signature line. That is the cleanest compliance path because the retainer is not a HIPAA-permitted purpose, and bundling it with the authorization would create an unlawful compound authorization.

If the firm had combined the retainer with the HIPAA Authorization on a single signature line, the authorization would be void, and any provider receiving the bundled form should refuse to release records. The American Health Lawyers Association routinely flags this as a top issue in its release-of-information training.

Example 3: Aaliyah, the Marketing Target

Aaliyah visits a dermatology clinic for an acne consultation. The new-patient packet includes a treatment consent, a financial agreement, and a marketing authorization for a partner skincare brand.

If all three are on one signature line, the marketing authorization is void and the clinic has violated the compound authorization rule. If the marketing authorization is on its own page with its own signature, Aaliyah can lawfully opt in to marketing without losing her right to treatment.

The clinic also cannot condition the consultation on Aaliyah’s marketing consent. That would violate § 164.508(b)(4) and could trigger an OCR complaint.

Combining With Specific Document Types

Different documents raise different questions. The analysis below walks through the most common pairings that come up in clinical, legal, and research settings.

Powers of Attorney and Advance Directives

A durable power of attorney for health care or an advance directive may reference a HIPAA Authorization, but it should not contain the authorization on the same signature line. Many state forms, including the California Advance Health Care Directive, include a separate HIPAA-style release section.

The cleanest practice is to draft the power of attorney with its own signature, then attach a stand-alone HIPAA Authorization that names the agent as the recipient of PHI. This avoids the compound authorization issue entirely.

A common misconception is that an agent under a power of attorney is automatically a “personal representative” under HIPAA. The agent often is, under 45 CFR § 164.502(g), but only when state law gives the agent authority to make health care decisions.

Settlement Agreements and Releases

A litigation settlement agreement often contains a release of claims, a confidentiality clause, and a request for medical records. Combining a HIPAA Authorization with the settlement on a single signature line creates a compound authorization that is void.

The fix is the same as in the personal injury example. Put the HIPAA Authorization on a separate page with its own signature, and reference it in the settlement agreement by exhibit.

A common misconception is that a court order embedded in a settlement waives the HIPAA Authorization requirement. It can, under § 164.512(e), but only if the order itself meets the regulation’s specificity test.

Employment and FMLA Forms

An employer that requests medical certification under the Family and Medical Leave Act is not a covered entity, and FMLA forms are not HIPAA Authorizations. Still, when the employer asks the employee to sign a release sent to the employee’s doctor, the doctor must treat that release like any other HIPAA Authorization.

If the employee’s release is bundled with the FMLA certification on a single signature line, the doctor should refuse the request because the authorization may be a compound authorization. The DOL FMLA forms keep the certification and the medical release on separate pages for this reason.

A common misconception is that the Americans with Disabilities Act requires the employee to sign whatever release the employer sends. It does not, and the ADA’s confidentiality rules add another layer of protection.

Subpoenas and Court Orders

A subpoena alone does not authorize a covered entity to release PHI under § 164.512(e). The covered entity needs either a court order, a HIPAA-compliant authorization signed by the patient, or “satisfactory assurances” that the patient was notified.

A subpoena should never be combined with a HIPAA Authorization signed by the patient on the same page. The two serve different purposes, and the bundling muddies the analytical path the covered entity must follow.

A common misconception is that an attorney-issued subpoena equals a court order. It does not, and the HHS guidance on subpoenas is explicit on this point.

State Law Overlays

State law often adds layers of protection on top of HIPAA. When state law is more protective, it controls under the HIPAA preemption rule at 45 CFR Part 160 Subpart B. The result is that compound authorization rules can be even stricter at the state level.

The consequence of ignoring state law is double exposure: an OCR penalty under federal law and a private right of action or state attorney general action under state law. California, New York, and Texas are the most active enforcers.

A common misconception is that HIPAA replaces state privacy law. It does not. HIPAA sets a federal floor, and state law builds on top of it.

California’s CMIA

The California Confidentiality of Medical Information Act (CMIA) requires its own consent for disclosures, and it allows a private right of action. A CMIA authorization can be combined with a HIPAA Authorization, but the document must satisfy both sets of elements.

The consequence of skipping the CMIA elements is statutory damages of $1,000 per violation plus actual damages. A class action over a faulty bundled form can reach into the millions.

A common misconception is that a CMIA authorization is automatically HIPAA-compliant. It is not, and many California hospitals use a “stacked” authorization that meets both regimes.

New York’s Mental Hygiene Law

New York Mental Hygiene Law § 33.13 protects mental health records with extra force. A New York provider cannot combine a mental health authorization with a general medical authorization because state law treats mental health records as a separate category.

The consequence of bundling is a state-level violation that is independent of HIPAA. New York’s Office of Mental Health publishes its own confidentiality guidance for providers.

A common misconception is that the federal psychotherapy notes rule covers all of New York’s mental health records. It does not, and Mental Hygiene Law § 33.13 is broader.

42 CFR Part 2 (Substance Use Disorder Records)

42 CFR Part 2 governs records from federally assisted substance use disorder programs. The rule has its own consent requirements, and a Part 2 consent cannot be combined with a regular HIPAA Authorization on the same signature line.

The 2024 final rule from SAMHSA aligning Part 2 with HIPAA softened some restrictions, but the core compound authorization prohibition remains. A bundled Part 2 form is void.

A common misconception is that the 2024 alignment lets providers treat Part 2 records like ordinary PHI. It does not, and disclosure for litigation still requires a court order or specific consent.

Texas Medical Records Privacy Act

The Texas Medical Records Privacy Act covers any person who handles PHI in Texas, even if the person is not a HIPAA covered entity. Texas authorizations can be combined with HIPAA Authorizations, but the document must include the Texas-specific notice of disclosure for marketing.

The consequence of missing the Texas notice is a state penalty up to $5,000 per violation, plus mandatory training. The Texas Attorney General has been active in enforcement.

A common misconception is that Texas only regulates Texas-licensed entities. The statute reaches anyone who receives PHI in Texas, including out-of-state vendors.

Mistakes to Avoid

Compound authorization mistakes are easy to make and hard to undo. Each mistake below is paired with a real consequence so the stakes are clear.

• Stapling forms together on a single signature line, which voids the entire authorization under § 164.508(b)(3)
• Combining marketing with treatment consent, which voids the marketing portion and triggers an OCR complaint
• Bundling psychotherapy notes with general medical records authorization, which voids the psychotherapy notes release
• Conditioning treatment on signing the authorization, which violates § 164.508(b)(4) and exposes the entity to penalties
• Forgetting the optional opt-in box for future research, which voids the optional research authorization
• Skipping the revocation statement, which makes the authorization void on its face
• Using vague descriptions of PHI, like “all records,” which fails the specificity element in some states such as New York
• Failing to add the Texas marketing notice for Texas patients, which leads to a state penalty up to $5,000
• Treating the Notice of Privacy Practices acknowledgment as an authorization, which leaves the entity without a valid form
• Ignoring state law preemption, which leads to double exposure under HIPAA and state law

Do’s and Don’ts

The list below is short, but each item answers a real question that comes up in compliance audits.

Do’s

• Do separate the HIPAA Authorization onto its own page when bundling with non-research documents
• Do use distinct signature lines for required and optional research components
• Do include all six core elements and three required statements in every authorization
• Do check state law before drafting any authorization, especially in California, New York, and Texas
• Do train front-desk staff on the conditioning prohibition under § 164.508(b)(4)

Don’ts

• Don’t combine a psychotherapy notes authorization with anything except another psychotherapy notes authorization
• Don’t bundle a marketing authorization with a treatment consent or financial agreement
• Don’t condition appointments or care on signing a non-treatment authorization
• Don’t use a Notice of Privacy Practices acknowledgment as a substitute for an authorization
• Don’t rely on a subpoena alone without checking § 164.512(e)

Pros and Cons of Combining Documents

Combining documents has real benefits and real risks. The summary below tracks both sides.

Pros

• Combined consent forms reduce signature fatigue and improve patient understanding
• Researchers save time at enrollment by using a single combined consent under § 164.508(b)(3)(i)
• A single document creates a single audit trail for IRB and OCR review
• Combined forms support patient-centered communication when drafted in plain language
• A clean combined form reduces the risk of lost paperwork during multi-site research

Cons

• Combined forms increase the risk of compound authorization violations when drafted poorly
• Patients may sign a long combined form without reading, which weakens informed consent
• A void compound authorization triggers breach notification and OCR penalties
• State law overlays can make a combined form non-compliant in one state but valid in another
• Drafting a compliant combined form requires legal review and IRB approval, which adds cost

Key Entities to Know

A few organizations and concepts come up again and again in this analysis. Knowing what each one does makes the rest of the rules easier to follow.

The Office for Civil Rights (OCR) inside HHS enforces HIPAA. OCR publishes guidance, investigates complaints, and signs resolution agreements with covered entities that violate the rules.

The Office for Human Research Protections (OHRP) inside HHS enforces the Common Rule. OHRP works closely with Institutional Review Boards (IRBs) at academic medical centers and hospitals.

The Substance Abuse and Mental Health Services Administration (SAMHSA) enforces 42 CFR Part 2. SAMHSA’s 2024 final rule aligned Part 2 more closely with HIPAA but kept the compound authorization prohibition intact.

The Federal Trade Commission (FTC) enforces the Health Breach Notification Rule for entities not covered by HIPAA. The FTC’s 2024 enforcement actions against GoodRx and BetterHelp show how non-HIPAA entities still face federal privacy enforcement.

Recap of Key Rulings and Enforcement Actions

OCR resolution agreements and federal court rulings shape how the compound authorization rule is read in practice. A few are worth remembering.

The Anthem 2018 resolution agreement for $16 million is the largest HIPAA settlement in history. The agreement focused on a breach, but it set the modern baseline for OCR penalties.

The Memorial Hermann Health System resolution agreement of 2017 for $2.4 million addressed an unauthorized disclosure that flowed from a faulty release process. The case is often cited in compound authorization training.

The Cignet Health civil money penalty of 2011 for $4.3 million was the first HIPAA civil money penalty issued by OCR. It involved patient access denials, which often start with a faulty authorization process.

Step-by-Step Guide to Drafting a Compliant Combined Document

The drafting process is methodical. Each step below is one decision, and each decision has its own consequence if skipped.

Step 1: Identify the Purpose

Identify whether the disclosure is for treatment, payment, operations, marketing, sale, or research. Each purpose has its own rules under § 164.508.

The consequence of misclassifying the purpose is that the wrong elements appear in the form. A marketing form missing the marketing-specific statements is void.

A common misconception is that “research” includes quality improvement. It usually does not, and quality improvement falls under operations.

Step 2: Confirm the Combination Is Allowed

Check whether the combination is permitted under § 164.508(b)(3). If not, separate the authorization onto its own page.

The consequence of skipping this step is a compound authorization violation. The fix is structural, not cosmetic.

A common misconception is that the rule is about the physical document. It is about legal permissions, and a single PDF can hold two physically separate authorizations.

Step 3: Include Every Required Element

Include the six core elements and the three required statements. Then add any state-specific elements such as the Texas marketing notice.

The consequence of missing an element is a void authorization on its face. The fix is a checklist used by every drafter.

A common misconception is that “all medical records” satisfies the description-of-PHI element everywhere. It does not, and stricter states require category-by-category descriptions.

Step 4: Add Distinct Signature Lines for Optional Components

Add a separate opt-in checkbox or initial line for any optional component. Optional means anything the patient can refuse without losing access to the main service.

The consequence of skipping this step is a void optional authorization. The main authorization may still stand.

A common misconception is that initials alone are not a signature. Initials work for opt-in boxes if the document explains their effect.

Step 5: Submit to IRB or Privacy Officer

Submit the draft to the IRB for research or to the Privacy Officer for clinical operations. Both reviewers should compare the form against the regulation and against state law.

The consequence of skipping this step is a faulty form put into circulation. The fix is internal review before any patient ever signs.

A common misconception is that IRB approval cures any HIPAA defect. It does not, and OCR investigates HIPAA issues independent of the IRB.

FAQs

Can a HIPAA Authorization be combined with a general consent to treat?

No. A general consent to treat is a treatment consent, and combining it with a HIPAA Authorization on a single signature line creates a compound authorization that is void under § 164.508(b)(3).

Can a HIPAA Authorization be combined with a Common Rule informed consent for the same study?

Yes. The 2013 Omnibus Rule expressly permits this combination as long as both regulatory checklists are satisfied within the single document.

Can two HIPAA Authorizations for the same research study be combined?

Yes. § 164.508(b)(3)(i) allows two research authorizations to share a document, but optional components need their own opt-in.

Can a psychotherapy notes authorization be combined with another authorization?

No. A psychotherapy notes authorization may only be combined with another psychotherapy notes authorization under § 164.508(b)(3)(ii).

Can a HIPAA Authorization be conditioned on receiving treatment?

No. Conditioning is barred under § 164.508(b)(4), except for narrow research, underwriting, and pre-employment contexts.

Can a hospital admission packet contain a HIPAA Authorization?

Yes. A packet may include a HIPAA Authorization if the authorization is on its own page with its own signature, and not combined with treatment or financial consents.

Can a HIPAA Authorization be combined with a personal injury retainer?

No. A retainer should not share a signature line with a HIPAA Authorization, because doing so creates a compound authorization that voids the release of records.

Can a power of attorney include HIPAA release language?

Yes. A power of attorney can reference HIPAA, but the cleanest approach is to attach a stand-alone authorization that meets every element of § 164.508(c).

Can a 42 CFR Part 2 consent be combined with a HIPAA Authorization?

No. Part 2 records require their own consent under the SAMHSA 2024 final rule, and bundling with a HIPAA Authorization on one signature line is prohibited.

Can a marketing authorization be combined with a treatment consent?

No. Marketing and treatment serve opposing interests, and combining them creates a void authorization plus a possible conditioning violation.

Can a HIPAA Authorization be combined with a settlement agreement?

No. A settlement should reference the HIPAA Authorization as an exhibit, not embed it on a shared signature line, to avoid a compound authorization problem.

Can a HIPAA Authorization be revoked after it is signed?

Yes. Patients may revoke at any time in writing under § 164.508(b)(5), except to the extent the covered entity has already acted on it.

Can state law require more than HIPAA for a combined authorization?

Yes. State law often adds elements, and stricter state law preempts HIPAA under 45 CFR Part 160 Subpart B, as seen in California, New York, and Texas.