A medical records release authorization form is a document that allows a person to disclose protected health information to a third party. A patient can also request their medical records not currently in their possession.
The document, also known as a “Health Insurance Portability and Accountability Act (HIPAA)” form, must satisfy the requirements listed under the 1996 Federal HIPAA Privacy Rule. If it does not adhere to the standards, the patient cannot use it to give or receive permission to release their medical records.
Protected health information – such as test results, diagnoses, medical histories, and other personally identifiable information – is confidential under the HIPAA Privacy Rule. The rule states that all covered entities (i.e., hospitals) must take every step necessary to keep a patient’s medical information private.
However, in some cases, a patient may wish to release this information to another entity or obtain it for personal use. The HIPAA release form (sometimes called “authorization”) explicitly states the content and manner in which medical facilities share health information.
To fill out a HIPAA release form, a patient must choose the appropriate document. The form must allow them to request their personal health information (PHI) or grant a third party permission to release it. Depending on the form’s purpose, the individual can select a state-specific document or complete a generic template.
Each medical release document has fields that allow the person to explain the reason(s) for completing it. To ensure they have filled out the HIPAA release form correctly, they must enter the necessary information in the blanks provided and check the appropriate boxes. Once written, the sender must submit it to the required third party or entity by mail, fax, or email.
When filling out a HIPAA authorization form, include the following:
While there is no standard or universal form, the form must be HIPAA-compliant, meaning it meets all requirements to be considered legal and binding. Therefore, all HIPAA release forms must:
The HIPAA minimum necessary rule grants a recipient permission to distribute PHI only as requested by the patient. In other words, the entity can only view or send records authorized in a signed medical release form. The following example further explains the HIPAA minimum necessary rule:
Sally breaks her arm and visits a hospital to receive X-Ray scans. She authorizes the hospital to send her primary care physician a copy of the scans once available. Under HIPAA law, the hospital can only send the physician her X-Ray scans. The office staff cannot view or send any other PHI filed under Sally’s name.
An individual completes a medical release form to give consent to a hospital, doctor, or other facilities so they can release the patient’s PHI to the individual or a third party. The document has great importance in the medical world since it has many purposes. Doctors can use it to determine a patient’s treatment, while insurance companies use it when billing individuals. The HIPAA Privacy Rule reassures the general public that unwanted parties do not access their medical files. At the same time, the release form ensures that the right people obtain, discuss, or review the patient’s information.
There are a variety of scenarios when HIPAA authorization is necessary. The following examples are common uses for a medical release form.
Each situation necessitates a HIPAA release form from the patient. Without a medical information release form, the patient and third party cannot send or receive the protected health information (PHI).
No, a spouse cannot sign a HIPAA release form. According to HIPAA Privacy Rule 45 (§ CFR 164.510), a spouse, family member, or friend cannot sign a HIPAA release form for a patient. Instead, patients must complete and sign the HIPAA form on their own.
HIPAA Privacy Rule 45 exists to protect individuals from unwanted breaches in privacy. As a result, family members, including spouses, are blocked from retrieving their loved one’s medical information. There are no exceptions to this law. For example, if the patient becomes incapacitated and cannot sign a HIPAA release form, it does not give spouses or relatives the ability to access the health records.
However, the law allows spouses or family members to access the patient’s PHI if they have previously given them written authority. In other words, the individual must complete a document (such as a medical power of attorney) that assigns a loved one as their personal representative. The family member must present the signed form to the third party to complete or sign a medical information release.
Choosing the best type of HIPAA form is important to authorize an individual, medical professional, billing office, or insurance representative to release or view medical records. Patients should consider the recipient and the information required when selecting a template.
The following list contains questions and answers for medical records release authorization forms. If the index does not include a specific topic or subject, reference local law to ensure that the HIPAA release form complies with the state’s requirements.
A HIPAA release form is a document that makes it possible for a person to obtain their own medical records or allow an entity to give the information to a third party. The purpose of a medical records release authorization is to provide the patient or third party with the PHI when treating the individual, determining payment, or handling other day-to-day billing operations.
In some situations, the doctor or hospital requires that the patient complete a HIPAA authorization form that they only provide. For example, office staff can mandate that patients fill out a specific document to obtain their surgery procedure notes. However, in cases where the individual needs to create a generic HIPAA release document, they can download and print a template from online sources. Regardless of the format, the authorization often requires specific information to ensure that the person writing it requests or grants the desired permissions.
A HIPAA release form is good until it reaches the expiration date set by the person who created the document. Setting a termination date prevents third parties or entities from accessing the information for a prolonged period. If the principal does not include an end date, it lasts indefinitely or until the individual completes a revocation form. Revoking the document means that the principal takes away the ability for another party to view, discuss, or release their PHI.
HIPAA release forms generally do not require signatures from Notary Publics. However, laws vary by state and medical facilities, so it is critical to reference local notarization requirements. The state often requires the individual granting authority to sign the medical release form. In some cases, a document requires a witness’ signature. Most commonly, a witness signs when an individual requests the release of PHI, such as HIV/AIDS, psychiatry or behavioral health, sexually transmitted diseases, or drug and alcohol abuse.
States can follow HIPAA laws or create their own rules for patient information. According to HIPAA, providers have thirty (30) days from a patient’s request to provide them with PHI. Certain states abide by this law; however, others have modified the amount of time required.
The table below lists the number of days the provider has after the “request date” to issue the patient their medical records. The abbreviation “N/A” represents states that do not have release statutes or use language such as “within a reasonable time frame.”
Hospitals: 10 days for discharged patients; 24 hours for inpatients.
Covered Entities: 30 days.
Covered Entities: 30 days.
Physicians: 10 working days.
Hospital: 10 days.
By default, an individual’s protected health information remains private from those not directly involved in their medical care or treatment, including spouses and family members. An individual who releases their PHI does so at their discretion. When situations require the release of medical records, begin by compiling the necessary information and researching the state or medical facility’s policies. As long as HIPAA authorization forms are compliant with HIPAA’s rules, a person may use a template or generic document.