HIPAA Authorization to Release Medical Information

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires doctors and health plans to obtain written authorization from patients to share information in their medical records for purposes unrelated to treatment, payment or routine health care operations. The authorization form can originate from the hospital or health plan or it can come from the organization seeking the data, such as a researcher, an employer, a marketing firm or an insurance company. A valid form must include several core elements.

For all disclosures of protected health information, which may include a patient’s name and health status, HIPAA requires hospitals and health plans to disclose only the minimum amount of information necessary for its intended purpose. Rather than a general request to disclose a patient’s entire medical record, a valid HIPAA authorization form must include a detailed description of specific information in the patient's medical record the hospital or health plan may disclose.

The authorization form needs to state the name of the individual or that of a personal representative authorized to make the requested disclosure.

The authorization must state the name or identity of the recipient of the information or the name of the person who can use the information. Hospitals and health plans may disclose information to the named recipients upon receiving a fax or a photocopy of a valid authorization.

The form must include a description of each purpose for the information requested. For example, researchers must include a study-specific statement of purpose. They can’t submit a statement that involves future unspecified research. When patients request disclosure of information in their medical file without giving a reason, the authorization form can state “at the request of the individual,” according to U.S. Department of Health & Human Services, or HHS, guidelines on patient-initiated authorizations.

A valid HIPAA authorization to release medical information must include an expiration date or an expiration event. Researchers can write the terms "end of the research study" or "none" as an expiration event on an authorization form requesting the patient information for a health study or to create and maintain a research database, HHS advises.

Additionally, the individual’s signature or that of a person authorized to make health care decisions on his behalf, along with the date must appear on a valid authorization form. The regulation doesn’t require a witness to the authorization or a notarized form, according to HHS.

Individuals have the right to revoke an authorization at any time. The authorization form must state this right and specify the process for revocation, which takes effect when the hospital or health plan receives a written request from the individual.