HIPAA Release Form Explained [+ Free Template, State Examples & Compliance Tips]
Anna Fitzgerald
Senior Content Marketing Manager
Cavan Leung
Senior Compliance Manager
If you work in healthcare, handle medical records, or visited a doctor's office, you’ve likely heard of a HIPAA release form—sometimes called a HIPAA authorization form or medical records release form. This legal document gives patients control over who can access or share their protected health information (PHI) for purposes not automatically permitted under the HIPAA Privacy Rule.
Under the HIPAA Privacy Rule, covered entities can use or disclose PHI without authorization for treatment, payment, and healthcare operations. But in other situations, such as sharing records with a third party, using PHI for marketing, or releasing sensitive test results, a HIPAA release form is required.
In this guide, we’ll explain exactly what a HIPAA release form is, when it’s needed, what it must include to be HIPAA compliant, and provide a free downloadable HIPAA release form template you can customize for your organization.
What is a HIPAA release form?
A HIPAA release form is a legal document signed by an individual to grant permission for their protected health information (PHI) to be used by authorized individuals at covered entities for specific purposes other than treatment, payment, and health care operations, or to be disclosed to specific individuals or entities.
This form may be referred to in other ways including:
- HIPAA medical release form
- HIPAA authorization form
- HIPAA consent form
- HIPAA release of information form
- HIPAA medical records release form
- HIPAA information release form
To better understand the HIPAA release form, you can download our illustrative HIPAA release form template, watch the quick explainer below, or keep reading for a detailed breakdown of HIPAA release form requirements.
HIPAA release form requirements
HIPAA has specific authorization requirements governing the content of a medical release form, including:
- Description of the information to be used and disclosed: A HIPAA release of information form must specify what specific information can be used and disclosed. It can be broad, allowing access to all medical records, or narrow, granting access only to specific information or for a limited period.
- The authorized person who can use or disclose the information: The form must specify who the person authorized to make the use or disclosure is.
- To whom it can be disclosed: A HIPAA compliant medical records release form must also specify the names of the individuals or entities to whom the authorized individual at the covered entity may disclose the information.
- Purpose of the disclosure: In some cases, the form must specify the purpose for which the information may be used or disclosed.
- Patient's signature: It is essential for the patient to voluntarily sign the HIPAA medical records release form. This means that they understand what information is being shared and with whom.
- Expiration Date: The HIPAA release form must contain an expiration date or event triggering the end of the authorization that relates to the individual or the purpose of the use or disclosure. This ensures that the permission granted is only valid for a specified period (unless effectively revoked in writing by the individual before that date or event).
- Revocation rights: The form should include statements advising patients of their right to revoke their authorization at any time, in writing. This means they can stop the sharing of their medical information by notifying the covered entity. Any exceptions to this right should be detailed.
Keep in mind that the specific requirements and processes for using HIPAA release forms may vary depending on state laws and the policies of healthcare providers and organizations.
HIPAA release form PDF
A well-crafted HIPAA release form helps ensure your organization meets HIPAA requirements and avoid costly compliance mistakes.
Our printable PDF provides a generic template of a HIPAA release form that meets the requirements above. You can easily customize it to reflect your organization’s policies, the type of PHI you handle, and any additional privacy safeguards you want to put in place. Using this template can help you save time while reducing compliance risk.
Free HIPAA release form template
Simplify the process of creating a HIPAA compliant release form with this free template. With it, you can save time, reduce risk, and more easily meet HIPAA’s authorization requirements.
When is a HIPAA release form required?
Covered entities are required to obtain patient authorization for uses and disclosures of protected health information for specific purposes, generally other than treatment, payment, and health care operations, or to disclose protected health information to a third party specified by the individual.
Healthcare providers, insurance companies, family members, and other individuals and organizations may need an individual to sign a HIPAA release of information form in order to access their medical records or discuss their health information.
For example, for a provider or health plan to engage in marketing to individuals, those individuals must have signed a HIPAA authorization form permitting the use or disclosure of their protected health information for marketing communications. (There are only two exceptions: one, if the communication occurs in a face-to-face encounter between the covered entity and the individual or two, if the communication involves a promotional gift of nominal value.)
Recommended reading
History of HIPAA: How the Standard Has Evolved Since 1996
When is a HIPAA release form not required?
Under the HIPAA Privacy Rule, covered entities are not required to obtain patient authorization for uses and disclosures of protected health information for treatment, payment, and health care operations.
For example, doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities can use or disclose PHI, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization.
However, covered entities may choose to voluntarily obtain patient consent for uses and disclosures of PHI for these reasons (ie. treatment, payment, and health care operations). While not required, this is permitted under the HIPAA Privacy Rule.
Recommended reading
PHI vs PII: Key Differences & How to Protect Both
Recommended reading
The Ultimate HIPAA Compliance Checklist for 2025 + Free PDF
How to create a HIPAA compliant medical records release form
You want to make it as simple as possible for patients to fill out a HIPAA release form. Follow the steps below to create a standard HIPAA release form that’s easy for patients to understand and fill out. We've included images of the New York HIPAA Release Form for reference.
You can also download our printable HIPAA release form template to get started.
1. Provide instructions
To start, provide instructions that will guide the patient through the process of filling out the form. You may include specific information about what to include on the form based on applicable state laws or the policies of your organization.
Here’s an example of language you might use: Please complete all sections of this HIPAA release form with accurate and up-to-date information. If any sections are inaccurate, out-of-date, or left blank, this form will be invalid and it will not be possible for your health information to be used or disclosed as requested.
Here’s an example from the NYC HIPAA release form:
2. Name the patient and individual authorized to use or disclose their PHI
Include a statement where the patient can permit the individual or covered entity authorized to use or disclose their PHI. You may leave the field for the patient name blank and require them to print their name.
Here’s an example of language you might use:
I,_____________________________________________, hereby authorize
[NAME OF INDIVIDUAL OR COVERED ENTITY] to share the information listed below with the person(s) or organization(s) I have specified in [SECTION NO.] in this document.
Here’s an example from the NYC HIPAA release form:
3. Describe the information
Next, specify the types of information you are requesting authorization to use or disclose. You can be specific (e.g., medical history, treatment records, laboratory results) or broad (e.g., all medical records). You may use checkboxes for this section to make it as easy and fast as possible for patients to fill out.
Here’s an example of language you might use:
I permit the above individual or covered entity to:
- Disclose my entire health record.
- Disclose my entire health record except for the following information [check any of the following]:
Mental health records or psychotherapy notes
Alcohol/drug treatment
HIV-related information
Here’s an example from the NYC HIPAA release form:
4. Specify recipients
Next, provide a section where the patient can identify the individuals or entities to whom they are permitting disclosures of their PHI. This could be healthcare providers, family members, insurance companies, or any other organization that needs access to their medical records.
Instruct patients to include their names and contact information.
Here’s an example of language you might use:
I give authorization for the health information detailed above in this document to be disclosed to the following individual(s) or organization(s)
Name: ________________________________________________________________
Organization: ________________________________________________________________
Address: ________________________________________________________________
Here’s an example from the NYC HIPAA release form:
5. Specify the purpose of disclosure
You may also provide a section prompting the patient to indicate the purpose for which the information will be used or disclosed. An example might be sharing information with a family member for caregiving purposes. Instruct the patient what to write if they do not wish to provide the purpose. You can also use checkboxes for this section.
Here’s an example of language you might use:
Purpose of request:
- At my request
- Dispute
- Referral
- Other (Specify): _____________
Here’s an example from the NYC HIPAA release form:
6. Specify the time period
Specify the time frame during which the authorization is valid. This can be a one-time release, a specific date range, or an ongoing authorization.
Here’s an example of language you might use:
This authorization to share my health information is valid from ___________________ to ___________________.
Here’s an example from the NYC HIPAA release form:
7. Detail their revocation rights
Include statements advising patients of their right to revoke their authorization at any time.
Here’s an example of language you might use:
I understand that I am permitted to revoke this authorization to share my health data at any time and can do so by submitting a request in writing to:
[NAME]
[ORGANIZATION]
[ADDRESS]
I understand that:
- In the event that my information has already been shared by the time my authorization is revoked, it may be too late to cancel permission to share my health data.
- I understand that I do not need to give any further permission for the information detailed in [SECTION NO.] to be shared with the person(s) or organization(s) listed in section
- I understand that the failure to sign/submit this authorization or the cancellation of this authorization will not prevent me from receiving any treatment or benefits I am entitled to receive, provided this information is not required to determine if I am eligible to receive those treatments or benefits or to pay for the services I receive.
Here’s an example from the NYC HIPAA release form:
8. Obtain the patient’s signature
Leave fields for the patient to sign and date the form. This indicates their informed and voluntary consent to release their PHI.
Here’s an example from the NYC HIPAA release form:
HIPAA release form examples
For a better understanding of HIPAA release forms, it can be helpful to review specific examples from various states. State-specific forms often include unique wording or requirements mandated by local laws. Reviewing these can offer insight into how different states structure their forms and provide ideas for tailoring your form to meet both HIPAA and local regulations. Here are some state-specific templates:
HIPAA release form New York
This HIPAA release form was created as a standard official form to be used to authorize the release of health information needed for litigation in New York State courts. It includes specific wording required under New York State Law, such as an emphasis on protecting patients' privacy when disclosing information relating to alcohol and drug abuse, mental health treatment, and confidential HIV-related information. Although it was created to be used for litigation, it can be used more broadly.
View the New York HIPAA release form here.
HIPAA release form Texas
Texas includes provisions in its HIPAA release form, created by the Attorney General of Texas, related to the state’s own privacy rules, including the Texas Medical Privacy Act. A unique feature in this HIPAA form is the direct language around electronic health records (EHR) and the use of PHI in electronic formats, making it highly relevant for telehealth and remote healthcare services. Texas healthcare organizations may also use specific language to address PHI disclosures for sale or marketing purposes.
View the Texas HIPAA release form.
HIPAA release form Florida
Florida Agency for Health Care Administration’s HIPAA release form is designed to ensure transparency in how PHI is shared, including information about HIV/AIDS, alcohol or drug treatment, and mental health treatment. Due to state requirements, Florida forms typically emphasize the patient’s right to revoke consent and may provide extra details on the process to make this change.
View the Florida HIPAA release form.
HIPAA release form California
The HIPAA release form created by the California Department of Health Care Services aligns with HIPAA regulations and the state privacy law, the California Consumer Privacy Act, making it more comprehensive than forms used in other states. For example, you may notice the additional sections on California’s form detailing the patient’s rights and exactly what the patient should expect by signing this authorization.
View the California HIPAA release form here.
HIPAA release form Illinois
Illinois’ HIPAA release form, overseen by the Illinois Department of Human Services, is more comprehensive and specific than other states—in part, because it must meet strict requirements for the state’s Mental Health and Developmental Disabilities Confidentiality Act. This includes specific language for releasing mental health records, developmental disability information, and alcohol or substance use/abuse, and HIV/AIDS records as well as detailed instructions for filling out the form. It also requires a witness signature for added verification.
View the Illinois HIPAA release form.
HIPAA release form New Jersey
New Jersey’s HIPAA release form reflects state laws that provide additional protections for substance abuse and HIV/AIDS-related information. The form includes clear instructions on limiting the scope of disclosure for these types of information, prompting them to explicitly identify what information may be disclosed in fill in the blank fields. NJ also requires futher authorization or written consent for redisclosure of this sensitive health information.
View the New Jersey HIPAA release form.
HIPAA release form Massachusetts
Massachusetts Department of Public Health’s HIPAA release form contains language aimed at addressing both general HIPAA guidelines and state-specific regulations for medical privacy and data protection, especially concerning information about HIV, genetic information, and alcohol or drug treatment records. Massachusetts places a strong emphasis on ensuring patients’ understanding of their data rights and opts for open questions rather than checkboxes when asking about the information they want to share and why.
View the Massachusetts HIPAA release form.
HIPAA release form Ohio
In 2019, the Ohio Department of Medicaid finalized its regulation (OAC 5160-1-32.1) which creates a standard authorization form for the release of medical records. This form is divided into two separate forms and addresses the consent requirements required by HIPAA and Part 2 Regulations. Form A allows the disclosure of protected health information by a covered entity as required by HIPAA. Form B allows the disclosure of substance use disorder information by a 42 CFR Part 2 federally-assisted provider.
View the Ohio HIPAA release form.
HIPAA release form Colorado
Colorado offers several HIPAA-related authorization forms in both English and Spanish, each tailored for specific disclosure situations. These include a:
- Personal Representative Form to allow a designated individual (often a family member or legal guardian) to communicate with the Department of Health Care Policy & Financing about a client’s PHI
- Third-Party Authorization Form for releasing PHI or claims data to outside entities like support services organizations or attorney
- Non-Attorney Authorization Form for use and disclosure of PHI during the appeal process.
View the Colorado HIPAA release forms.
HIPAA release form Georgia
Georgia’s HIPAA release form is distinct in that the purpose specified is to assist in emergency response activities and it therefore requires the patient to authorize the release of specified medical information to health care providers, emergency responders, and American Red Cross health services personnel.
View the Georgia HIPAA release form.
HIPAA release form Michigan
Michigan’s HIPAA release form, also known as MDCH-1183, is the authorization form used by the Michigan Department of Health and Human Services (MDHHS). It contains fewer check-the-box options than other states; instead, it provides instructions for each section and blank fields to fill in.
View the Michigan HIPAA release form.
HIPAA release form North Carolina
Like Michigan's, North Carolina’s HIPAA release form favors blank fields rather than checkboxes, but contains less explicit instructions for how to fill out the sections. It's also unique in that it includes a revocation and verbal revocation for the patient or a personal representative to fill out to revoke their authorization before the specified expiration date (or default one-year period).
View the North Carolina HIPAA release form.
HIPAA release form Tennessee
Tennessee’s HIPAA release form incorporates the state’s own privacy laws, particularly those governing mental health, substance abuse, and HIV/AIDS-related information. The form provides options for patients to authorize only partial disclosures and makes clear that patients can revoke consent at any time in writing.
View the Tennessee HIPAA release form.
HIPAA release form Arizona
There are various HIPAA release forms available online for different Arizona entities, including the Arizona Department of Economic Security, Arizona Health Care Cost Containment System, and Arizona General Hospital. The Department of Economic Security's version says it is not endorsed or approved by any official organization or entity, but provides a basic example of a HIPAA compliant form. This example is similar to Michigan's in that it opts for free-form answer boxes instead of checkboxes.
View the Arizona HIPAA release form.
HIPAA release form Pennsylvania
Pennsylvania’s HIPAA release form, used by the state's Department of Human Services, incorporates requirements from state statutes protecting drug and alcohol and HIV/AIDS information. A key feature is that it splits these "special categories of medical information" (Part B) into a separate section from "general information" (Part A). Part B contains strict consent language for redisclosure of this sensitive information, which must be signed separately from the general authorization.
Recommended reading
Why HIPAA Compliance Is Becoming More Challenging
Need help getting HIPAA compliant?
Using or disclosing protected health information (PHI) without a HIPAA authorization form can be a serious HIPAA violation — and this is just one example. Other common violations include failing to address security risks, downloading PHI onto unauthorized devices, and sending ePHI to a personal email account.
If you’re a covered entity (including healthcare providers, health plans, and healthcare clearinghouses) or a business associate that must comply with HIPAA regulations, Secureframe can help you verify and maintain your organization’s HIPAA compliance.
To streamline your annual HIPAA audits, keep you compliant, and protect you from potential HIPAA violation fines, Secureframe’s platform and team of HIPAA compliance experts help you:
- create HIPAA privacy and security policies
- train employees on how to protect PHI
- manage vendors and business associates, including Gmail
- implement and monitor safeguards to prevent unauthorized use or disclosure of PHI
- and more
For more information on how Secureframe can help you achieve and maintain HIPAA compliance, request a demo.
HIPAA Compliance Kit
This free HIPAA compliance kit includes key assets you’ll need to ensure compliance, including a HIPAA guidebook, customizable policy templates, a compliance checklist, and more.
FAQs
What is a HIPAA release form?
A HIPAA release form is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
Why are HIPAA release forms important?
HIPAA release forms are important tools for maintaining patient privacy while allowing for necessary sharing of medical information for treatment, payment, or other healthcare operations. In addition to ensuring that healthcare providers and organizations protect patients' sensitive health data, authorization forms are also important for complying with HIPAA and state privacy laws.
What happens if you violate HIPAA's authorization requirements?
HIPAA violations for authorizations as well as other issues can result in significant civil and criminal penalties, corrective action plans, and reputational harm. One way to reduce your risk is to ensure you have strong tracking and documentation processes in place, like maintaining a HIPAA audit log.
When is patient authorization required by the HIPAA Privacy Rule ?
Patient authorization is required to use or disclose PHI for a purpose not specifically required or permitted by the HIPAA Privacy Rule, which is generally other than treatment, payment, or health care operations.
Does a HIPAA release form need to be notarized?
The Privacy Rule does not require that a HIPAA release form be notarized. However, some states or healthcare providers may require it to validate the authenticity of the patient’s signature. Check the instructions or local regulations to determine if this is necessary.
What happens if I decline HIPAA authorization?
If you do not sign a HIPAA release form, then your PHI cannot be used or disclosed for the purpose or to the individuals or entities specified in that form.
How do I get a HIPAA release form?
To obtain a HIPAA release form, you can request one directly from your healthcare provider or their administrative office. Many healthcare organizations also provide digital versions of HIPAA release forms that you can fill out and submit online. Additionally, you may find downloadable templates from reputable organizations that comply with HIPAA requirements, though it’s important to verify any online source for accuracy.
How to fill out a HIPAA release form?
To fill out a HIPAA release form, carefully review each section and provide accurate, up-to-date information. Begin by specifying your name, the entity authorized to disclose information, and the individuals or entities you authorize to receive it. Indicate the specific information and purpose for which it will be disclosed, add an expiration date or event, and sign and date the form to confirm your consent. Following these steps ensures that your authorization is both clear and valid.
Does a HIPAA release form have to include an expiration date?
Yes, the HIPAA Privacy Rule requires that a release form contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, authorization may expire one year after the form is signed or if enrollment in the health plan is terminated.
What makes a medical release form compliant with HIPAA?
To be compliant with HIPAA, a medical release form must:
- specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed
- be signed by the patient or a legally authorized representative
- not be required for the patient to fill out in order to receive treatment or coverage (there are limited exceptions)
What's the difference between consent vs authorization under HIPAA?
Under the HIPAA Privacy Rule, patient consent is optional for covered entities to obtain to use or disclose protected health information (PHI) for treatment, payment, and healthcare operations. If covered entities decide to voluntarily obtain patient consent for these routine healthcare purposes, then they can use whatever form or process they want. On the other hand, patient authorization is required for any use or disclosure of PHI not otherwise permitted by the Privacy Rule, such as marketing or sharing with a third party. A valid medical release form must be used to obtain this authorization and must include specific elements, such as what PHI will be shared, who can share it, who will receive it, the purpose, and an expiration date.
In short: Under the HIPAA Privacy Rule, consent may be voluntarily obtained to cover the use and disclosure of PHI for treatment, payment, and healthcare operations whereas authorization must be obtained for all other uses or disclosures of PHI and must meet strict process requirements.
Reduce the complexity of HIPAA compliance
