DocDraft Logo

HIPAA Authorization: What You Need to Know to Protect Your Medical Privacy

Learn about HIPAA Authorization forms, why they matter for your healthcare privacy, and how to use them effectively regardless of your family or financial situation.

Introduction

A HIPAA Authorization is a legal document that gives healthcare providers permission to share your protected health information with specific people or organizations. Unlike the basic HIPAA privacy notices you routinely sign at doctor's offices, a HIPAA Authorization provides you with control over who can access your medical information beyond your direct healthcare providers. Whether you're married with children, single, or have significant assets to protect, understanding how to use HIPAA Authorizations effectively is crucial for maintaining privacy while ensuring your loved ones can help during medical emergencies.

Key Things to Know

  1. 1

    HIPAA Authorizations are revocable at any time—you can change your mind about who has access to your information.

  2. 2

    Without a HIPAA Authorization, healthcare providers may be legally prohibited from sharing your medical information, even with close family members.

  3. 3

    Consider updating your HIPAA Authorization after major life events such as marriage, divorce, or when children reach adulthood.

  4. 4

    Be specific about what information can be shared—you can exclude sensitive information like mental health records or genetic testing if desired.

  5. 5

    Keep copies of your signed HIPAA Authorization with your other important documents and provide copies to your designated representatives.

  6. 6

    A HIPAA Authorization works best when paired with other healthcare documents like an advance directive and healthcare power of attorney.

  7. 7

    Different healthcare systems may have their own HIPAA Authorization forms, so you may need to complete multiple forms for different providers.

Key Decisions

Single individuals without children

High net worth individuals

Married individuals with children

Customize your HIPAA Authorization Template with DocDraft

AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA)

I. PATIENT INFORMATION

Full Legal Name: ______________________________________
Date of Birth: //________
Address: ____________________________________________
City, State, Zip: ______________________________________
Phone Number: (___) -
Email Address: _______________________________________
Medical Record Number: ______________________________
Other Identifier (if applicable): _________________________

II. AUTHORIZATION

I hereby authorize the use and/or disclosure of my protected health information as described below. I understand that this authorization is voluntary and that I may refuse to sign it. I further understand that my treatment, payment, enrollment in a health plan, or eligibility for benefits will not be conditioned upon my providing this authorization except in limited circumstances as permitted by law.

III. AUTHORIZED RECIPIENTS

I authorize the following person(s) and/or organization(s) to receive my protected health information:

Recipient 1:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 2:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 3:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

IV. PURPOSE OF DISCLOSURE

The protected health information is being disclosed for the following purpose(s): (Check all that apply)

□ At the request of the patient or personal representative
□ Continuity of medical care
□ Insurance/benefits eligibility or claims
□ Legal proceedings or representation
□ Disability determination
□ Workers' compensation
□ Personal records/use
□ Other (specify): _______________________________________

V. INFORMATION TO BE DISCLOSED

A. Scope of Information
(Check all that apply)

□ Complete medical record
□ Hospital/inpatient records
□ Outpatient/clinic records
□ Emergency department records
□ Laboratory results
□ Radiology/imaging reports
□ Pathology reports
□ Consultation reports
□ Progress notes
□ Physician orders
□ Nursing notes
□ Medication records
□ Immunization records
□ Billing and payment records
□ Other (specify): _______________________________________

B. Date Range of Records
(Check one)

□ All records regardless of date
□ Records from //______ to //______
□ Records created up to and including the date of this authorization
□ Records created after the date of this authorization until its expiration
□ Other (specify): _______________________________________

C. Sensitive Information
I understand that certain types of sensitive health information require specific authorization for disclosure. By initialing below, I specifically authorize the disclosure of the following types of sensitive information (if such information exists in my records) for the time period specified above:

_____ Mental health treatment information (excluding psychotherapy notes)
_____ Substance use disorder diagnosis, treatment, or referral information
_____ HIV/AIDS testing, diagnosis, or treatment information
_____ Sexually transmitted disease information
_____ Genetic testing/information
_____ Reproductive health information (including abortion records)
_____ Domestic/sexual violence information

Note regarding Psychotherapy Notes: This authorization DOES NOT include permission to release psychotherapy notes. Under HIPAA, psychotherapy notes are defined as notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session that are kept separate from the rest of the medical record. Release of psychotherapy notes requires a separate authorization form.

VI. TIME LIMITATIONS AND EXPIRATION

This authorization will remain in effect: (Check one)

□ From the date of this authorization until: //______
□ Until the following event occurs: _________________________
□ For one (1) year from the date of signature below
□ Until the purpose of the disclosure is fulfilled
□ Other (specify): _______________________________________

VII. YOUR RIGHTS REGARDING THIS AUTHORIZATION

A. Right to Revoke: I understand that I have the right to revoke this authorization, in writing, at any time by sending written notification to:

I understand that my revocation will not be effective to the extent that action has already been taken in reliance on this authorization, or if this authorization was obtained as a condition of obtaining insurance coverage and the law provides the insurer with the right to contest a claim under the policy or to contest the policy itself.

B. Right to Inspect or Copy: I understand that I have the right to inspect or copy the protected health information that may be used or disclosed pursuant to this authorization, as provided in the HIPAA Privacy Rule.

C. Right to Receive Copy: I understand that I have the right to receive a copy of this signed authorization.

VIII. REDISCLOSURE NOTICE

I understand that information disclosed pursuant to this authorization may be subject to redisclosure by the recipient(s) and may no longer be protected by federal or state privacy laws, including HIPAA. The healthcare provider, its employees, officers, and physicians are hereby released from any legal responsibility or liability for disclosure of the above information to the extent indicated and authorized herein.

IX. TREATMENT, PAYMENT, ENROLLMENT, OR ELIGIBILITY FOR BENEFITS

I understand that Name of Healthcare Provider/Organization _________________ may not condition my treatment, payment, enrollment in a health plan, or eligibility for benefits on whether I sign this authorization, except:

  1. If the authorization is for research-related treatment, in which case treatment may be conditioned on my signing this form;
  2. If the purpose of the authorization is to determine my eligibility for enrollment or underwriting; or
  3. If the authorization is solely for the purpose of creating protected health information for disclosure to a third party (such as pre-employment physicals or life insurance examinations).

X. POTENTIAL FOR FINANCIAL GAIN

□ I understand that Name of Healthcare Provider/Organization _________________ □ will □ will not receive direct or indirect compensation or remuneration from a third party in exchange for using or disclosing my health information.

XI. SPECIAL PROVISIONS

A. Substance Use Disorder Records (42 CFR Part 2 Compliance):
If this authorization includes the release of information related to substance use disorder diagnosis, treatment, or referral, I understand that such information is protected by federal confidentiality rules (42 CFR Part 2). These rules prohibit recipients from making any further disclosure of substance use disorder information unless further disclosure is expressly permitted by my written authorization or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any substance use disorder patient.

B. Research-Related Disclosures (if applicable):
□ This authorization is for research purposes. I understand the following:

  • Description of the research: _________________________
  • Potential risks and benefits: _________________________
  • My right to refuse participation without affecting my care: _________________________

C. Marketing-Related Disclosures (if applicable):
□ This authorization is for marketing purposes. I understand the following:

  • Description of marketing activity: _________________________
  • Whether the provider will receive financial remuneration: □ Yes □ No
  • My right to revoke specifically for this purpose: _________________________

XII. STATE LAW COMPLIANCE

I understand that my health information may be protected by state laws that provide more stringent protections than federal law. This authorization is intended to comply with all applicable state laws, including but not limited to laws regarding mental health, developmental disabilities, substance use disorders, communicable diseases, genetic information, and reproductive health.

XIII. PERSONAL REPRESENTATIVE INFORMATION (if applicable)

If this authorization is being signed by a personal representative of the patient:

Name of Personal Representative: _________________________
Relationship to Patient: _________________________________
Legal Authority: □ Parent of Minor □ Legal Guardian □ Power of Attorney for Healthcare □ Other (specify): _________________________

Documentation: I have attached the following documentation of my authority to act for the patient (check all that apply): □ Court Order □ Power of Attorney □ Guardianship Papers □ Other: _________________________

XIV. MINOR PATIENT PROVISIONS (if applicable)

For patients under 18 years of age:

A. Parental/Guardian Authorization:
I affirm that I am the parent or legal guardian of the minor patient named above and have legal authority to make healthcare decisions for this minor patient.

B. Special Provisions for Minor Consent Services:
I understand that in certain circumstances, minors may consent to their own healthcare services without parental consent as permitted by state law (such as reproductive health services, mental health services, substance use disorder treatment, or sexually transmitted infection testing/treatment). In such cases, the minor's authorization may be required for the release of those specific records.

XV. SIGNATURES

By signing below, I acknowledge that I have read and understand this authorization, and I authorize the use and/or disclosure of my protected health information as described in this document.

Patient Signature: _____________________________________
Date: //______
Time: : □ AM □ PM

OR

Personal Representative Signature: _______________________
Date: //______
Time: : □ AM □ PM

XVI. WITNESS (if required by facility policy)

Witness Signature: ____________________________________
Witness Name (printed): _______________________________
Date: //______

XVII. INTERPRETER (if applicable)

Interpreter Signature: _________________________________
Interpreter Name (printed): ____________________________
Language Interpreted: ________________________________
Date: //______

FOR HEALTHCARE PROVIDER USE ONLY

Authorization Received by: ____________________________
Verification Method: _________________________________
Date Processed: //______
Medical Record Updated: □ Yes □ No
Authorization Scanned into Record: □ Yes □ No
Patient/Representative Provided Copy: □ Yes □ No

Virginia Requirements for HIPAA Authorization

Federal Authorization Requirements (45 CFR § 164.508(c))

The HIPAA Authorization must be written in plain language and contain specific elements including a description of the information to be disclosed, the person authorized to make the disclosure, the person to whom the disclosure may be made, an expiration date, and a statement of the individual's right to revoke the authorization.

Separate Authorization Requirement (45 CFR § 164.508(b)(3))

The authorization must be separate from other documents and cannot be combined with other legal permissions. It must be clearly distinguishable when combined with other documents.

Prohibition on Conditioning (45 CFR § 164.508(b)(4))

Healthcare providers cannot condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs an authorization, with limited exceptions.

Right to Revoke (45 CFR § 164.508(c)(2)(i))

The authorization must include a statement of the individual's right to revoke the authorization in writing, and either the exceptions to the right to revoke and a description of how to revoke, or a reference to the corresponding notice of privacy practices.

Re-disclosure Statement (45 CFR § 164.508(c)(2)(iii))

The authorization must include a statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer protected by the Privacy Rule.

Virginia Health Records Privacy Act Compliance (Virginia Code § 32.1-127.1:03)

The authorization must comply with Virginia's Health Records Privacy Act, which provides additional protections for health records beyond HIPAA and may require specific language for authorizations.

Virginia Mental Health Record Protections (Virginia Code § 32.1-127.1:03(D))

Special provisions apply to the disclosure of mental health records in Virginia, requiring specific authorization language for the release of such information.

Virginia HIV/AIDS Information Protection (Virginia Code § 32.1-36.1)

Virginia law provides additional protections for HIV/AIDS-related information, requiring specific authorization for disclosure of such information.

Virginia Substance Abuse Record Protection (Virginia Code § 32.1-127.1:03 and 42 CFR Part 2)

Virginia law requires specific authorization for the disclosure of substance abuse treatment records, consistent with federal regulations.

Virginia Electronic Health Records Provisions (Virginia Code § 32.1-276.9)

Virginia has specific provisions regarding electronic health records and health information exchanges that may affect how authorizations are processed electronically.

Genetic Information Protection (Virginia Code § 38.2-508.4 and 45 CFR § 164.502(a)(5)(i))

Authorization must specifically address the disclosure of genetic information in accordance with both federal GINA protections and Virginia state law.

Psychotherapy Notes (45 CFR § 164.508(a)(2))

A separate authorization is required for the use or disclosure of psychotherapy notes, with specific exceptions outlined in federal regulations.

Marketing Authorizations (45 CFR § 164.508(a)(3))

If the authorization is for marketing purposes, it must state if the marketing involves direct or indirect remuneration to the covered entity from a third party.

Virginia Personal Information Protection Act (Virginia Code § 18.2-186.6)

The authorization must consider Virginia's Personal Information Protection Act requirements regarding the protection of personal information, which may include health information.

Minors' Health Information (Virginia Code § 54.1-2969)

Virginia law has specific provisions regarding minors' consent and the disclosure of their health information, which must be reflected in the authorization when applicable.

Virginia Consumer Data Protection Act (Virginia Code § 59.1-575 et seq.)

The authorization should consider Virginia's Consumer Data Protection Act requirements when health information may be processed by entities covered by this law.

Copy Provision (45 CFR § 164.508(c)(4))

The authorization must include a statement that the individual is entitled to receive a copy of the authorization.

Expiration Requirement (45 CFR § 164.508(c)(1)(v))

The authorization must include an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure.

Signature and Date (45 CFR § 164.508(c)(1)(vi))

The authorization must be signed by the individual and dated. If signed by a personal representative, a description of the representative's authority must be provided.

Virginia Electronic Transactions Act (Virginia Code § 59.1-479 et seq.)

Electronic signatures on HIPAA authorizations must comply with Virginia's Electronic Transactions Act for validity and enforceability.

Frequently Asked Questions

A HIPAA Authorization is a detailed permission form that allows healthcare providers to disclose your protected health information (PHI) to specific individuals or organizations. This document must contain several key elements to be valid: a description of the information to be shared, who can disclose the information, who can receive it, an expiration date or event, the purpose of the disclosure, your signature, and the date. Unlike the general consent forms you sign at medical offices, a HIPAA Authorization gives you granular control over exactly what information is shared and with whom.

Even if you're married, your spouse doesn't automatically have the right to access your medical information under HIPAA privacy rules. A HIPAA Authorization ensures your spouse can communicate with your healthcare providers, access your medical records, and make informed decisions about your care if you're unable to do so. For married couples with children, it's also important to have HIPAA Authorizations for minor children once they become teenagers, as certain sensitive health information may be protected even from parents in some states.

Yes, single individuals without children may have an even greater need for a HIPAA Authorization. Without a spouse or adult children to advocate for you, it's crucial to designate trusted friends, siblings, or other relatives who can access your medical information in an emergency. Without a HIPAA Authorization in place, doctors may be unable to share your medical information with anyone, potentially leaving you without an advocate during a health crisis.

High net worth individuals often have complex financial and estate planning arrangements that can be affected by health conditions. A HIPAA Authorization can allow your financial advisors, trustees, or estate planning attorneys to receive necessary medical information to properly manage your affairs if you become incapacitated. Additionally, it provides an extra layer of privacy protection by specifically limiting who can access your sensitive health information, which may be particularly important for individuals with significant public profiles or privacy concerns.

While related, these documents serve different purposes. A healthcare power of attorney (or healthcare proxy) appoints someone to make medical decisions on your behalf if you're unable to do so. A HIPAA Authorization, on the other hand, simply allows healthcare providers to share your medical information with designated individuals—it doesn't grant decision-making authority. For comprehensive protection, most estate planning attorneys recommend having both documents as part of your healthcare planning.

Yes, one of the key benefits of a HIPAA Authorization is that you can be very specific about what information can be disclosed. You can limit the authorization to certain conditions (like only sharing information about a specific diagnosis), certain time periods, or certain types of records. For example, you might authorize sharing of your general medical information but exclude mental health records, substance abuse treatment information, or genetic testing results.

A HIPAA Authorization must include an expiration date or expiration event. This could be a specific date (like one year from signing), the occurrence of an event (like 'until the conclusion of my cancer treatment'), or even 'end of the research study' for research-related authorizations. You can also revoke a HIPAA Authorization at any time by providing written notice to the healthcare provider or entity that originally received the authorization.

While many healthcare providers have their own HIPAA Authorization forms, these are often limited in scope. For comprehensive protection as part of your estate planning, it's advisable to have a HIPAA Authorization drafted by an attorney who specializes in estate planning or healthcare law. This ensures the document will be properly integrated with your other advance directives and estate planning documents. Some estate planning software packages also include HIPAA Authorization templates, though these should be reviewed carefully to ensure they meet your specific needs.