HIPAA Authorization Form: Release of Medical Records

What is a HIPAA Authorization Form?

A HIPAA authorization form is a legal document that gives a covered entity (healthcare provider, health plan, or healthcare clearinghouse) permission to use or disclose a patient's protected health information (PHI) for purposes beyond treatment, payment, or healthcare operations. Under the Health Insurance Portability and Accountability Act (HIPAA), patients have the right to control who sees their medical information.

When is a HIPAA Authorization Required?

An authorization is required when:

• Secondary use requests: A patient wants their records sent to an insurance company, employer, or third party
• Research participation: Medical records are needed for clinical trials or research studies
• Legal matters: An attorney or court requests medical records
• Family or friend access: A patient wants someone else to receive copies of their records
• Life insurance: Records are needed for underwriting purposes
• Workers' compensation: Occupational injury records are requested by insurers

An authorization is NOT required for:

• Treatment, payment, or healthcare operations
• Court-ordered disclosures (subpoenas)
• Public health activities (disease reporting)
• Law enforcement requests (limited circumstances)
• Abuse/neglect reporting

Required Elements (45 CFR 164.508)

A valid HIPAA authorization must include:

1. Specific Description of Information to Release

• Names of specific conditions or dates of service
• Example: "All records related to orthopedic surgery performed on [date]"
• Avoid vague language like "all medical records"

2. Recipient Information

• Full name and address of the person/organization receiving the records
• Be specific if multiple providers are involved

3. Purpose of Disclosure

• State the specific reason for releasing information
• Example: "For independent medical evaluation for workers' compensation claim"
• Cannot be open-ended ("for any purpose")

4. Expiration Date or Event

• Must specify when authorization expires
• Can be date-specific (e.g., "December 31, 2026") or event-specific (e.g., "upon completion of legal proceedings")
• If no expiration, authorization may still be valid but should have a reasonable timeframe

5. Patient Statement

• Must include language stating the patient understands they can revoke the authorization
• Example: "I understand I may revoke this authorization at any time by providing written notice to the healthcare provider"

6. Signature and Date

• Patient's signature (or legal representative if patient lacks capacity)
• Parent/guardian for minors (varies by state)
• Date must be included

7. Authorization Validity

• Statement that authorization is valid even if patient refuses treatment

Step-by-Step Guide to Completing a HIPAA Authorization

Step 1: Gather Information

• Patient name, date of birth, and medical record number
• Specific dates or conditions related to records needed
• Complete contact information for recipient

Step 2: Choose the Right Type

• Standard authorization: For routine record releases
• Psychotherapy notes: Requires separate authorization
• Substance abuse records: May require special authorization under 42 CFR Part 2

Step 3: Complete Required Fields

Fill in all required sections with specific, clear information:

Patient Name: [Full Legal Name]
Date of Birth: [MM/DD/YYYY]
Medical Record Number: [if applicable]

I authorize [Provider Name] to disclose the following health information:
- Specific records: [describe dates/conditions]
- Record type: [medical records, lab results, imaging, etc.]

To: [Recipient Name and Organization]
Address: [Complete Mailing Address]

For the purpose of: [State specific purpose]

This authorization will expire on: [Date or event]

Step 4: Review for Accuracy

• Verify all names are spelled correctly
• Confirm dates are accurate
• Check that purpose is specific and appropriate
• Ensure expiration date is reasonable

Step 5: Sign and Date

• Patient must sign and date in original ink (or electronic signature if provider accepts)
• Obtain witness signature if required by state law
• Keep a copy for your records

Step 6: Submit

• Provide to the healthcare provider maintaining the records
• Keep a copy for your file
• Allow 10-30 business days for processing

Common Scenarios

Scenario 1: Releasing Records to an Attorney

Purpose: Legal representation in personal injury claim Required: Specific incident date, clear statement that purpose is legal proceedings Tip: Attorney's office will often provide their own authorization form

Scenario 2: Medical Records for Employment

Purpose: Employer requires medical clearance Required: Specific limitations on what employer can see (some providers may redact certain information) Tip: Be specific about what information is necessary

Scenario 3: Records for Second Opinion

Purpose: Consultation with specialist Recipient: New physician's name and address Tip: May be able to use more informal authorization if new physician will request directly

Scenario 4: Insurance Company Disclosure

Purpose: Health insurance underwriting or claims processing Required: Insurance company name and claim number Tip: Often insurance companies will provide their own form

Patient Rights Under HIPAA

Right to Access

• You can request copies of your medical records

Right to Amend

• You can request corrections to inaccurate information

Right to Revoke

• You can cancel an authorization at any time by written request
• Revocation does not apply to disclosures already made

Right to Accounting of Disclosures

• You can request a list of who has accessed your records

Right to Confidentiality

• Your medical information must be kept private
• Providers must use minimum necessary standard

What NOT to Do

• Don't authorize blanket releases: Avoid "all information" authorizations without limiting to specific records
• Don't use indefinite expiration dates: Set reasonable timeframes (typically 1-2 years)
• Don't rely on verbal permission: Must be in writing per HIPAA
• Don't share your authorization: Each disclosure requires separate authorization
• Don't ignore your copies: Keep copies of all authorizations for your records

Processing Timeline

Timeline	Typical
Simple requests	5-10 business days
Standard requests	10-30 business days
Complex records	30-60 business days
Emergency requests	1-2 business days (call provider directly)

Fees

Healthcare providers can charge reasonable fees for copying records:

• Typically $0.25-$1.00 per page for copies
• Actual postage costs
• Some providers waive fees for electronic copies
• Request fee estimate before authorizing release

FAQ

Q: How long is a HIPAA authorization valid? A: The authorization remains valid until the specified expiration date or event. You should update authorization every 1-2 years for ongoing needs.

Q: Can I revoke an authorization? A: Yes. Write to the healthcare provider and request revocation. It takes effect immediately for future disclosures, but doesn't affect past ones.

Q: What if the provider won't sign my authorization? A: They may require their own form or need clarification on the purpose. Ask what specific information they need modified.

Q: Who can sign for a minor's authorization? A: Parents or legal guardians can sign. Some states allow minors to authorize their own treatment at certain ages.

Q: Can I authorize someone to pick up my records? A: Yes, but the recipient may need to show ID and authorization. Include recipient's name and relationship on the form.

Q: Are electronic authorizations valid? A: Yes, if the provider accepts electronic signatures. Use DocuSign, Adobe Sign, or platform provided by the healthcare provider.

Q: What's the difference between authorization and consent? A: Consent is for treatment; authorization is for releasing information to third parties.