A HIPAA release form is a written authorization that permits a HIPAA Covered Entity to use or disclose specified protected health information to a named recipient or class of recipients for a stated purpose and within a defined timeframe when the HIPAA Privacy Rule does not otherwise permit or require the use or disclosure.
The term is commonly used to describe a HIPAA Privacy Rule authorization under 45 CFR 164.508. A release form is different from general consent for treatment and different from routine disclosures permitted for treatment, payment, and healthcare operations. When a disclosure falls within a permitted category under the HIPAA Privacy Rule, a release form is not required, though organizations may document disclosures under their internal policies when appropriate.
A valid release form must contain the authorization elements required by the HIPAA Privacy Rule. The form must describe the information to be used or disclosed in a meaningful way, identify the covered entity or person authorized to make the disclosure, and identify the person or entity authorized to receive the information. The form must state the purpose of the requested use or disclosure. The form must include an expiration date or an expiration event tied to the individual or the purpose of the disclosure.
The form must also include required statements about the individual’s right to revoke the authorization in writing and how revocation is submitted, subject to limited exceptions for actions already taken in reliance on the authorization. The form must address whether treatment, payment, enrollment, or eligibility may be conditioned on signing, and must state any consequences of refusing to sign when conditioning is permitted under the HIPAA Privacy Rule. The form must include a statement that information disclosed under the authorization may be subject to redisclosure by the recipient and may no longer be protected by the HIPAA Privacy Rule. The form must be signed and dated by the individual or by the individual’s personal representative, and when signed by a representative the form must describe the representative’s authority to act.
A release form is often used for disclosures to third parties outside routine healthcare operations. Common uses include sending records to an attorney or insurance carrier not acting as a health plan for payment, releasing information to an employer for employment-related purposes not otherwise permitted, or disclosing information to a school or other organization when no HIPAA Privacy Rule permission pathway applies. Uses and disclosures of psychotherapy notes usually require an authorization unless an exception applies. A release form is also used when a disclosure is requested by a third party and the covered entity cannot rely on another HIPAA Privacy Rule permission basis.
A release form is not the correct tool for an individual’s right of access. When an individual requests access to protected health information in a designated record set, the covered entity should process the request under the HIPAA Privacy Rule access requirements rather than requiring a HIPAA authorization. A release form may be used when the individual directs the covered entity to send records to a third party, depending on the organization’s access workflow and the type of request being processed.
Operational controls support compliant release processing. Staff should verify identity and confirm that the requester matches the authorized recipient. Disclosures should match the scope of the authorization, and the organization should apply the HIPAA Minimum Necessary Rule when it applies. Release processes often involve vendors that provide records fulfillment, secure messaging, electronic forms, or cloud storage, and a Business Associate Agreement is required when a vendor creates, receives, maintains, or transmits protected health information on behalf of the covered entity.