A HIPAA release form is required only when a HIPAA Covered Entity or Business Associate plans to use or disclose protected health information for a purpose that the HIPAA Privacy Rule does not otherwise permit or require, and no other HIPAA Privacy Rule permission pathway supports the disclosure.
A HIPAA release form is commonly a HIPAA Privacy Rule authorization. An authorization is written permission from the individual or the individual’s personal representative that allows a covered entity to disclose protected health information to a specified recipient for a stated purpose. A release form is not required for many routine disclosures because the HIPAA Privacy Rule permits uses and disclosures for treatment, payment, and healthcare operations without an authorization, subject to applicable conditions.
A release form is required for certain categories of use and disclosure that the HIPAA Privacy Rule ties to authorization. Uses and disclosures of psychotherapy notes generally require authorization unless a specific exception applies. Disclosures that constitute a sale of protected health information require authorization, and the authorization must state that the disclosure will result in remuneration. Uses or disclosures for marketing often require authorization, subject to defined exceptions.
A release form is not the mechanism for an individual to obtain access to records. The HIPAA Privacy Rule gives individuals a right of access to protected health information in a designated record set, and covered entities should use an access request process rather than an authorization process when an individual requests their own information.
A valid authorization must include required elements and be limited in scope. It must describe the information to be disclosed, identify who may disclose the information, identify who may receive it, and state the purpose. It must include an expiration date or expiration event and statements addressing the right to revoke and limits on conditioning. It must be signed and dated by the individual or the personal representative with a description of the representative’s authority when applicable.
Release workflows also require operational safeguards. Staff should verify identity and confirm the requester matches the authorized recipient. Disclosures should match the scope of the authorization and apply the HIPAA Minimum Necessary Rule when it applies. If a vendor handles protected health information as part of the release process, a Business Associate Agreement is required before protected health information is shared.
What the Regulations Say About HIPAA Release Forms
45 CFR 164.508(a)(1) and 45 CFR 164.508(c)(1) are relevant because they establish when a HIPAA authorization is required and the minimum elements that make a release form valid. The regulation states “Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section.” The regulation also states “A valid authorization under this section must contain at least the following elements” and includes “A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion,” “An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure,” and “Signature of the individual and date.” This wording is relevant because it defines when a release form is required and what content is required for validity.
45 CFR 164.506(a) and 45 CFR 164.506(c)(1) are relevant because they describe uses and disclosures that do not require an authorization. The regulation states “Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) through (4) or that are prohibited under § 164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations.” The regulation also states “A covered entity may disclose protected health information for treatment activities of a health care provider.” This wording is relevant because it identifies common situations where a release form is not required.
45 CFR 164.524(a)(1) and 45 CFR 164.524(b)(1) are relevant because they establish the individual right of access, which is distinct from a HIPAA authorization. The regulation states “Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set.” The regulation also states “The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set.” This wording is relevant because access requests can be processed under the right of access without using an authorization-based release form.
