DocDraft Logo

HIPAA Authorization: What You Need to Know to Protect Your Medical Privacy

Learn about HIPAA Authorization forms, why they matter for your healthcare privacy, and how to use them effectively regardless of your family or financial situation.

Introduction

A HIPAA Authorization is a legal document that gives healthcare providers permission to share your protected health information with specific people or organizations. Unlike the basic HIPAA privacy notices you routinely sign at doctor's offices, a HIPAA Authorization provides you with control over who can access your medical information beyond your direct healthcare providers. Whether you're married with children, single, or have significant assets to protect, understanding how to use HIPAA Authorizations effectively is crucial for maintaining privacy while ensuring your loved ones can help during medical emergencies.

Key Things to Know

  1. 1

    HIPAA Authorizations are revocable at any time—you can change your mind about who has access to your information.

  2. 2

    Without a HIPAA Authorization, healthcare providers may be legally prohibited from sharing your medical information, even with close family members.

  3. 3

    Consider updating your HIPAA Authorization after major life events such as marriage, divorce, or when children reach adulthood.

  4. 4

    Be specific about what information can be shared—you can exclude sensitive information like mental health records or genetic testing if desired.

  5. 5

    Keep copies of your signed HIPAA Authorization with your other important documents and provide copies to your designated representatives.

  6. 6

    A HIPAA Authorization works best when paired with other healthcare documents like an advance directive and healthcare power of attorney.

  7. 7

    Different healthcare systems may have their own HIPAA Authorization forms, so you may need to complete multiple forms for different providers.

Key Decisions

Single individuals without children

High net worth individuals

Married individuals with children

Customize your HIPAA Authorization Template with DocDraft

AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA)

I. PATIENT INFORMATION

Full Legal Name: ______________________________________
Date of Birth: //________
Address: ____________________________________________
City, State, Zip: ______________________________________
Phone Number: (___) -
Email Address: _______________________________________
Medical Record Number: ______________________________
Other Identifier (if applicable): _________________________

II. AUTHORIZATION

I hereby authorize the use and/or disclosure of my protected health information as described below. I understand that this authorization is voluntary and that I may refuse to sign it. I further understand that my treatment, payment, enrollment in a health plan, or eligibility for benefits will not be conditioned upon my providing this authorization except in limited circumstances as permitted by law.

III. AUTHORIZED RECIPIENTS

I authorize the following person(s) and/or organization(s) to receive my protected health information:

Recipient 1:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 2:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

Recipient 3:
Name/Organization: ______________________________________
Relationship to Patient: ___________________________________
Address: _______________________________________________
City, State, Zip: _________________________________________
Phone Number: (___) -
Email Address: _________________________________________

IV. PURPOSE OF DISCLOSURE

The protected health information is being disclosed for the following purpose(s): (Check all that apply)

□ At the request of the patient or personal representative
□ Continuity of medical care
□ Insurance/benefits eligibility or claims
□ Legal proceedings or representation
□ Disability determination
□ Workers' compensation
□ Personal records/use
□ Other (specify): _______________________________________

V. INFORMATION TO BE DISCLOSED

A. Scope of Information
(Check all that apply)

□ Complete medical record
□ Hospital/inpatient records
□ Outpatient/clinic records
□ Emergency department records
□ Laboratory results
□ Radiology/imaging reports
□ Pathology reports
□ Consultation reports
□ Progress notes
□ Physician orders
□ Nursing notes
□ Medication records
□ Immunization records
□ Billing and payment records
□ Other (specify): _______________________________________

B. Date Range of Records
(Check one)

□ All records regardless of date
□ Records from //______ to //______
□ Records created up to and including the date of this authorization
□ Records created after the date of this authorization until its expiration
□ Other (specify): _______________________________________

C. Sensitive Information
I understand that certain types of sensitive health information require specific authorization for disclosure. By initialing below, I specifically authorize the disclosure of the following types of sensitive information (if such information exists in my records) for the time period specified above:

_____ Mental health treatment information (excluding psychotherapy notes)
_____ Substance use disorder diagnosis, treatment, or referral information
_____ HIV/AIDS testing, diagnosis, or treatment information
_____ Sexually transmitted disease information
_____ Genetic testing/information
_____ Reproductive health information (including abortion records)
_____ Domestic/sexual violence information

Note regarding Psychotherapy Notes: This authorization DOES NOT include permission to release psychotherapy notes. Under HIPAA, psychotherapy notes are defined as notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session that are kept separate from the rest of the medical record. Release of psychotherapy notes requires a separate authorization form.

VI. TIME LIMITATIONS AND EXPIRATION

This authorization will remain in effect: (Check one)

□ From the date of this authorization until: //______
□ Until the following event occurs: _________________________
□ For one (1) year from the date of signature below
□ Until the purpose of the disclosure is fulfilled
□ Other (specify): _______________________________________

VII. YOUR RIGHTS REGARDING THIS AUTHORIZATION

A. Right to Revoke: I understand that I have the right to revoke this authorization, in writing, at any time by sending written notification to:

I understand that my revocation will not be effective to the extent that action has already been taken in reliance on this authorization, or if this authorization was obtained as a condition of obtaining insurance coverage and the law provides the insurer with the right to contest a claim under the policy or to contest the policy itself.

B. Right to Inspect or Copy: I understand that I have the right to inspect or copy the protected health information that may be used or disclosed pursuant to this authorization, as provided in the HIPAA Privacy Rule.

C. Right to Receive Copy: I understand that I have the right to receive a copy of this signed authorization.

VIII. REDISCLOSURE NOTICE

I understand that information disclosed pursuant to this authorization may be subject to redisclosure by the recipient(s) and may no longer be protected by federal or state privacy laws, including HIPAA. The healthcare provider, its employees, officers, and physicians are hereby released from any legal responsibility or liability for disclosure of the above information to the extent indicated and authorized herein.

IX. TREATMENT, PAYMENT, ENROLLMENT, OR ELIGIBILITY FOR BENEFITS

I understand that Name of Healthcare Provider/Organization _________________ may not condition my treatment, payment, enrollment in a health plan, or eligibility for benefits on whether I sign this authorization, except:

  1. If the authorization is for research-related treatment, in which case treatment may be conditioned on my signing this form;
  2. If the purpose of the authorization is to determine my eligibility for enrollment or underwriting; or
  3. If the authorization is solely for the purpose of creating protected health information for disclosure to a third party (such as pre-employment physicals or life insurance examinations).

X. POTENTIAL FOR FINANCIAL GAIN

□ I understand that Name of Healthcare Provider/Organization _________________ □ will □ will not receive direct or indirect compensation or remuneration from a third party in exchange for using or disclosing my health information.

XI. SPECIAL PROVISIONS

A. Substance Use Disorder Records (42 CFR Part 2 Compliance):
If this authorization includes the release of information related to substance use disorder diagnosis, treatment, or referral, I understand that such information is protected by federal confidentiality rules (42 CFR Part 2). These rules prohibit recipients from making any further disclosure of substance use disorder information unless further disclosure is expressly permitted by my written authorization or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any substance use disorder patient.

B. Research-Related Disclosures (if applicable):
□ This authorization is for research purposes. I understand the following:

  • Description of the research: _________________________
  • Potential risks and benefits: _________________________
  • My right to refuse participation without affecting my care: _________________________

C. Marketing-Related Disclosures (if applicable):
□ This authorization is for marketing purposes. I understand the following:

  • Description of marketing activity: _________________________
  • Whether the provider will receive financial remuneration: □ Yes □ No
  • My right to revoke specifically for this purpose: _________________________

XII. STATE LAW COMPLIANCE

I understand that my health information may be protected by state laws that provide more stringent protections than federal law. This authorization is intended to comply with all applicable state laws, including but not limited to laws regarding mental health, developmental disabilities, substance use disorders, communicable diseases, genetic information, and reproductive health.

XIII. PERSONAL REPRESENTATIVE INFORMATION (if applicable)

If this authorization is being signed by a personal representative of the patient:

Name of Personal Representative: _________________________
Relationship to Patient: _________________________________
Legal Authority: □ Parent of Minor □ Legal Guardian □ Power of Attorney for Healthcare □ Other (specify): _________________________

Documentation: I have attached the following documentation of my authority to act for the patient (check all that apply): □ Court Order □ Power of Attorney □ Guardianship Papers □ Other: _________________________

XIV. MINOR PATIENT PROVISIONS (if applicable)

For patients under 18 years of age:

A. Parental/Guardian Authorization:
I affirm that I am the parent or legal guardian of the minor patient named above and have legal authority to make healthcare decisions for this minor patient.

B. Special Provisions for Minor Consent Services:
I understand that in certain circumstances, minors may consent to their own healthcare services without parental consent as permitted by state law (such as reproductive health services, mental health services, substance use disorder treatment, or sexually transmitted infection testing/treatment). In such cases, the minor's authorization may be required for the release of those specific records.

XV. SIGNATURES

By signing below, I acknowledge that I have read and understand this authorization, and I authorize the use and/or disclosure of my protected health information as described in this document.

Patient Signature: _____________________________________
Date: //______
Time: : □ AM □ PM

OR

Personal Representative Signature: _______________________
Date: //______
Time: : □ AM □ PM

XVI. WITNESS (if required by facility policy)

Witness Signature: ____________________________________
Witness Name (printed): _______________________________
Date: //______

XVII. INTERPRETER (if applicable)

Interpreter Signature: _________________________________
Interpreter Name (printed): ____________________________
Language Interpreted: ________________________________
Date: //______

FOR HEALTHCARE PROVIDER USE ONLY

Authorization Received by: ____________________________
Verification Method: _________________________________
Date Processed: //______
Medical Record Updated: □ Yes □ No
Authorization Scanned into Record: □ Yes □ No
Patient/Representative Provided Copy: □ Yes □ No

Washington Dc Requirements for HIPAA Authorization

Federal HIPAA Privacy Rule (45 CFR § 164.508)

The authorization must comply with the HIPAA Privacy Rule (45 CFR § 164.508) which establishes national standards to protect individuals' medical records and other personal health information by requiring appropriate safeguards and setting limits on uses and disclosures without patient authorization.

Core Elements Requirement (45 CFR § 164.508(c)(1))

The authorization must contain the core elements specified in federal regulations, including a description of the information to be disclosed, the person(s) authorized to make the disclosure, the person(s) to whom disclosure may be made, an expiration date, and the signature of the individual.

Required Statements (45 CFR § 164.508(c)(2))

The authorization must include required statements about the individual's right to revoke the authorization in writing, the ability or inability to condition treatment on the authorization, and the potential for information to be redisclosed by the recipient and no longer protected by the Privacy Rule.

Plain Language Requirement (45 CFR § 164.508(c)(3))

The authorization must be written in plain language that is understandable to the average person, avoiding complex legal or medical terminology when possible.

DC Mental Health Information Act (D.C. Code § 7-1201.01 et seq.)

For mental health information in Washington DC, the authorization must comply with the DC Mental Health Information Act which provides additional protections for mental health records beyond HIPAA requirements.

DC HIV/AIDS Privacy Protection (D.C. Code § 7-1605)

For HIV/AIDS information, the authorization must specifically mention HIV/AIDS information disclosure as DC law provides heightened protection for HIV/AIDS-related information requiring specific authorization.

DC Substance Use Disorder Information (D.C. Code § 7-1201.02)

For substance use disorder information, the authorization must comply with both HIPAA and DC's substance abuse treatment confidentiality provisions which may require additional specific consent language.

Prohibition on Combined Authorizations (45 CFR § 164.508(b)(3))

The authorization cannot be combined with any other document to create a compound authorization except under specific circumstances outlined in federal regulations.

Copy Provision Requirement (45 CFR § 164.508(c)(4))

The covered entity must provide a copy of the signed authorization to the individual when obtained, as required by federal regulations.

DC Electronic Signature Compliance (D.C. Code § 28-4901 et seq.)

If using electronic signatures, the authorization must comply with DC's Uniform Electronic Transactions Act which governs the legal effect of electronic signatures in the District.

Genetic Information Protection (42 USC § 2000ff et seq.)

For genetic information disclosure, the authorization must comply with GINA (Genetic Information Nondiscrimination Act) protections and specifically mention genetic information if it is to be disclosed.

Psychotherapy Notes Special Authorization (45 CFR § 164.508(b)(3)(ii))

For psychotherapy notes, a separate and specific authorization is required that cannot be combined with authorizations for other types of health information.

Marketing Disclosure Requirements (45 CFR § 164.508(a)(3))

If the disclosure is for marketing purposes, the authorization must state if the disclosure will result in remuneration to the covered entity from a third party.

DC Consumer Protection Procedures Act (D.C. Code § 28-3901 et seq.)

The authorization must not contain deceptive or unfair terms as prohibited by DC's Consumer Protection Procedures Act, which protects consumers against unfair or deceptive trade practices.

Minors' Health Information (D.C. Code § 7-1202.01)

For minors' health information in DC, the authorization must comply with DC's laws regarding minors' consent and confidentiality, which in some cases allow minors to control disclosure of certain health information.

42 CFR Part 2 Compliance (42 CFR Part 2)

For substance use disorder treatment records from federally-assisted programs, the authorization must comply with the stricter federal requirements of 42 CFR Part 2, which provides additional protections beyond HIPAA.

DC Health Information Exchange Provisions (D.C. Code § 7-731 et seq.)

If the information will be shared through DC's health information exchange, the authorization must comply with DC's specific regulations governing the health information exchange.

Revocation Process Specification (45 CFR § 164.508(c)(2)(i))

The authorization must specify the process for revocation, including to whom and how the revocation should be submitted, in accordance with both federal and DC requirements.

DC Patient Record Confidentiality (D.C. Code § 44-801 et seq.)

The authorization must comply with DC's Patient Record Confidentiality Act which provides additional protections for patient records in the District beyond federal requirements.

HITECH Act Compliance (42 USC § 17935)

The authorization must comply with the HITECH Act provisions regarding electronic health records and the expanded rights of individuals to restrict certain disclosures.

Frequently Asked Questions

A HIPAA Authorization is a detailed permission form that allows healthcare providers to disclose your protected health information (PHI) to specific individuals or organizations. This document must contain several key elements to be valid: a description of the information to be shared, who can disclose the information, who can receive it, an expiration date or event, the purpose of the disclosure, your signature, and the date. Unlike the general consent forms you sign at medical offices, a HIPAA Authorization gives you granular control over exactly what information is shared and with whom.

Even if you're married, your spouse doesn't automatically have the right to access your medical information under HIPAA privacy rules. A HIPAA Authorization ensures your spouse can communicate with your healthcare providers, access your medical records, and make informed decisions about your care if you're unable to do so. For married couples with children, it's also important to have HIPAA Authorizations for minor children once they become teenagers, as certain sensitive health information may be protected even from parents in some states.

Yes, single individuals without children may have an even greater need for a HIPAA Authorization. Without a spouse or adult children to advocate for you, it's crucial to designate trusted friends, siblings, or other relatives who can access your medical information in an emergency. Without a HIPAA Authorization in place, doctors may be unable to share your medical information with anyone, potentially leaving you without an advocate during a health crisis.

High net worth individuals often have complex financial and estate planning arrangements that can be affected by health conditions. A HIPAA Authorization can allow your financial advisors, trustees, or estate planning attorneys to receive necessary medical information to properly manage your affairs if you become incapacitated. Additionally, it provides an extra layer of privacy protection by specifically limiting who can access your sensitive health information, which may be particularly important for individuals with significant public profiles or privacy concerns.

While related, these documents serve different purposes. A healthcare power of attorney (or healthcare proxy) appoints someone to make medical decisions on your behalf if you're unable to do so. A HIPAA Authorization, on the other hand, simply allows healthcare providers to share your medical information with designated individuals—it doesn't grant decision-making authority. For comprehensive protection, most estate planning attorneys recommend having both documents as part of your healthcare planning.

Yes, one of the key benefits of a HIPAA Authorization is that you can be very specific about what information can be disclosed. You can limit the authorization to certain conditions (like only sharing information about a specific diagnosis), certain time periods, or certain types of records. For example, you might authorize sharing of your general medical information but exclude mental health records, substance abuse treatment information, or genetic testing results.

A HIPAA Authorization must include an expiration date or expiration event. This could be a specific date (like one year from signing), the occurrence of an event (like 'until the conclusion of my cancer treatment'), or even 'end of the research study' for research-related authorizations. You can also revoke a HIPAA Authorization at any time by providing written notice to the healthcare provider or entity that originally received the authorization.

While many healthcare providers have their own HIPAA Authorization forms, these are often limited in scope. For comprehensive protection as part of your estate planning, it's advisable to have a HIPAA Authorization drafted by an attorney who specializes in estate planning or healthcare law. This ensures the document will be properly integrated with your other advance directives and estate planning documents. Some estate planning software packages also include HIPAA Authorization templates, though these should be reviewed carefully to ensure they meet your specific needs.