DocDraft Logo

HIPAA Authorization: What You Need to Know to Protect Your Medical Privacy

Learn about HIPAA Authorization forms, why they matter for your healthcare privacy, and how to use them effectively regardless of your family or financial situation.

Introduction

A HIPAA Authorization is a legal document that gives healthcare providers permission to share your protected health information with specific people or organizations. Unlike the basic HIPAA privacy notices you routinely sign at doctor's offices, a HIPAA Authorization provides you with control over who can access your medical information beyond your direct healthcare providers. Whether you're married with children, single, or have significant assets to protect, understanding how to use HIPAA Authorizations effectively is crucial for maintaining privacy while ensuring your loved ones can help during medical emergencies.

Key Things to Know

  1. 1

    HIPAA Authorizations are revocable at any time—you can change your mind about who has access to your information.

  2. 2

    Without a HIPAA Authorization, healthcare providers may be legally prohibited from sharing your medical information, even with close family members.

  3. 3

    Consider updating your HIPAA Authorization after major life events such as marriage, divorce, or when children reach adulthood.

  4. 4

    Be specific about what information can be shared—you can exclude sensitive information like mental health records or genetic testing if desired.

  5. 5

    Keep copies of your signed HIPAA Authorization with your other important documents and provide copies to your designated representatives.

  6. 6

    A HIPAA Authorization works best when paired with other healthcare documents like an advance directive and healthcare power of attorney.

  7. 7

    Different healthcare systems may have their own HIPAA Authorization forms, so you may need to complete multiple forms for different providers.

Key Decisions

Single individuals without children

High net worth individuals

Married individuals with children

Customize your HIPAA Authorization Template with DocDraft

AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA)

I. PATIENT INFORMATION

Full Legal Name: ______________________________________
Date of Birth: //________
Address: ____________________________________________
City, State, Zip: ______________________________________
Phone Number: (___) -
Email Address: _______________________________________
Medical Record Number: ______________________________
Other Identifier (if applicable): _________________________

II. AUTHORIZATION

I hereby authorize the use and/or disclosure of my protected health information as described below. I understand that this authorization is voluntary and that I may refuse to sign it. I further understand that my treatment, payment, enrollment in a health plan, or eligibility for benefits will not be conditioned upon my providing this authorization except in limited circumstances as permitted by law.

III. AUTHORIZED RECIPIENTS

I authorize the following person(s) and/or organization(s) to receive my protected health information:

Recipient 1:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 2:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 3:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

IV. PURPOSE OF DISCLOSURE

The protected health information is being disclosed for the following purpose(s): (Check all that apply)

□ At the request of the patient or personal representative
□ Continuity of medical care
□ Insurance/benefits eligibility or claims
□ Legal proceedings or representation
□ Disability determination
□ Workers' compensation
□ Personal records/use
□ Other (specify): _______________________________________

V. INFORMATION TO BE DISCLOSED

A. Scope of Information
(Check all that apply)

□ Complete medical record
□ Hospital/inpatient records
□ Outpatient/clinic records
□ Emergency department records
□ Laboratory results
□ Radiology/imaging reports
□ Pathology reports
□ Consultation reports
□ Progress notes
□ Physician orders
□ Nursing notes
□ Medication records
□ Immunization records
□ Billing and payment records
□ Other (specify): _______________________________________

B. Date Range of Records
(Check one)

□ All records regardless of date
□ Records from //______ to //______
□ Records created up to and including the date of this authorization
□ Records created after the date of this authorization until its expiration
□ Other (specify): _______________________________________

C. Sensitive Information
I understand that certain types of sensitive health information require specific authorization for disclosure. By initialing below, I specifically authorize the disclosure of the following types of sensitive information (if such information exists in my records) for the time period specified above:

_____ Mental health treatment information (excluding psychotherapy notes)
_____ Substance use disorder diagnosis, treatment, or referral information
_____ HIV/AIDS testing, diagnosis, or treatment information
_____ Sexually transmitted disease information
_____ Genetic testing/information
_____ Reproductive health information (including abortion records)
_____ Domestic/sexual violence information

Note regarding Psychotherapy Notes: This authorization DOES NOT include permission to release psychotherapy notes. Under HIPAA, psychotherapy notes are defined as notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session that are kept separate from the rest of the medical record. Release of psychotherapy notes requires a separate authorization form.

VI. TIME LIMITATIONS AND EXPIRATION

This authorization will remain in effect: (Check one)

□ From the date of this authorization until: //______
□ Until the following event occurs: _________________________
□ For one (1) year from the date of signature below
□ Until the purpose of the disclosure is fulfilled
□ Other (specify): _______________________________________

VII. YOUR RIGHTS REGARDING THIS AUTHORIZATION

A. Right to Revoke: I understand that I have the right to revoke this authorization, in writing, at any time by sending written notification to:

I understand that my revocation will not be effective to the extent that action has already been taken in reliance on this authorization, or if this authorization was obtained as a condition of obtaining insurance coverage and the law provides the insurer with the right to contest a claim under the policy or to contest the policy itself.

B. Right to Inspect or Copy: I understand that I have the right to inspect or copy the protected health information that may be used or disclosed pursuant to this authorization, as provided in the HIPAA Privacy Rule.

C. Right to Receive Copy: I understand that I have the right to receive a copy of this signed authorization.

VIII. REDISCLOSURE NOTICE

I understand that information disclosed pursuant to this authorization may be subject to redisclosure by the recipient(s) and may no longer be protected by federal or state privacy laws, including HIPAA. The healthcare provider, its employees, officers, and physicians are hereby released from any legal responsibility or liability for disclosure of the above information to the extent indicated and authorized herein.

IX. TREATMENT, PAYMENT, ENROLLMENT, OR ELIGIBILITY FOR BENEFITS

I understand that Name of Healthcare Provider/Organization _________________ may not condition my treatment, payment, enrollment in a health plan, or eligibility for benefits on whether I sign this authorization, except:

  1. If the authorization is for research-related treatment, in which case treatment may be conditioned on my signing this form;
  2. If the purpose of the authorization is to determine my eligibility for enrollment or underwriting; or
  3. If the authorization is solely for the purpose of creating protected health information for disclosure to a third party (such as pre-employment physicals or life insurance examinations).

X. POTENTIAL FOR FINANCIAL GAIN

□ I understand that Name of Healthcare Provider/Organization _________________ □ will □ will not receive direct or indirect compensation or remuneration from a third party in exchange for using or disclosing my health information.

XI. SPECIAL PROVISIONS

A. Substance Use Disorder Records (42 CFR Part 2 Compliance):
If this authorization includes the release of information related to substance use disorder diagnosis, treatment, or referral, I understand that such information is protected by federal confidentiality rules (42 CFR Part 2). These rules prohibit recipients from making any further disclosure of substance use disorder information unless further disclosure is expressly permitted by my written authorization or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any substance use disorder patient.

B. Research-Related Disclosures (if applicable):
□ This authorization is for research purposes. I understand the following:

  • Description of the research: _________________________
  • Potential risks and benefits: _________________________
  • My right to refuse participation without affecting my care: _________________________

C. Marketing-Related Disclosures (if applicable):
□ This authorization is for marketing purposes. I understand the following:

  • Description of marketing activity: _________________________
  • Whether the provider will receive financial remuneration: □ Yes □ No
  • My right to revoke specifically for this purpose: _________________________

XII. STATE LAW COMPLIANCE

I understand that my health information may be protected by state laws that provide more stringent protections than federal law. This authorization is intended to comply with all applicable state laws, including but not limited to laws regarding mental health, developmental disabilities, substance use disorders, communicable diseases, genetic information, and reproductive health.

XIII. PERSONAL REPRESENTATIVE INFORMATION (if applicable)

If this authorization is being signed by a personal representative of the patient:

Name of Personal Representative: _________________________
Relationship to Patient: _________________________________
Legal Authority: □ Parent of Minor □ Legal Guardian □ Power of Attorney for Healthcare □ Other (specify): _________________________

Documentation: I have attached the following documentation of my authority to act for the patient (check all that apply): □ Court Order □ Power of Attorney □ Guardianship Papers □ Other: _________________________

XIV. MINOR PATIENT PROVISIONS (if applicable)

For patients under 18 years of age:

A. Parental/Guardian Authorization:
I affirm that I am the parent or legal guardian of the minor patient named above and have legal authority to make healthcare decisions for this minor patient.

B. Special Provisions for Minor Consent Services:
I understand that in certain circumstances, minors may consent to their own healthcare services without parental consent as permitted by state law (such as reproductive health services, mental health services, substance use disorder treatment, or sexually transmitted infection testing/treatment). In such cases, the minor's authorization may be required for the release of those specific records.

XV. SIGNATURES

By signing below, I acknowledge that I have read and understand this authorization, and I authorize the use and/or disclosure of my protected health information as described in this document.

Patient Signature: _____________________________________
Date: //______
Time: : □ AM □ PM

OR

Personal Representative Signature: _______________________
Date: //______
Time: : □ AM □ PM

XVI. WITNESS (if required by facility policy)

Witness Signature: ____________________________________
Witness Name (printed): _______________________________
Date: //______

XVII. INTERPRETER (if applicable)

Interpreter Signature: _________________________________
Interpreter Name (printed): ____________________________
Language Interpreted: ________________________________
Date: //______

FOR HEALTHCARE PROVIDER USE ONLY

Authorization Received by: ____________________________
Verification Method: _________________________________
Date Processed: //______
Medical Record Updated: □ Yes □ No
Authorization Scanned into Record: □ Yes □ No
Patient/Representative Provided Copy: □ Yes □ No

California Requirements for HIPAA Authorization

Federal Authorization Requirements (45 CFR § 164.508(c))

The authorization must be written in plain language and contain specific elements including a description of the information to be disclosed, the person authorized to make the disclosure, the person to whom the disclosure may be made, an expiration date, and a statement of the individual's right to revoke the authorization.

Core Elements of Authorization (45 CFR § 164.508(c)(1))

The authorization must include a description of the information to be used or disclosed, identification of persons authorized to make the requested use or disclosure, identification of persons to whom the covered entity may make the requested use or disclosure, description of each purpose of the requested use or disclosure, expiration date or event, and signature of the individual with date.

Required Statements (45 CFR § 164.508(c)(2))

The authorization must include statements about the individual's right to revoke the authorization in writing, the ability or inability to condition treatment on the authorization, and the potential for information to be redisclosed by the recipient and no longer protected by the Privacy Rule.

Compound Authorizations (45 CFR § 164.508(b)(3))

An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except in specific circumstances outlined in the regulation.

Prohibition on Conditioning (45 CFR § 164.508(b)(4))

A covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether an individual signs an authorization, except in limited circumstances.

Revocation Rights (45 CFR § 164.508(b)(5))

An individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that the covered entity has taken action in reliance on the authorization.

Documentation Requirements (45 CFR § 164.508(b)(6))

A covered entity must document and retain any signed authorization as required by 45 CFR § 164.530(j).

California Confidentiality of Medical Information Act (California Civil Code § 56 et seq.)

California's CMIA provides additional protections for medical information and requires specific authorization for the release of medical information, which must be in a separate document from other legal instruments.

California Authorization Requirements (California Civil Code § 56.11)

Under California law, an authorization for release of medical information must be handwritten by the person signing it or in at least 14-point type, clearly separate from any other language on the same page, and signed and dated by the patient or the patient's legal representative.

California Specific Content Requirements (California Civil Code § 56.11(a)-(g))

California law requires specific content in authorizations including the name of the provider, the name of the person or entity authorized to receive the information, specific types of information to be disclosed, limitations on the use of information, the signature of the patient, and the date of signing.

California Duration Limitation (California Civil Code § 56.11(h))

In California, an authorization for release of medical information is valid for no more than one year after the date it was signed by the patient, unless otherwise specified in the authorization.

California Mental Health Information (California Welfare and Institutions Code § 5328)

Special requirements apply to the disclosure of mental health information in California, requiring specific authorization for the release of psychotherapy notes and information related to mental health services.

California HIV Test Results (California Health and Safety Code § 120980)

California law provides enhanced protections for HIV test results, requiring specific written authorization for disclosure that states 'HIV test' or 'HIV test results' and specifies to whom the disclosure would be made.

California Substance Use Disorder Information (California Health and Safety Code § 11845.5)

California law provides additional protections for information related to substance use disorder treatment, requiring specific authorization for disclosure.

California Genetic Information (California Insurance Code § 10123.35)

California law provides specific protections for genetic information and requires explicit authorization for the disclosure of genetic test results.

California Minor Consent Laws (California Family Code § 6920-6929)

California has specific laws regarding minors' ability to consent to certain types of healthcare and the disclosure of related information, which must be reflected in authorizations involving minors' protected health information.

California Electronic Signature Requirements (California Civil Code § 1633.1 et seq.)

California law recognizes electronic signatures for HIPAA authorizations, but they must comply with both federal ESIGN Act and California's Uniform Electronic Transactions Act requirements.

Psychotherapy Notes (45 CFR § 164.508(b)(3)(ii))

Federal law requires a separate authorization for the use or disclosure of psychotherapy notes, which cannot be combined with an authorization for any other type of protected health information.

Marketing Authorizations (45 CFR § 164.508(a)(3))

If the authorization is for marketing purposes that involve financial remuneration, the authorization must state that such remuneration is involved.

Sale of PHI (45 CFR § 164.508(a)(4))

An authorization for the sale of protected health information must state that the disclosure will result in remuneration to the covered entity.

Frequently Asked Questions

A HIPAA Authorization is a detailed permission form that allows healthcare providers to disclose your protected health information (PHI) to specific individuals or organizations. This document must contain several key elements to be valid: a description of the information to be shared, who can disclose the information, who can receive it, an expiration date or event, the purpose of the disclosure, your signature, and the date. Unlike the general consent forms you sign at medical offices, a HIPAA Authorization gives you granular control over exactly what information is shared and with whom.

Even if you're married, your spouse doesn't automatically have the right to access your medical information under HIPAA privacy rules. A HIPAA Authorization ensures your spouse can communicate with your healthcare providers, access your medical records, and make informed decisions about your care if you're unable to do so. For married couples with children, it's also important to have HIPAA Authorizations for minor children once they become teenagers, as certain sensitive health information may be protected even from parents in some states.

Yes, single individuals without children may have an even greater need for a HIPAA Authorization. Without a spouse or adult children to advocate for you, it's crucial to designate trusted friends, siblings, or other relatives who can access your medical information in an emergency. Without a HIPAA Authorization in place, doctors may be unable to share your medical information with anyone, potentially leaving you without an advocate during a health crisis.

High net worth individuals often have complex financial and estate planning arrangements that can be affected by health conditions. A HIPAA Authorization can allow your financial advisors, trustees, or estate planning attorneys to receive necessary medical information to properly manage your affairs if you become incapacitated. Additionally, it provides an extra layer of privacy protection by specifically limiting who can access your sensitive health information, which may be particularly important for individuals with significant public profiles or privacy concerns.

While related, these documents serve different purposes. A healthcare power of attorney (or healthcare proxy) appoints someone to make medical decisions on your behalf if you're unable to do so. A HIPAA Authorization, on the other hand, simply allows healthcare providers to share your medical information with designated individuals—it doesn't grant decision-making authority. For comprehensive protection, most estate planning attorneys recommend having both documents as part of your healthcare planning.

Yes, one of the key benefits of a HIPAA Authorization is that you can be very specific about what information can be disclosed. You can limit the authorization to certain conditions (like only sharing information about a specific diagnosis), certain time periods, or certain types of records. For example, you might authorize sharing of your general medical information but exclude mental health records, substance abuse treatment information, or genetic testing results.

A HIPAA Authorization must include an expiration date or expiration event. This could be a specific date (like one year from signing), the occurrence of an event (like 'until the conclusion of my cancer treatment'), or even 'end of the research study' for research-related authorizations. You can also revoke a HIPAA Authorization at any time by providing written notice to the healthcare provider or entity that originally received the authorization.

While many healthcare providers have their own HIPAA Authorization forms, these are often limited in scope. For comprehensive protection as part of your estate planning, it's advisable to have a HIPAA Authorization drafted by an attorney who specializes in estate planning or healthcare law. This ensures the document will be properly integrated with your other advance directives and estate planning documents. Some estate planning software packages also include HIPAA Authorization templates, though these should be reviewed carefully to ensure they meet your specific needs.