DocDraft Logo

HIPAA Authorization: What You Need to Know to Protect Your Medical Privacy

Learn about HIPAA Authorization forms, why they matter for your healthcare privacy, and how to use them effectively regardless of your family or financial situation.

Introduction

A HIPAA Authorization is a legal document that gives healthcare providers permission to share your protected health information with specific people or organizations. Unlike the basic HIPAA privacy notices you routinely sign at doctor's offices, a HIPAA Authorization provides you with control over who can access your medical information beyond your direct healthcare providers. Whether you're married with children, single, or have significant assets to protect, understanding how to use HIPAA Authorizations effectively is crucial for maintaining privacy while ensuring your loved ones can help during medical emergencies.

Key Things to Know

  1. 1

    HIPAA Authorizations are revocable at any time—you can change your mind about who has access to your information.

  2. 2

    Without a HIPAA Authorization, healthcare providers may be legally prohibited from sharing your medical information, even with close family members.

  3. 3

    Consider updating your HIPAA Authorization after major life events such as marriage, divorce, or when children reach adulthood.

  4. 4

    Be specific about what information can be shared—you can exclude sensitive information like mental health records or genetic testing if desired.

  5. 5

    Keep copies of your signed HIPAA Authorization with your other important documents and provide copies to your designated representatives.

  6. 6

    A HIPAA Authorization works best when paired with other healthcare documents like an advance directive and healthcare power of attorney.

  7. 7

    Different healthcare systems may have their own HIPAA Authorization forms, so you may need to complete multiple forms for different providers.

Key Decisions

Single individuals without children

High net worth individuals

Married individuals with children

Customize your HIPAA Authorization Template with DocDraft

AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA)

I. PATIENT INFORMATION

Full Legal Name: ______________________________________
Date of Birth: //________
Address: ____________________________________________
City, State, Zip: ______________________________________
Phone Number: (___) -
Email Address: _______________________________________
Medical Record Number: ______________________________
Other Identifier (if applicable): _________________________

II. AUTHORIZATION

I hereby authorize the use and/or disclosure of my protected health information as described below. I understand that this authorization is voluntary and that I may refuse to sign it. I further understand that my treatment, payment, enrollment in a health plan, or eligibility for benefits will not be conditioned upon my providing this authorization except in limited circumstances as permitted by law.

III. AUTHORIZED RECIPIENTS

I authorize the following person(s) and/or organization(s) to receive my protected health information:

Recipient 1:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 2:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 3:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

IV. PURPOSE OF DISCLOSURE

The protected health information is being disclosed for the following purpose(s): (Check all that apply)

□ At the request of the patient or personal representative
□ Continuity of medical care
□ Insurance/benefits eligibility or claims
□ Legal proceedings or representation
□ Disability determination
□ Workers' compensation
□ Personal records/use
□ Other (specify): _______________________________________

V. INFORMATION TO BE DISCLOSED

A. Scope of Information
(Check all that apply)

□ Complete medical record
□ Hospital/inpatient records
□ Outpatient/clinic records
□ Emergency department records
□ Laboratory results
□ Radiology/imaging reports
□ Pathology reports
□ Consultation reports
□ Progress notes
□ Physician orders
□ Nursing notes
□ Medication records
□ Immunization records
□ Billing and payment records
□ Other (specify): _______________________________________

B. Date Range of Records
(Check one)

□ All records regardless of date
□ Records from //______ to //______
□ Records created up to and including the date of this authorization
□ Records created after the date of this authorization until its expiration
□ Other (specify): _______________________________________

C. Sensitive Information
I understand that certain types of sensitive health information require specific authorization for disclosure. By initialing below, I specifically authorize the disclosure of the following types of sensitive information (if such information exists in my records) for the time period specified above:

_____ Mental health treatment information (excluding psychotherapy notes)
_____ Substance use disorder diagnosis, treatment, or referral information
_____ HIV/AIDS testing, diagnosis, or treatment information
_____ Sexually transmitted disease information
_____ Genetic testing/information
_____ Reproductive health information (including abortion records)
_____ Domestic/sexual violence information

Note regarding Psychotherapy Notes: This authorization DOES NOT include permission to release psychotherapy notes. Under HIPAA, psychotherapy notes are defined as notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session that are kept separate from the rest of the medical record. Release of psychotherapy notes requires a separate authorization form.

VI. TIME LIMITATIONS AND EXPIRATION

This authorization will remain in effect: (Check one)

□ From the date of this authorization until: //______
□ Until the following event occurs: _________________________
□ For one (1) year from the date of signature below
□ Until the purpose of the disclosure is fulfilled
□ Other (specify): _______________________________________

VII. YOUR RIGHTS REGARDING THIS AUTHORIZATION

A. Right to Revoke: I understand that I have the right to revoke this authorization, in writing, at any time by sending written notification to:

I understand that my revocation will not be effective to the extent that action has already been taken in reliance on this authorization, or if this authorization was obtained as a condition of obtaining insurance coverage and the law provides the insurer with the right to contest a claim under the policy or to contest the policy itself.

B. Right to Inspect or Copy: I understand that I have the right to inspect or copy the protected health information that may be used or disclosed pursuant to this authorization, as provided in the HIPAA Privacy Rule.

C. Right to Receive Copy: I understand that I have the right to receive a copy of this signed authorization.

VIII. REDISCLOSURE NOTICE

I understand that information disclosed pursuant to this authorization may be subject to redisclosure by the recipient(s) and may no longer be protected by federal or state privacy laws, including HIPAA. The healthcare provider, its employees, officers, and physicians are hereby released from any legal responsibility or liability for disclosure of the above information to the extent indicated and authorized herein.

IX. TREATMENT, PAYMENT, ENROLLMENT, OR ELIGIBILITY FOR BENEFITS

I understand that Name of Healthcare Provider/Organization _________________ may not condition my treatment, payment, enrollment in a health plan, or eligibility for benefits on whether I sign this authorization, except:

  1. If the authorization is for research-related treatment, in which case treatment may be conditioned on my signing this form;
  2. If the purpose of the authorization is to determine my eligibility for enrollment or underwriting; or
  3. If the authorization is solely for the purpose of creating protected health information for disclosure to a third party (such as pre-employment physicals or life insurance examinations).

X. POTENTIAL FOR FINANCIAL GAIN

□ I understand that Name of Healthcare Provider/Organization _________________ □ will □ will not receive direct or indirect compensation or remuneration from a third party in exchange for using or disclosing my health information.

XI. SPECIAL PROVISIONS

A. Substance Use Disorder Records (42 CFR Part 2 Compliance):
If this authorization includes the release of information related to substance use disorder diagnosis, treatment, or referral, I understand that such information is protected by federal confidentiality rules (42 CFR Part 2). These rules prohibit recipients from making any further disclosure of substance use disorder information unless further disclosure is expressly permitted by my written authorization or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any substance use disorder patient.

B. Research-Related Disclosures (if applicable):
□ This authorization is for research purposes. I understand the following:

  • Description of the research: _________________________
  • Potential risks and benefits: _________________________
  • My right to refuse participation without affecting my care: _________________________

C. Marketing-Related Disclosures (if applicable):
□ This authorization is for marketing purposes. I understand the following:

  • Description of marketing activity: _________________________
  • Whether the provider will receive financial remuneration: □ Yes □ No
  • My right to revoke specifically for this purpose: _________________________

XII. STATE LAW COMPLIANCE

I understand that my health information may be protected by state laws that provide more stringent protections than federal law. This authorization is intended to comply with all applicable state laws, including but not limited to laws regarding mental health, developmental disabilities, substance use disorders, communicable diseases, genetic information, and reproductive health.

XIII. PERSONAL REPRESENTATIVE INFORMATION (if applicable)

If this authorization is being signed by a personal representative of the patient:

Name of Personal Representative: _________________________
Relationship to Patient: _________________________________
Legal Authority: □ Parent of Minor □ Legal Guardian □ Power of Attorney for Healthcare □ Other (specify): _________________________

Documentation: I have attached the following documentation of my authority to act for the patient (check all that apply): □ Court Order □ Power of Attorney □ Guardianship Papers □ Other: _________________________

XIV. MINOR PATIENT PROVISIONS (if applicable)

For patients under 18 years of age:

A. Parental/Guardian Authorization:
I affirm that I am the parent or legal guardian of the minor patient named above and have legal authority to make healthcare decisions for this minor patient.

B. Special Provisions for Minor Consent Services:
I understand that in certain circumstances, minors may consent to their own healthcare services without parental consent as permitted by state law (such as reproductive health services, mental health services, substance use disorder treatment, or sexually transmitted infection testing/treatment). In such cases, the minor's authorization may be required for the release of those specific records.

XV. SIGNATURES

By signing below, I acknowledge that I have read and understand this authorization, and I authorize the use and/or disclosure of my protected health information as described in this document.

Patient Signature: _____________________________________
Date: //______
Time: : □ AM □ PM

OR

Personal Representative Signature: _______________________
Date: //______
Time: : □ AM □ PM

XVI. WITNESS (if required by facility policy)

Witness Signature: ____________________________________
Witness Name (printed): _______________________________
Date: //______

XVII. INTERPRETER (if applicable)

Interpreter Signature: _________________________________
Interpreter Name (printed): ____________________________
Language Interpreted: ________________________________
Date: //______

FOR HEALTHCARE PROVIDER USE ONLY

Authorization Received by: ____________________________
Verification Method: _________________________________
Date Processed: //______
Medical Record Updated: □ Yes □ No
Authorization Scanned into Record: □ Yes □ No
Patient/Representative Provided Copy: □ Yes □ No

New Jersey Requirements for HIPAA Authorization

Federal Authorization Requirements (45 CFR § 164.508(c))

The HIPAA Authorization must be written in plain language and contain specific elements including a description of the information to be disclosed, the person authorized to make the disclosure, the person to whom the disclosure may be made, an expiration date, and a statement of the individual's right to revoke the authorization.

Core Elements of Authorization (45 CFR § 164.508(c)(1))

The authorization must include a description of the information to be used or disclosed, the name of the person(s) authorized to make the requested use or disclosure, the name of the person(s) to whom the covered entity may make the disclosure, an expiration date or event, and the signature of the individual and date.

Required Statements (45 CFR § 164.508(c)(2))

The authorization must include statements about the individual's right to revoke the authorization in writing, the ability or inability to condition treatment on the authorization, and the potential for information to be redisclosed by the recipient and no longer protected by HIPAA.

New Jersey Health Information Exchange (N.J.A.C. 8:57-3.19)

For authorizations involving the New Jersey Health Information Exchange (NJHIN), the document must comply with state-specific requirements for electronic health information exchange and explicitly state whether data may be shared through the NJHIN.

Mental Health Records (N.J.S.A. 30:4-24.3)

For disclosure of mental health records in New Jersey, the authorization must specifically indicate that mental health information is being disclosed and may require additional protections beyond standard HIPAA requirements.

HIV/AIDS Information (N.J.S.A. 26:5C-1 et seq.)

New Jersey law requires specific and explicit authorization for the disclosure of HIV/AIDS-related information, with clear statements about the purpose of disclosure and potential consequences of release.

Substance Use Disorder Records (N.J.S.A. 26:2B-15; 42 CFR Part 2)

For substance use disorder records, both federal regulations (42 CFR Part 2) and New Jersey law require specific authorization elements beyond HIPAA, including explicit consent for each disclosure and prohibition on redisclosure.

Genetic Information (N.J.S.A. 10:5-45)

New Jersey's Genetic Privacy Act requires specific authorization for the disclosure of genetic information, with explicit statements about the purpose and limitations of disclosure.

Minors' Health Information (N.J.S.A. 9:17A-4; N.J.S.A. 9:17A-1 et seq.)

For minors in New Jersey, special rules apply to authorizations for certain sensitive services (reproductive health, substance use, mental health) that minors can consent to without parental involvement, requiring compliance with both HIPAA and state minor consent laws.

Prohibition on Remuneration (45 CFR § 164.508(a)(4))

The authorization must disclose if the disclosure will result in remuneration to the covered entity from the recipient of the PHI, as required by the HITECH Act amendments to HIPAA.

Marketing Disclosures (45 CFR § 164.508(a)(3))

If the authorization is for marketing purposes, it must state if the marketing involves direct or indirect remuneration to the covered entity from a third party.

Research Participation (45 CFR § 164.508(c)(1)(v))

For research-related disclosures, the authorization must meet specific requirements including a description of the research study, expiration tied to the research, and statements about conditions for treatment related to research participation.

Psychotherapy Notes (45 CFR § 164.508(b)(3)(ii))

For disclosure of psychotherapy notes, a separate authorization specific to psychotherapy notes is required and cannot be combined with authorizations for other health information.

New Jersey Patient Safety Act (N.J.S.A. 26:2H-12.23 et seq.)

For disclosures related to patient safety events or information reported to Patient Safety Organizations, the authorization must comply with New Jersey's Patient Safety Act protections and explicitly state that such information is being disclosed.

Electronic Signatures (N.J.S.A. 12A:12-1 et seq.)

New Jersey follows the Uniform Electronic Transactions Act, allowing for electronic signatures on HIPAA Authorizations if proper authentication and security measures are in place to verify the signer's identity.

Compound Authorizations (45 CFR § 164.508(b)(3))

HIPAA prohibits combining authorizations with other documents (like consent to treatment) except in specific circumstances. The authorization must be separate or clearly distinguishable from other documents.

Copy to Individual (45 CFR § 164.508(c)(4))

The covered entity must provide a copy of the signed authorization to the individual, as required by federal HIPAA regulations.

New Jersey Medical Records Access (N.J.A.C. 8:43G-15.3)

The authorization must comply with New Jersey's laws regarding patient access to medical records, including provisions for reasonable fees for copies and timelines for providing access.

Specially Protected Information (N.J.S.A. 26:4-41)

New Jersey law requires that authorizations for specially protected health information (including sexually transmitted diseases, tuberculosis, and certain other conditions) contain specific statements about the sensitivity of the information being disclosed.

Revocation Process (45 CFR § 164.508(c)(2)(i); N.J.A.C. 13:35-6.5)

The authorization must describe the process for revocation, including where and how to submit a revocation request, in compliance with both federal HIPAA requirements and New Jersey state law.

Frequently Asked Questions

A HIPAA Authorization is a detailed permission form that allows healthcare providers to disclose your protected health information (PHI) to specific individuals or organizations. This document must contain several key elements to be valid: a description of the information to be shared, who can disclose the information, who can receive it, an expiration date or event, the purpose of the disclosure, your signature, and the date. Unlike the general consent forms you sign at medical offices, a HIPAA Authorization gives you granular control over exactly what information is shared and with whom.

Even if you're married, your spouse doesn't automatically have the right to access your medical information under HIPAA privacy rules. A HIPAA Authorization ensures your spouse can communicate with your healthcare providers, access your medical records, and make informed decisions about your care if you're unable to do so. For married couples with children, it's also important to have HIPAA Authorizations for minor children once they become teenagers, as certain sensitive health information may be protected even from parents in some states.

Yes, single individuals without children may have an even greater need for a HIPAA Authorization. Without a spouse or adult children to advocate for you, it's crucial to designate trusted friends, siblings, or other relatives who can access your medical information in an emergency. Without a HIPAA Authorization in place, doctors may be unable to share your medical information with anyone, potentially leaving you without an advocate during a health crisis.

High net worth individuals often have complex financial and estate planning arrangements that can be affected by health conditions. A HIPAA Authorization can allow your financial advisors, trustees, or estate planning attorneys to receive necessary medical information to properly manage your affairs if you become incapacitated. Additionally, it provides an extra layer of privacy protection by specifically limiting who can access your sensitive health information, which may be particularly important for individuals with significant public profiles or privacy concerns.

While related, these documents serve different purposes. A healthcare power of attorney (or healthcare proxy) appoints someone to make medical decisions on your behalf if you're unable to do so. A HIPAA Authorization, on the other hand, simply allows healthcare providers to share your medical information with designated individuals—it doesn't grant decision-making authority. For comprehensive protection, most estate planning attorneys recommend having both documents as part of your healthcare planning.

Yes, one of the key benefits of a HIPAA Authorization is that you can be very specific about what information can be disclosed. You can limit the authorization to certain conditions (like only sharing information about a specific diagnosis), certain time periods, or certain types of records. For example, you might authorize sharing of your general medical information but exclude mental health records, substance abuse treatment information, or genetic testing results.

A HIPAA Authorization must include an expiration date or expiration event. This could be a specific date (like one year from signing), the occurrence of an event (like 'until the conclusion of my cancer treatment'), or even 'end of the research study' for research-related authorizations. You can also revoke a HIPAA Authorization at any time by providing written notice to the healthcare provider or entity that originally received the authorization.

While many healthcare providers have their own HIPAA Authorization forms, these are often limited in scope. For comprehensive protection as part of your estate planning, it's advisable to have a HIPAA Authorization drafted by an attorney who specializes in estate planning or healthcare law. This ensures the document will be properly integrated with your other advance directives and estate planning documents. Some estate planning software packages also include HIPAA Authorization templates, though these should be reviewed carefully to ensure they meet your specific needs.