HIPAA Release Forms: What They Are and Tips for Creating One + Template

October 19, 2023

Author: Anna Fitzgerald, Senior Content Marketing Manager at Secureframe

Reviewer: Cavan Leung, Senior Compliance Manager at Secureframe

The HIPAA Privacy Rule is a federal law that regulates the use and disclosure of protected health information (PHI). It’s designed to ensure that PHI is protected from unauthorized access, but can be shared to promote high-quality healthcare.

While covered entities may use or disclose PHI for treatment and other purposes without the patient’s authorization, there are specific purposes for which authorization is required under the HIPAA Privacy Rule. In those cases, they’ll need the patient to sign a HIPAA release form.

Let’s take a closer look at what that is and when it’s required below.

What is a HIPAA release form?

A HIPAA release form, also known as a HIPAA authorization or HIPAA consent form, is a legal document signed by an individual to grant permission for their protected health information (PHI) to be used by authorized individuals at covered entities for specific purposes other than treatment, payment, and health care operations, or to be disclosed to specific individuals or entities.

When are HIPAA release forms required?

Covered entities are required to obtain patient authorization for uses and disclosures of protected health information for specific purposes, generally other than treatment, payment, and health care operations, or to disclose protected health information to a third party specified by the individual.

Healthcare providers, insurance companies, family members, and other individuals and organizations may need an individual to sign a HIPAA release form in order to access their medical records or discuss their health information.

For example, for a provider or health plan to engage in marketing to individuals, those individuals must have signed a release form permitting the use or disclosure of their protected health information for marketing communications. (There are only two exceptions: one, if the communication occurs in a face-to-face encounter between the covered entity and the individual, or two, if the communication involves a promotional gift of nominal value.)

When are HIPAA release forms not required?

Under the HIPAA Privacy Rule, covered entities are permitted — but not required — to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. 

For example, doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities can use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization.

What is required on a HIPAA release form?

HIPAA has specific requirements for the content of a release form, including:

  • Description of the information to be used and disclosed: The form must specify what specific information can be used and disclosed. It can be broad, allowing access to all medical records, or narrow, granting access only to specific information or for a limited period.
  • The authorized person who can use or disclose the information: The form must specify who the person authorized to make the use or disclosure is.
  • To whom it can be disclosed: A release form must also specify the names of the individuals or entities to whom the authorized individual at the covered entity may disclose the information.
  • Purpose of the disclosure: In some cases, the form must specify the purpose for which the information may be used or disclosed.
  • Patient's signature: It is essential for the patient to voluntarily sign the HIPAA release form. This means that they understand what information is being shared and with whom.
  • Expiration date: The release form must contain an expiration date or event triggering the end of the authorization that relates to the individual or the purpose of the use or disclosure. This ensures that the permission granted is only valid for a specified period (unless effectively revoked in writing by the individual before that date or event).
  • Revocation rights: The form should include statements advising patients of their right to revoke their authorization at any time, in writing. This means they can stop the sharing of their medical information by notifying the covered entity. Any exceptions to this right should be detailed. 

Keep in mind that the specific requirements and processes for using HIPAA release forms may vary depending on state laws and the policies of healthcare providers and organizations.

How do I fill out a HIPAA release form?

You want to make it as simple as possible for patients to fill out a HIPAA release form. Follow the steps below to create a basic HIPAA release form that’s easy for patients to understand and fill out. You can also download the template to get started. 

1. Provide instructions

To start, provide instructions that will guide the patient through the process of filling out the form. You may include specific information about what to include on the form based on applicable state laws or the policies of your organization.

Here’s an example: Please complete all sections of this HIPAA release form with accurate and up-to-date information. If any sections are inaccurate, out-of-date, or left blank, this form will be invalid and it will not be possible for your health information to be used or disclosed as requested. 

2. Name the patient and individual authorized to use or disclose their PHI

Include a statement where the patient can authorize the individual or covered entity to use or disclose their PHI. You may leave the field for the patient name blank and require them to print their name.

Here’s an example:

I,_____________________________________________, hereby authorize [NAME OF INDIVIDUAL OR COVERED ENTITY] to share the information listed below with the person(s) or organization(s) I have specified in [SECTION NO.] in this document.

3. Describe the information

Next, specify the types of information you are requesting authorization to use or disclose. You can be specific (e.g., medical history, treatment records, laboratory results) or broad (e.g., all medical records). You may use checkboxes for this section to make it as easy and fast as possible for patients to fill out. 

Here’s an example:

I permit the above individual or covered entity to:

  • Disclose my entire health record.
  • Disclose my entire health record except for the following information [check any of the following]:
    Mental health records or psychotherapy notes

4. Specify recipients

Next, provide a section where the patient can identify the individuals or entities to whom they are permitting disclosures of their PHI. This could be healthcare providers, family members, insurance companies, or any other organization that needs access to their medical records. 

Instruct patients to include their names and contact information.

Here’s an example:

I give authorization for the health information detailed above in this document to be disclosed to the following individual(s) or organization(s):

Name: ________________________________________________________________

Organization: ________________________________________________________________

Address: ________________________________________________________________

5. Specify the purpose of disclosure

You may also provide a section prompting the patient to indicate the purpose for which the information will be used or disclosed. An example might be sharing information with a family member for caregiving purposes. Tell the patient what to write if they do not wish to provide the purpose. You can also use checkboxes for this section.

Here’s an example:

Purpose of request: 

  • At my request
  • Dispute
  • Referral
  • Other (Specify): _____________

6. Specify the time period

Specify the time frame during which the authorization is valid. This can be a one-time release, a specific date range, or an ongoing authorization. 

Here’s an example:

This authorization to share my health information is valid from ___________________ to ___________________.

7. Detail their revocation rights

Include statements advising patients of their right to revoke their authorization at any time.

Here’s an example:

I understand that I am permitted to revoke this authorization to share my health data at any time and can do so by submitting a request in writing to:

[NAME]

[ORGANIZATION]

[ADDRESS]

I understand that:

  • In the event that my information has already been shared by the time my authorization is revoked, it may be too late to cancel permission to share my health data.
  • I understand that I do not need to give any further permission for the information detailed in [SECTION NO.] to be shared with the person(s) or organization(s) listed in section
  • I understand that the failure to sign/submit this authorization or the cancellation of this authorization will not prevent me from receiving any treatment or benefits I am entitled to receive, provided this information is not required to determine if I am eligible to receive those treatments or benefits or to pay for the services I receive. 

8. Obtain the patient’s signature

Leave fields for the patient to sign and date the form. This indicates their informed and voluntary consent to release their PHI. 

HIPAA release form PDF

Download this PDF to get a general template of a HIPAA release form. Customize it to match the specific requirements and language of your unique organization and policies. 

Need help getting HIPAA compliant?

To verify and maintain your organization’s HIPAA compliance, consider using security and compliance software like Secureframe. Secureframe’s platform and team of HIPAA compliance experts can help streamline your annual HIPAA audits, keep you compliant, and protect you from potential HIPAA violation fines.

For more information on how Secureframe can help you achieve and maintain HIPAA compliance, request a demo.

FAQs

What is a HIPAA release form?

A HIPAA release form is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

Why are HIPAA release forms important?

HIPAA release forms are important tools for maintaining patient privacy while allowing for necessary sharing of medical information for treatment, payment, or other healthcare operations.

They help ensure that healthcare providers and organizations comply with the law and protect patients' sensitive health data.

When is patient authorization required by the HIPAA Privacy Rule?

Patient authorization is required to use or disclose PHI for a purpose not specifically required or permitted by the HIPAA Privacy Rule, which is generally other than treatment, payment, or health care operations.

Does a HIPAA release form need to be notarized?

The Privacy Rule does not require that a HIPAA release form be notarized. However, some states or healthcare providers may require it to validate the authenticity of the patient’s signature. Check the instructions or local regulations to determine if this is necessary.

What happens if I decline HIPAA authorization?

If you do not sign a HIPAA release form, then your PHI cannot be used or disclosed for the purpose or to the individuals or entities specified in that form.