The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Release Form

To respect HIPAA compliance rules, a signed HIPAA release form must be obtained from a patient before their protected health information can be shared with other individuals or organizations, except in the case of routine disclosures for treatment, payment or healthcare operations permitted by the HIPAA Privacy Rule. Releasing medical records without a HIPAA authorization form is a HIPAA violation.

Click here for HIPAA release form

(free PDF document – Opens directly in the browser)

Two States have their own forms

Click here for California HIPAA release form

Click here for Texas HIPAA release form

Summary of the HIPAA Privacy Rule

The HIPAA Privacy Rule (45 CFR §164.500-534) became effective on April 14, 2001. The primary purpose of the HIPAA Privacy Rule is to ensure the privacy of patients is protected while allowing health data to flow freely between authorized individuals for certain healthcare activities.

The HIPAA Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities) to use and disclose individually identifiable protected health information without an individual’s consent for treatment, payment, and healthcare operations. In all cases, when individually identifiable protected health information needs to be disclosed, it must be limited to the ‘minimum necessary information’ to achieve the purpose for which the information is disclosed.

The Privacy Rule also gives patients the right to access the health data created, stored, or maintained by their healthcare providers. Patients are permitted to obtain the data in a covered entity’s designated data set – a group of records maintained by the covered entity that is used to make decisions about a patient’s healthcare. Patients are also permitted to amend certain information held by a covered entity if it is discovered to be incorrect. Such requests should be obtained from a patient in writing.

Covered entities are not required to obtain consent from patients for routine disclosures for treatment, payment or healthcare operations, although some covered entities still choose to do so. This provides them with an additional level of protection in the event of a privacy complaint or audit.

Such authorizations detail when protected health information will be used by the covered entity, the entities to which that information will be disclosed, and the circumstances under which information will be used and disclosed. Essentially, such an authorization duplicates much of what is detailed in a covered entity’s Notice of Privacy Practices.

When is a HIPAA Authorization to Release Medical Information Form Required?

A HIPAA release form must be obtained from a patient before their protected health information is disclosed for any purpose other than those detailed in 45 CFR §164.506. The disclosures that require an authorization are specifically covered in 45 CFR §164.508 and summarized below:

  • Prior to the disclosure of PHI to a third party for reasons other than the provision of treatment, payment or other standard healthcare operations (e.g., disclosing information to an insurance underwriter)
  • Prior to PHI being used for marketing or fund-raising purposes
  • Prior to PHI being provided to a research organization
  • Prior to psychotherapy notes being disclosed
  • Prior to the sale of PHI or sharing that involves remuneration

What Information Should be Detailed on a HIPAA Release Form?

A HIPAA-compliant release form must, at the very least, contain the following information:

  • A description of the information that will be used/disclosed
  • The purpose for which the information will be disclosed
  • The name of the person or entity to whom the information will be disclosed
  • An expiration date or expiration event when consent to use/disclose the information is withdrawn. For example, an expiration event may be when a research study is completed
  • A signature and date that the authorization is signed by an individual or an individual’s representative. If a representative is signing the form, the relationship with the patient must be detailed along with a description of the representative’s authority to act on behalf of the patient.

The HIPAA release form must also include statements that advise the individual of:

  • Their right to revoke their authorization
  • Any exceptions to the individual’s right to revoke the authorization
  • Details of how the authorization can be revoked
  • To the extent that an individual’s right to revoke authorization is included in the notice required by § 164.520 (Notice of Privacy Practices)
  • That the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization
  • That there is potential for information disclosed under the terms of the authorization to be redisclosed by the recipient and no longer protected by 45 CFR Part 164, Subpart E

A HIPAA release form must be written in plain language and a copy of the signed form should be provided to the patient.

HIPAA Release Form FAQs

What is a HIPAA release form?

A HIPAA release form is a document that – when signed – allows healthcare providers to share a patient’s protected health information (PHI) with specified individuals or organizations, according to the details stipulated in the form. The details usually consist of what PHI is being shared, why it is being shared, who it is being shared with, and – if applicable – for how long it is being shared.

When is a HIPAA release form necessary?

A HIPAA release form is necessary whenever PHI is used or disclosed for a purpose not specifically required or permitted by the Privacy Rule. Healthcare providers may also use a HIPAA release form to document patient consent for disclosure of PHI in which the patient should be given the opportunity to agree or object to the disclosure (45 CFR §164.510).

Who should sign a HIPAA release form?

The patient should sign the HIPAA release form unless they are a minor or incapable of signing the form. In cases where the patient is a minor or incapable of signing the HIPAA release form, a parent, guardian, or other person acting in loco parentis can sign the form on behalf of a minor, while a personal representative can sign the form in other circumstances.

Can a HIPAA authorization be revoked?

A HIPAA authorization can be revoked at any time by the patient or their personal representative. The revocation must be in writing and should take effect immediately unless a covered entity has already taken an action based on the initial authorization that cannot be reversed, or unless the authorization was obtained as a condition of obtaining insurance coverage.

It is important to note that, if the initial authorization permitted a covered entity to use a patient’s PHI in (for example) a social media marketing campaign, the covered entity has no control over how PHI is used or disclosed once it is in the public domain. Patients should be made aware of this prior to signing an authorization because, even if the covered entity deletes any social media posts containing the patient’s PHI, the covered entity is incapable of preventing further disclosures.

How long is a HIPAA authorization valid?

A HIPAA authorization is valid until a patient or their personal representative revokes it unless an expiry date is included in the initial authorization form. In the event of PHI being disclosed for research purposes, the expiry date may be entered as “at the conclusion of the research study” or “at the request of the patient”. In most other cases, the field is completed with the word “none”.

Is a digital signature valid on a HIPAA release form?

Digital signatures are valid on a HIPAA release form as long as they comply with the requirements of the Electronic Signatures in Global and National Commerce Act. HHS is currently proposing the use of digital signatures on some electronic transactions, and the standards in this proposed rule may – in the future – be extended to cover digital signatures on HIPAA release forms.
