HIPAA Release Forms: What the Law Actually Requires and What Most Practices Get Wrong
A patient calls your office and asks you to send their records to a new doctor. Simple enough, right? You pull the chart, fax it over, and move on with your day. Except that if you did not have a signed HIPAA authorization on file before you sent those records, you just committed a HIPAA violation. It does not matter that the patient asked you to do it. It does not matter that the receiving doctor is a legitimate provider. Verbal consent is not sufficient under the Privacy Rule for most disclosures outside of treatment, payment, and healthcare operations. You need a signed authorization — what most people call a HIPAA release form — and it needs to contain specific elements spelled out in federal regulation, or it is not valid even if the patient did sign it.
This is not a scare tactic. This is the reality of 45 CFR 164.508, and it trips up practices of every size, every day. Our HIPAA Release form is a standalone fillable PDF — not part of a larger intake set — built specifically to meet these requirements.
What a HIPAA release actually is
A HIPAA authorization (the formal term) is a patient's written permission for a covered entity to use or disclose their protected health information for a purpose that is not already permitted under the Privacy Rule. That last part is important. You do not need a signed authorization to share a patient's records with another provider for treatment purposes, or to submit a claim to their insurance company, or to conduct your own internal quality reviews. Those uses are already permitted under what HIPAA calls "treatment, payment, and healthcare operations" — or TPO.
What you do need an authorization for is everything else. Sending records to the patient's attorney. Releasing records to an employer. Disclosing information to a life insurance company. Providing records to a family member who is not the patient's personal representative. Releasing records for marketing purposes. Any use or disclosure that falls outside TPO requires the patient's signed, written authorization, and that authorization must contain specific elements to be valid.
The six required elements under 45 CFR 164.508
The Privacy Rule does not leave this to guesswork. A valid authorization must include all of the following:
1. A specific description of the information to be disclosed. "All medical records" is technically acceptable in most circumstances, but it is better practice to specify what is being released — office visit notes, lab results, imaging reports, mental health records, substance abuse records. The more specific the description, the more likely the authorization will withstand scrutiny if it is ever challenged. Some categories of information, like substance abuse records (42 CFR Part 2) and psychotherapy notes, require separate or more specific authorizations.
2. The name or class of persons authorized to make the disclosure. This is who is releasing the records — your practice, your hospital, your lab. It needs to be specific enough that there is no ambiguity about who is being asked to disclose.
3. The name or class of persons to whom the disclosure may be made. Who is receiving the records? "Dr. Sarah Martinez at Valley Orthopedics" is specific. "Any healthcare provider" is a class. Both are acceptable, but the more specific the recipient, the narrower the authorization — and narrower is generally better for the patient's protection.
4. A description of the purpose of the disclosure. Why are these records being released? Transfer of care, legal proceeding, insurance application, disability determination, patient's own request. "At the request of the individual" is acceptable as a purpose when the patient simply wants copies of their own records.
5. An expiration date or expiration event. The authorization cannot be indefinite. It must state either a specific date on which it expires or an event that triggers expiration — "upon resolution of the legal case" or "one year from the date of signature" are both common. An authorization with no expiration is defective. This is one of the most commonly missing elements on template HIPAA releases found online, and its absence makes the entire authorization invalid.
6. The individual's signature and date. The patient (or their personal representative) must sign and date the authorization. If a personal representative is signing, the authorization must describe their authority to act for the individual — parent of a minor, healthcare power of attorney, court-appointed guardian.
Beyond these six, the authorization must also include three required statements: that the individual has the right to revoke the authorization in writing, that the covered entity may not condition treatment or payment on the authorization (with limited exceptions), and that information disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and may no longer be protected by HIPAA.
When you actually need one
The situations that require a HIPAA release come up more often than most practices realize:
Records to attorneys. Whether it is the patient's own attorney in a personal injury case or a defense attorney requesting records pursuant to litigation, a signed authorization is required. Subpoenas are a separate issue — a subpoena may or may not require an authorization depending on the jurisdiction and the type of subpoena, but the safe default is to require one unless your legal counsel tells you otherwise.
Records to employers. A patient's employer has no right to their medical records, period, unless the patient authorizes the disclosure. Even for a workplace injury or fitness-for-duty evaluation, the release should specify exactly what information the employer will receive. An employee authorizing their doctor to tell their employer "they can return to work with no restrictions" is not the same as authorizing the release of their entire medical record.
Records to insurance companies outside the claims process. Health insurance claims processing is a TPO activity and does not require a separate authorization. But life insurance applications, long-term care insurance underwriting, and disability insurance claims are not TPO — they require an authorization.
Patient requesting their own records. This surprises people, but yes, while patients have a right to access their records under HIPAA, the practice can ask the patient to submit a written request. Many practices use a simplified authorization form for patient self-requests. The patient's right to access exists independently of any authorization, but having a written request on file protects the practice by documenting what was released and when.
Common mistakes that make the form invalid
The most frequent defects we see on HIPAA release templates — including ones downloaded from seemingly reputable sources:
No expiration date. An authorization without an expiration date or event is invalid under the Privacy Rule. A practice that discloses records pursuant to an expired or undated authorization has committed a HIPAA violation, even though the patient signed the form. Always include an expiration, and check the date before disclosing.
Missing right-to-revoke language. The patient must be told, on the form, that they can revoke the authorization in writing at any time, and that revocation does not apply to disclosures already made in reliance on the authorization before the revocation was received. This statement is not optional. Omitting it makes the authorization defective.
Authorization that is too broad. An authorization that says "release all records to anyone for any purpose" may technically contain the required elements, but it does not serve the patient well and may not survive regulatory scrutiny. Best practice is to be as specific as reasonably possible about what is being released, to whom, and why.
Combining psychotherapy notes with other records. Psychotherapy notes — specifically, the therapist's personal process notes as defined under HIPAA, which are separate from the medical record — require their own standalone authorization. An authorization that covers psychotherapy notes cannot be combined with an authorization for other protected health information. If your practice involves behavioral health, you need two separate forms.
HIPAA release vs. consent for treatment
These are different documents that serve different purposes, and practices sometimes confuse them. A consent for treatment is the patient's agreement to receive care. It has nothing to do with the release of records. A HIPAA acknowledgment (often called a "Notice of Privacy Practices" acknowledgment) is the patient's confirmation that they received your practice's privacy notice. It is not an authorization to disclose their records to third parties.
A HIPAA release is specifically about who can see the patient's information and for what purpose. It is narrower, more specific, and has required elements that the other two documents do not. Using a consent-for-treatment form as if it were a HIPAA authorization is a compliance gap that auditors will find. For a broader discussion of how HIPAA requirements affect patient intake forms across specialties, see our HIPAA-compliant intake forms guide.
Storing and tracking signed authorizations
A signed HIPAA release is a legal document. Treat it like one. Keep the original (or a scanned copy) in the patient's chart. Log the date it was signed, the date it expires, who the records were released to, what was released, and when the disclosure was made. If the patient revokes the authorization, log the revocation date and ensure no further disclosures are made under that authorization.
This tracking matters because HIPAA requires covered entities to maintain records of certain disclosures — an "accounting of disclosures" — and the patient has the right to request that accounting. If you cannot show when a disclosure was made, under what authorization, and to whom, you have a documentation problem that becomes a compliance problem.
Many practices keep a disclosure log — a simple spreadsheet or database entry for each release of records — separate from the chart. This makes it easy to pull an accounting when a patient requests one and easy to identify authorizations that are approaching their expiration date.
Practices that deal with records requests frequently — personal injury clinics, occupational health offices, behavioral health providers — should build this tracking into their workflow rather than treating each records request as a one-off event. A general medical intake form that includes HIPAA acknowledgment is a starting point, but the HIPAA release is a standalone document that exists independently of the intake process.
Related Forms You Might Need
- Acupuncture — $19.99
- Chiropractic — $19.99
- Dental — $19.99
HIPAA Release Form — $14.99
Standalone fillable PDF. All required elements under 45 CFR 164.508, including right to revoke, expiration, and re-disclosure notice.
View HIPAA Release Form