Authorize your doctor to share medical information: HIPAA Authorization Form

What is a HIPAA Authorization Form?
A HIPAA Authorization Form allows you to provide others access to your protected medical records, most often to other doctors or care providers. However, HIPAA Authorization Forms can also be used to release your medical information to a specific person.
That health information could include medical records, drug or alcohol treatment, or anything of a similar nature. Also known as a HIPAA Release Form, this document names a patient, a covered entity, and a person or group that will receive the health information. It also specifies whether all health information can be shared or only information from a certain period of time. The form includes a specific end date, since federal law requires that these forms eventually expire.
Get started on your own HIPAA Authorization Form now – with Rocket Lawyer, it’s as simple as answering a few questions. We will build the document for you!
When to use a HIPAA Authorization Form:
- You want your medical information to be released from one care provider to another.
- You want to control what medical information is to be shared.
- You want to limit how long a certain party can access specific medical information.
- You need to provide this document to your patients or medical clients.
Sample HIPAA Authorization Form
The terms in your document will update based on the information you provide
HIPAA AUTHORIZATION FORM
I, , hereby authorize the use or disclosure of my protected health information as described below:
. AUTHORIZED PERSONS TO USE AND DISCLOSE PROTECTED HEALTH INFORMATION
is authorized to disclose the following protected health information to of , .
. DESCRIPTION OF INFORMATION TO BE DISCLOSED
The health information that may be disclosed is:
Medical records
. PURPOSE OF THE USE OR DISCLOSURE
The purpose of this use or disclosure is .
. VALIDITY OF AUTHORIZATION FORM
This Authorization Form is valid beginning on and expires
. ACKNOWLEDGMENT
I understand that the information used or disclosed under this Authorization Form may be subject to re-disclosure by the person(s) or facility receiving it and would then no longer be protected by federal privacy regulations.
I have the right to refuse to sign this Authorization Form. If signed, I have the right to revoke this authorization, in writing, at any time. I understand that any action already taken in reliance on this authorization cannot be reversed, and my revocation will not affect those actions.
By: | Date: |
HIPAA Authorization Form FAQs
-
What is included in a HIPAA Authorization Form?
In this case, it is not a matter of what is most often included, but rather what must be included. Releases may be found non-compliant if not completed correctly, potentially causing problems for patients and medical providers. While you should consult a lawyer about the specifics of your HIPAA Release Form, you'll want to include at least the following:
- The name of the person or entity allowed to disclose medical information.
- The name of the person or medical group who may receive the information.
- A specific description of the information to be (or not to be) shared.
- The reason the information needs to be shared, or simply the statement “at the request of the individual.”
- The period during which the authorization is valid.
- Statements about the patient's right to revoke the authorization.
- Signatures and the date of signing.
More detailed information can also be included, such as specific names of those allowed to receive medical information and exact details on what can be disclosed.
-
When can a doctor disclose my medical information?
In most cases, your information can be shared with other providers to facilitate treatment or with payers (such as your health insurance company). If your medical provider asks you to sign a release, you'll want to carefully review the details of the HIPAA Authorization Form before signing. Often, releases are written broadly, naming an entire company or group of people rather than specific individuals. This helps the medical provider stay in compliance more easily.
-
What is considered protected health information?
Protected health information is any information created or received by care providers, health plans, life insurance companies, public health authorities, employers, educational institutions, or healthcare clearinghouses in any form, including oral or electronic. This includes past, current, and future physical or mental health data and personally identifying information. As with most legal topics, there are exceptions. For example, you may consent to allow research groups to use your information, such as gender, age, or demographics, with the agreement that they do not reveal identifiable information such as birth date, contact details, or biometric identifiers.
-
How do I report a HIPAA violation?
If you need to report that a covered entity violated your patient privacy by sharing health information, you can file a complaint with the Office for Civil Rights (OCR). You may also file a complaint on behalf of your organization or another person. “Covered entities” include health plan providers, healthcare clearinghouses, and healthcare providers who conduct a portion of their business electronically using a HIPAA-covered transaction.
-
What is the difference between consent and authorization?
Basically, consent is not required, while authorization is required. Consent is not needed for the sharing of information for treatment or payment per the HIPAA Privacy Rule. Authorization is needed to disclose information not permitted under the Privacy Rule. For example, authorization is required for sharing information with marketers or researchers. The HIPAA Privacy Rule is designed to protect medical and other types of personal health information. It also gives patients the right to obtain copies of their own health information.
If you work as a healthcare provider and need to report an internal violation, your organization will most often have procedures for handling complaints. Usually, an internal investigation is conducted first to determine whether the reported violation is valid and reportable under the HIPAA Breach Notification Rule. Employees or care providers can also file complaints directly with the OCR. Notifications should be sent without delay, usually within 60 days.
-
What if I want to provide a family member or friend access to my health information?
While you can release specific information to an individual, in most cases, you'll want to use a different type of form (and not a HIPAA Authorization Form) to provide ongoing legal rights. For example, you may want your babysitter to have the right to consent to care for your child, or you may want to make an Advance Directive to carry out your end-of-life wishes.
Here are some other related legal documents:
- Advance Directive: This document allows you to define your healthcare wishes should you become incapacitated. It can include what kind of care you consent to, such as limitations on long-term artificial life support. If you are a donor, it defines the restrictions on how you want your tissues or organs to be used.
- Medical Records Request: This form helps you request your records from providers if you are moving or changing providers.
- Medical Authorization for Minors: This form allows you to provide temporary and limited consent to a care provider for your child. This authorization helps ensure your child receives medical attention if you are not available.

Our quality guarantee
We guarantee our service is safe and secure, and that properly executed Rocket Lawyer legal documents are legally enforceable under applicable US laws.
Need help? No problem!
Ask a question for free or get affordable legal advice when you connect with a Rocket Lawyer network attorney.