What is a HIPAA Medical Release Form?

A HIPAA medical release form is an authorization form required by the Health Insurance Portability and Accountability Act (HIPAA) when a covered health plan or healthcare provider uses or discloses Protected Health Information for a purpose not required or permitted by the HIPAA Privacy Rule.

One of the objectives of the Health Insurance Portability and Accountability Act is to protect the privacy of individually identifiable health information when it is collected, received, maintained, or transmitted by a Covered Entity (generally a health plan, health care clearinghouse, or health care provider) or a Business Associate providing a service to or on behalf of a Covered Entity. 

The Act achieves this objective by limiting uses and discloses of Protected Health Information (PHI) to those “required” or “permitted” by the HIPAA Privacy Rule. Any use or disclosure of PHI beyond those required or permitted by the Privacy Rule has to be supported by a HIPAA medical release form signed by the subject of the information being disclosed or their personal representative.

Required Uses and Disclosures

In the Administrative Simplification Regulations, there are only two scenarios in which a use or disclosure of PHI is required – when access is requested by the Department of Health and Human Services (HHS), or when an individual exercises their HIPAA rights to request a copy of their PHI or an Accounting of Disclosures to see who their PHI has been disclosed to and what for.

However, in most states, local laws require healthcare providers to report injuries related to child abuse or neglect, while some states also require injuries related to domestic violence to be reported. The Privacy Rule permits uses and disclosures required by law under §164.612 – “Uses and disclosures for which an authorization or opportunity to agree or object is not required”.

Permissible Uses and Disclosures

Permissible uses and disclosures of PHI include for treatment, payment, and healthcare operations purposes – but there are conditions attached. For example, a covered healthcare provider can only disclose PHI to another covered healthcare provider for treatment purposes if there is a patient-related “treatment relationship” between the two providers. 

Similarly, in all disclosures except those for treatment, the Minimum Necessary standard applies. This means that regardless of whether a disclosure is related to an eligibility check, a report of domestic violence, or an OSHA-mandated accident report, only the necessary amount of information required to achieve the purpose of the disclosure must be disclosed.

When is a HIPAA Medical Release Form Required?

Examples of when a HIPAA medical release form is required include when a health plan wants to use the PHI of a plan member in a marketing campaign (either its own or a third party´s campaign), or when a hospital wants to use a patient´s psychiatry notes for a purpose other than treatment, training, or litigation – as these uses of psychiatry notes are permitted.

However, Covered Entities need to be aware of other scenarios in which a HIPAA medical release form is required. For example, in 2016, the New York Presbyterian Hospital allowed a TV crew to film two identifiable patients without obtaining the patients´ authorizations in advance. The Hospital was fined $2.2 million by HHS´ Office for Civil Rights for a violation of the HIPAA Privacy Rule.

What to Include in a HIPAA Medical Release Form

The Privacy Rule lists the core elements that must be included in a HIPAA medical release form in §164.508(c).However, these core elements are the minimum required to satisfy HIPAA standards and it may be necessary to produce a more comprehensive HIPAA medical release form for specific use cases, types of disclosure, or to satisfy state privacy and security regulations.

Whatever elements are included in a HIPAA medical release form, it is important the subject of the PHI to be used or disclosed gives their informed consent. Consequently, the form must be plainly written and in a language the individual understands. Once signed, the HIPAA medical release form must be maintained for a minimum of six years from the date on which it last applied.

Download Medical Release Form
(Word document, 21Kb)

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter https://twitter.com/DanielLHIPAA