HIPAA Authorization Form: What It Is and How to Use One

What is a HIPAA authorization form?

A HIPAA authorization form, sometimes called a HIPAA release form, is a legal document that allows you to designate specific individuals who can access your protected health information and communicate with your healthcare providers on your behalf. This form serves as your written permission for medical professionals to share your health records, discuss your condition, and coordinate care with the people you trust most.

The form operates under the framework of the Health Insurance Portability and Accountability Act. The HIPAA privacy rule establishes strict protections for all medical information. Protected health information includes everything from basic medical records and test results to billing information and treatment plans. Under HIPAA regulations, healthcare providers legally can’t share protected health information with anyone, including immediate family members, without your explicit written authorization.

Other types of HIPAA documents

It's important to understand the distinction between different HIPAA-related documents. A "HIPAA authorization form," "HIPAA release form," and "medical records release form" are essentially the same document with different names. However, a "HIPAA consent form" typically refers to the general privacy notice you receive from healthcare providers, which is different from the specific authorization form that designates representatives.

HIPAA authorization vs. advance directive

While both documents are essential for healthcare planning, a HIPAA authorization form and an advance directive serve distinctly different purposes. A HIPAA authorization gives specific people the right to give and receive protected health information about you. For example, they can call the doctor to ask about a possible side effect of a drug you're taking or to let them know you're spiking a fever. They can also receive information about test results, prescriptions, billing, and health insurance claims.

In contrast, an advance directive goes one step further. In addition to giving the person you select the ability to communicate about your health with your doctor, this personal representative also has the right to make medical decisions on your behalf if you are unable to do so. If you're in a coma, for example, this document gives them the authority to make decisions such as discontinuing lifesaving treatment or agreeing to surgery for you.

For comprehensive healthcare planning, you typically need both documents. The HIPAA authorization ensures smooth communication and information flow, while the advance directive provides decision-making authority during incapacitation. Many people integrate both documents into their broader estate planning strategy alongside wills, power of attorney, and other essential legal documents.

Why is a HIPAA authorization form necessary?

HIPAA privacy rules create a protective barrier around your personal medical information, ensuring that only authorized individuals can access your health records or discuss your care with medical providers. HIPAA compliance applies to all healthcare providers, health maintenance organizations, insurance companies, and healthcare clearinghouses. It also applies to all relationships—spouses, adult children, and parents all need explicit authorization to access your protected health information.

A HIPAA authorization form allows the named individuals to speak to medical personnel about your care, condition, and treatment. Unless you provide specific authorization for them to communicate with your doctor, your healthcare provider won't talk to them on the phone, give them any updates about you, or even take information from them if they call on your behalf.

The scenarios covered under HIPAA regulations include dealing with insurance claims, coordinating care between multiple specialists, managing chronic conditions, or simply having a trusted family member handle routine medical communications. For elderly individuals or those with complex medical needs, having authorized representatives can significantly improve care.

How to complete a HIPAA authorization form

Creating a valid HIPAA authorization form requires careful attention to specific legal requirements and clear documentation of your preferences. The best way is to work with an estate planning attorney who understands HIPAA regulations. The process involves gathering necessary information, understanding your options, and ensuring the form meets all HIPAA compliance standards.

1. Identify the patient and authorized representatives

Start by clearly identifying yourself as the patient. The document should state it is a HIPAA privacy authorization form and include your name, date of birth, and current address. This information must match exactly what appears in your medical records to avoid confusion and delays.

Next, list each person you want to authorize to access your protected health information. Include their full legal names, relationship to you, and current contact information. Be specific about each individual rather than using general terms like "family members" or "immediate relatives," as healthcare providers need explicit identification of authorized persons.

2. Specify the scope of information to be released

The form should indicate that you authorize all medical providers and servicers to use and disclose protected health information from and to the person or people you name in the form as your personal representatives. You can authorize all medical information, or you can create exceptions, such as for mental health records, communicable diseases (such as HIV), or alcohol or drug abuse.

Consider your comfort level with different types of protected health information and the specific needs of your authorized representatives. For example, if someone is helping coordinate your general medical care, they may need access to most information, while someone handling only insurance matters might need more limited access.

3. Define the purpose of disclosure

Clearly state why you're authorizing the release of your protected health information. Common purposes include coordinating medical care, handling insurance claims, managing billing matters, or facilitating communication between family members and healthcare providers. Being specific about the purpose helps healthcare providers understand the appropriate scope of information sharing.

4. Set the duration and expiration terms

Next, establish how long your authorization will remain valid. The form should give a start and end date or indicate that it applies to past, present, and future dates. HIPAA regulations also let you choose when you want the document to expire. Many HIPAA authorization forms use a two-year expiration date.

Consider whether you want the authorization to automatically renew or require active renewal. Some people prefer shorter terms that require regular review, while others opt for longer periods to reduce administrative burden.

5. Include required legal elements

Ensure your form includes all elements required under HIPAA regulations, including:

• A description of the protected health information to be disclosed
• Specific identification of who can disclose and receive the information
• The purpose of disclosure
• An expiration date
• Your signature with the date

The form must also include a statement about your right to revoke the authorization and information about whether treatment can be conditioned on signing the authorization. Include clear language explaining that information disclosed under this authorization may be subject to re-disclosure by the recipient.

6. Sign and distribute the form

Sign and date the form in the presence of a witness if required by your state. Make multiple copies of the completed form—you'll need to provide copies to all healthcare providers and authorized representatives. Keep the original for your records.

Distribute copies promptly to ensure all relevant parties have current authorization. Bring a copy whenever you visit new healthcare providers or facilities, as they'll need to have the authorization on file before sharing any protected health information with your representatives.

7. Update or revoke as needed

You maintain complete control over your HIPAA authorization and can modify or revoke it at any time. You should update your HIPAA authorization form whenever your preferences or situation change, such as the passing of your spouse or a new family member tending to your care.

To revoke authorization, provide written notice to all healthcare providers and authorized representatives who received copies of the original form. When updating your authorization, create a new form rather than trying to modify the existing one. Clearly indicate that the new authorization supersedes all previous versions, and collect and destroy old copies when possible to avoid confusion.

Tips for ensuring your form is HIPAA-compliant

• Use clear, unambiguous language throughout the form to avoid confusion about your intentions.
• Avoid vague terms like "family members" or "medical information" without specific definitions. Instead, name specific individuals and clearly describe what information can be shared.
• Review your state's specific requirements, as some states have additional rules beyond federal HIPAA requirements.
• Certain states may require notarization, specific language, or additional disclosures for the authorization to be valid.
• Common mistakes include failing to update the form when circumstances change, using outdated forms that don't meet current legal requirements, or creating authorizations that are too broad or too narrow for your actual needs.
• Regularly review and update your authorization to ensure it continues to meet your needs and remains legally valid.

Using HIPAA release forms in estate planning

HIPAA authorization forms work alongside other essential estate planning documents like advance directives, power of attorney, and living wills to create a framework for healthcare decision-making. This comprehensive approach provides peace of mind for both you and your family members, knowing that all necessary legal frameworks are in place.

When incorporated into estate planning, HIPAA authorization forms typically designate the same individuals who hold your medical power of attorney or serve as healthcare proxies. This alignment ensures consistent communication and decision-making authority, reducing potential conflicts or confusion during medical crises.

The timing of HIPAA authorization within estate planning is crucial. Unlike some estate planning documents that primarily activate upon incapacitation or death, HIPAA authorizations take effect immediately upon signing, providing ongoing benefits for routine medical management while also serving long-term estate planning goals.

HIPAA authorization form FAQs

What information must a HIPAA authorization form include?

A valid HIPAA authorization form must include a clear description of the protected health information to be disclosed, identification of the person or entity authorized to make the disclosure, identification of the person or entity receiving the information, and a specific description of the purpose for the disclosure.

The form must also include an expiration date or event, your signature and date, and a statement of your right to revoke the authorization. Additionally, it must include information about whether treatment, payment, enrollment, or eligibility for benefits can be conditioned on your signing the authorization.

How long does a HIPAA authorization last?

The duration of a HIPAA authorization depends on what you specify in the form. You can set a specific expiration date, tie the expiration to a particular event, or create an authorization that remains valid indefinitely until revoked. Many healthcare providers and legal experts recommend setting a specific timeframe, typically one to two years, to ensure regular review and updates.

Can I revoke a HIPAA authorization?

Yes, you can revoke a HIPAA authorization at any time by providing written notice to the healthcare provider or entity that received the original authorization. The revocation takes effect immediately upon receipt, but it won’t cover actions already taken or medical history that has already been revealed.

Who can sign a HIPAA authorization form for a minor or incapacitated person?

Parents or legal guardians typically have the authority to sign HIPAA authorization forms on behalf of their minor children. However, state laws vary regarding the age at which minors can make their own healthcare decisions and sign their own authorizations.

For incapacitated adults, the person holding legal guardianship or conservatorship generally has the authority to sign HIPAA authorizations. If no formal guardianship exists, state laws may allow certain family members to make healthcare decisions.

Does a HIPAA form allow decision-making, or just information sharing?

A HIPAA authorization form only grants the right to access and receive your protected health information—it does not provide decision-making authority. Your authorized representatives can communicate with healthcare providers, receive test results, and discuss your care, but they cannot make treatment decisions on your behalf. For decision-making authority, you need additional documents such as an advance directive or medical power of attorney.

Are there situations where a HIPAA release form is not needed?

HIPAA privacy rules include several exceptions where healthcare providers can share personal health information without specific authorization. These include treatment, payment, and healthcare operations, emergency situations where the patient cannot provide authorization, public health activities, and disclosures required by law.

Can I limit what information is shared?

Yes, you have complete control over what information your HIPAA authorization covers. You can authorize release of your complete medical record, or you can create specific limitations excluding certain types of information such as mental health records, substance abuse treatment records, HIV/AIDS information, or genetic testing results. You can also limit the authorization to specific time periods, particular healthcare providers, or certain purposes.

Complete your healthcare planning with LegalZoom

With LegalZoom's estate plan services, you can create a complete healthcare planning package that includes HIPAA authorizations alongside living wills, healthcare proxies, and other essential documents. This comprehensive approach provides peace of mind knowing that all aspects of your healthcare decision-making and information sharing forms are properly documented. And our streamlined process makes it easy to create, update, and maintain these critical documents as your needs and circumstances change over time.

Ready to protect your healthcare privacy and ensure your loved ones can access the information they need? Start your comprehensive estate plan with LegalZoom today and create HIPAA authorization forms that work seamlessly with your other essential legal documents.

Brette Sember, J.D., contributed to this article.