The HIPAA Authorization Form to Release Medical Records

A HIPAA authorization form to release medical records must be obtained from a patient or their personal representative before any Protected Health Information (PHI) is shared with a third party for a purpose not permitted by the Privacy Rule. In addition, it is important that the HIPAA authorization form to release medical records complies with the mandated criteria in order to be considered valid.

The Privacy Rule permits covered entities to use and disclose PHI for treatment, payment, and healthcare operations. PHI can also be permissibly disclosed when required by law, to support public health activities, or to report abuse, neglect, or domestic violence. When disclosing PHI for any other purpose permitted by §164.512, disclosures of PHI must be kept to the minimum necessary to achieve the purpose of the disclosure.

When a HIPAA Authorization Form to Release Medical Records is Necessary

In all other scenarios, patients must be given the opportunity to agree or object to a disclosure (if the scenario is covered in §164.510) or must be asked to sign a valid HIPAA authorization form to release medical records. The scenarios in which a valid HIPAA authorization form is required are listed in §164.508 and include:

  • Prior to disclosing PHI for marketing purposes
  • Prior to disclosing PHI for fundraising purposes
  • Prior to disclosing PHI to a research organization
  • Prior to disclosing PHI in psychotherapy notes
  • Prior to disclosing PHI to an insurance underwriter
  • Prior to disclosing PHI for any type of remuneration

This is not an exhaustive list. Recent changes to 42 CFR Part 2 mean it is now necessary to obtain a valid authorization before disclosing Substance Use Disorder records, while proposed changes to the Privacy Rule may soon make it necessary to obtain authorization prior to disclosing reproductive health information. In addition, in some states it is necessary to obtain a HIPAA authorization form to release medical records relating to HIV test results.

The Criteria for a HIPAA Authorization Form to be Valid

In order to be valid, a HIPAA authorization form to release medical records must include a description of the PHI that will be used or disclosed, the purpose for which the information is being used or disclosed, and the name(s) of the individual(s) and/or organization(s) to whom the information is being disclosed. The HIPAA authorization form should also include an expiry date or event (e.g., end of research project) after which the authorization will no longer be valid.

It is also necessary for a HIPAA authorization form to release medical records to include a statement advising a patient that, once PHI has been disclosed in accordance with the authorization, it may no longer be protected by the Privacy Rule, it may be further disclosed by the recipient, and that – if disclosed by the recipient – the covered entity may have no control over subsequent uses and disclosures of their PHI.

The patient also has to be advised of their right to revoke an authorization (subject to specified exceptions), the process for exercising the right, and that a covered entity cannot condition treatment, payment, enrollment in a health plan, or eligibility for benefits on the authorization (unless an exception applies in §164.508(b)(4)). Finally, the form must be signed and dated by the patient or their personal representative.

Why Workforce HIPAA Training on Authorized Disclosures is Important

Workforce HIPAA training on all types of disclosures is important so that workforce members understand when they can – and when they cannot – use or disclose PHI. However, specific workforce HIPAA training on authorized disclosures is important, not only to educate members of the workforce on when an authorization is necessary, but also to ensure they understand the criteria for a HIPAA authorization form to be valid.

Healthcare providers who are concerned their HIPAA authorization forms may not meet the criteria to be valid, or who need assistance in training members of the workforce on when to complete an authorization form for the release of medical records, should seek professional HIPAA compliance advice.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/