HIPAA Release Forms: What They Are and Tips for Creating One + Template
The HIPAA Privacy Rule is a federal law that regulates the use and disclosure of protected health information (PHI). It’s designed to ensure that PHI is protected from unauthorized access, but can be shared to promote high-quality healthcare.
While covered entities may use or disclose PHI for treatment and other purposes without the patient’s authorization, there are specific purposes for which authorization is required under the HIPAA Privacy Rule. In those cases, they’ll need the patient to sign a HIPAA release form.
Let’s take a closer look at what that is and when it’s required below.
What is a HIPAA release form?
A HIPAA release form, also known as a HIPAA authorization or HIPAA consent form, is a legal document signed by an individual to grant permission for their protected health information (PHI) to be used by authorized individuals at covered entities for specific purposes other than treatment, payment, and health care operations, or to be disclosed to specific individuals or entities.
What is required on a HIPAA release form?
HIPAA has specific requirements for the content of a release form, including:
- Description of the information to be used and disclosed: The form must specify what specific information can be used and disclosed. It can be broad, allowing access to all medical records, or narrow, granting access only to specific information or for a limited period.
- The authorized person who can use or disclose the information: The form must name the person authorized to make the use or disclosure.
- To whom it can be disclosed: A release form must also specify the names of the individuals or entities to whom the authorized individual at the covered entity may disclose the information.
- Purpose of the disclosure: In some cases, the form must specify the purpose for which the information may be used or disclosed.
- Patient's signature: It is essential for the patient to voluntarily sign the HIPAA release form. Their signature indicates that they understand what information is being shared and with whom.
- Expiration date: The release form must contain an expiration date or event triggering the end of the authorization that relates to the individual or the purpose of the use or disclosure. This ensures that the permission granted is only valid for a specified period (unless effectively revoked in writing by the individual before that date or event).
- Revocation rights: The form should include statements advising patients of their right to revoke their authorization at any time, in writing. This means they can stop the sharing of their medical information by notifying the covered entity. Any exceptions to this right should be detailed.
Keep in mind that the specific requirements and processes for using HIPAA release forms may vary depending on state laws and the policies of healthcare providers and organizations.
HIPAA release form PDF
Download this PDF to get a general template of a HIPAA release form. Customize it to match the specific requirements and language of your unique organization and policies.
When are HIPAA release forms required?
Covered entities are required to obtain patient authorization for uses and disclosures of protected health information for specific purposes, generally other than treatment, payment, and health care operations, or to disclose protected health information to a third party specified by the individual.
Healthcare providers, insurance companies, family members, and other individuals and organizations may need an individual to sign a HIPAA release form in order to access their medical records or discuss their health information.
For example, for a provider or health plan to engage in marketing to individuals, those individuals must have signed a release form permitting the use or disclosure of their protected health information for marketing communications. (There are only two exceptions: one, if the communication occurs in a face-to-face encounter between the covered entity and the individual, or two, if the communication involves a promotional gift of nominal value.)
When are HIPAA release forms not required?
Under the HIPAA Privacy Rule, covered entities are permitted — but not required — to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations.
For example, doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities can use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization.
How do I fill out a HIPAA release form?
You want to make it as simple as possible for patients to fill out a HIPAA release form. Follow the steps below to create a basic HIPAA release form that’s easy for patients to understand and fill out. You can also download the template to get started.
1. Provide instructions
To start, provide instructions that will guide the patient through the process of filling out the form. You may include specific information about what to include on the form based on applicable state laws or the policies of your organization.
Here’s an example: Please complete all sections of this HIPAA release form with accurate and up-to-date information. If any sections are inaccurate, out-of-date, or left blank, this form will be invalid and it will not be possible for your health information to be used or disclosed as requested.
2. Name the patient and individual authorized to use or disclose their PHI
Include a statement in which the patient authorizes the named individual or covered entity to use or disclose their PHI. You may leave the field for the patient name blank and require them to print their name.
Here’s an example:
I, _____________________________________________, hereby authorize [NAME OF INDIVIDUAL OR COVERED ENTITY] to share the information listed below with the person(s) or organization(s) I have specified in [SECTION NO.] in this document.
3. Describe the information
Next, specify the types of information you are requesting authorization to use or disclose. You can be specific (e.g., medical history, treatment records, laboratory results) or broad (e.g., all medical records). You may use checkboxes for this section to make it as easy and fast as possible for patients to fill out.
Here’s an example:
I permit the above individual or covered entity to:
- Disclose my entire health record.
- Disclose my entire health record except for the following information [check any of the following]:
  - Mental health records or psychotherapy notes
4. Specify recipients
Next, provide a section where the patient can identify the individuals or entities to whom they are permitting disclosures of their PHI. This could be healthcare providers, family members, insurance companies, or any other organization that needs access to their medical records.
Instruct patients to include their names and contact information.
Here’s an example:
I give authorization for the health information detailed above in this document to be disclosed to the following individual(s) or organization(s):
Name: ________________________________________________________________
Organization: ________________________________________________________________
Address: ________________________________________________________________
5. Specify the purpose of disclosure
You may also provide a section prompting the patient to indicate the purpose for which the information will be used or disclosed. An example might be sharing information with a family member for caregiving purposes. Tell the patient what to write if they do not wish to provide the purpose. You can also use checkboxes for this section.
Here’s an example:
Purpose of request:
- At my request
- Dispute
- Referral
- Other (Specify): _____________
6. Specify the time period
Specify the time frame during which the authorization is valid. This can be a one-time release, a specific date range, or an ongoing authorization.
Here’s an example:
This authorization to share my health information is valid from ___________________ to ___________________.
7. Detail their revocation rights
Include statements advising patients of their right to revoke their authorization at any time.
Here’s an example:
I understand that I am permitted to revoke this authorization to share my health data at any time and can do so by submitting a request in writing to:
[NAME]
[ORGANIZATION]
[ADDRESS]
I understand that:
- In the event that my information has already been shared by the time my authorization is revoked, it may be too late to cancel permission to share my health data.
- I understand that I do not need to give any further permission for the information detailed in [SECTION NO.] to be shared with the person(s) or organization(s) listed in section
- I understand that the failure to sign/submit this authorization or the cancellation of this authorization will not prevent me from receiving any treatment or benefits I am entitled to receive, provided this information is not required to determine if I am eligible to receive those treatments or benefits or to pay for the services I receive.
8. Obtain the patient’s signature
Leave fields for the patient to sign and date the form. This indicates their informed and voluntary consent to release their PHI.
HIPAA release form examples
For a better understanding of HIPAA release forms, it can be helpful to review specific examples from various states. State-specific forms often include unique wording or requirements mandated by local laws. Reviewing these can offer insight into how different states structure their forms and provide ideas for tailoring your form to meet both HIPAA and local regulations. Here are some state-specific templates:
HIPAA release form New York
This HIPAA release form was created as a standard official form to be used to authorize the release of health information needed for litigation in New York State courts. It includes specific wording required under New York State Law, such as an emphasis on protecting patients' privacy when disclosing information relating to alcohol and drug abuse, mental health treatment, and confidential HIV-related information. Although it was created to be used for litigation, it can be used more broadly.
View the New York HIPAA release form here.
HIPAA release form California
The HIPAA release form created by the California Department of Health Care Services aligns with HIPAA regulations and the state privacy law, the California Consumer Privacy Act, making it more comprehensive than forms used in other states. For example, you may notice the additional sections on California’s form detailing the patient’s rights and exactly what the patient should expect by signing this authorization.
View the California HIPAA release form here.
HIPAA release form Texas
Texas includes provisions in its HIPAA release form, created by the Attorney General of Texas, related to the state’s own privacy rules, including the Texas Medical Privacy Act. A unique feature in this HIPAA form is the direct language around electronic health records (EHR) and the use of PHI in electronic formats, making it highly relevant for telehealth and remote healthcare services. Texas healthcare organizations may also use specific language to address PHI disclosures for sale or marketing purposes.
View the Texas HIPAA release form.
HIPAA release form Florida
The Florida Agency for Health Care Administration’s HIPAA release form is designed to ensure transparency in how PHI is shared, including information about HIV/AIDS, alcohol or drug treatment, and mental health treatment. Due to state requirements, Florida forms typically emphasize the patient’s right to revoke consent and may provide extra details on the process to make this change.
View the Florida HIPAA release form.
HIPAA release form Massachusetts
The Massachusetts Department of Public Health’s HIPAA release form contains language aimed at addressing both general HIPAA guidelines and state-specific regulations for medical privacy and data protection, especially concerning information about HIV, genetic information, and alcohol or drug treatment records. Massachusetts places a strong emphasis on ensuring patients’ understanding of their data rights and opts for open questions rather than checkboxes when asking what information patients want to share and why.
Need help getting HIPAA compliant?
Using or disclosing protected health information (PHI) without a HIPAA authorization form can be a serious HIPAA violation — and this is just one example. Other common violations include failing to address security risks, downloading PHI onto unauthorized devices, and sending ePHI to a personal email account.
If you’re a covered entity (including healthcare providers, health plans, and healthcare clearinghouses) or a business associate that must comply with HIPAA regulations, Secureframe can help you verify and maintain your organization’s HIPAA compliance.
To streamline your annual HIPAA audits, keep you compliant, and protect you from potential HIPAA violation fines, Secureframe’s platform and team of HIPAA compliance experts help you:
- create HIPAA privacy and security policies
- train employees on how to protect PHI
- manage vendors and business associates
- monitor your PHI safeguards
- and more
For more information on how Secureframe can help you achieve and maintain HIPAA compliance, request a demo.
FAQs
What is a HIPAA release form?
A HIPAA release form is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
Why are HIPAA release forms important?
HIPAA release forms are important tools for maintaining patient privacy while allowing for necessary sharing of medical information for treatment, payment, or other healthcare operations.
In addition to ensuring that healthcare providers and organizations protect patients' sensitive health data, authorization forms are also important for complying with HIPAA and state privacy laws.
When is patient authorization required by the HIPAA Privacy Rule?
Patient authorization is required to use or disclose PHI for a purpose not specifically required or permitted by the HIPAA Privacy Rule, which is generally other than treatment, payment, or health care operations.
Does a HIPAA release form need to be notarized?
The Privacy Rule does not require that a HIPAA release form be notarized. However, some states or healthcare providers may require it to validate the authenticity of the patient’s signature. Check the instructions or local regulations to determine if this is necessary.
What happens if I decline HIPAA authorization?
If you do not sign a HIPAA release form, then your PHI cannot be used or disclosed for the purpose or to the individuals or entities specified in that form.
How do I get a HIPAA release form?
To obtain a HIPAA release form, you can request one directly from your healthcare provider or their administrative office. Many healthcare organizations also provide digital versions of HIPAA release forms that you can fill out and submit online. Additionally, you may find downloadable templates from reputable organizations that comply with HIPAA requirements, though it’s important to verify any online source for accuracy.
How to fill out a HIPAA release form?
To fill out a HIPAA release form, carefully review each section and provide accurate, up-to-date information. Begin by specifying your name, the entity authorized to disclose information, and the individuals or entities you authorize to receive it. Indicate the specific information and purpose for which it will be disclosed, add an expiration date or event, and sign and date the form to confirm your consent. Following these steps ensures that your authorization is both clear and valid.
Does a HIPAA release form have to include an expiration date?
Yes, the HIPAA Privacy Rule requires that a release form contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, authorization may expire one year after the form is signed or if enrollment in the health plan is terminated.