Medical Records Release Authorization Forms


A medical records release authorization form is a document that allows a person to disclose protected health information to a third party. A patient can also request their medical records not currently in their possession.

The document, also known as a “Health Insurance Portability and Accountability Act (HIPAA)” form, must satisfy the requirements listed under the 1996 Federal HIPAA Privacy Rule. If it does not adhere to the standards, the patient cannot use it to give or receive permission to release their medical records.

Protected health information – such as test results, diagnoses, medical histories, and other personally identifiable information – is confidential under the HIPAA Privacy Rule. The rule states that all covered entities (i.e., hospitals) must take every step necessary to keep a patient’s medical information private.

However, in some cases, a patient may wish to release this information to another entity or obtain it for personal use. The HIPAA release form (sometimes called “authorization”) explicitly states the content and manner in which medical facilities share health information.

Laws: Health Insurance Portability and Accountability Act (HIPAA) of 1996

HIPAA Forms: By State

Table of Contents

How to Fill Out a HIPAA Release Form

To fill out a HIPAA release form, a patient must choose the appropriate document. The form must allow them to request their personal health information (PHI) or grant a third party permission to release it. Depending on the form’s purpose, the individual can select a state-specific document or complete a generic template.

Each medical release document has fields that allow the person to explain the reason(s) for completing it. To ensure they have filled out the HIPAA release form correctly, they must enter the necessary information in the blanks provided and check the appropriate boxes. Once written, the sender must submit it to the required third party or entity by mail, fax, or email.

When filling out a HIPAA authorization form, include the following:

  • The patient’s name, date of birth, address, and phone number;
  • The name and contact information of the hospital or doctor who currently holds the patient’s medical records;
  • The name and contact information of the person or entity who will receive the medical records;
  • The purpose of the release (i.e., personal use, insurance, or legal purposes);
  • The date(s) of the service, treatment, test results, or other related health data;
  • The specific information to release (e.g., lab results, x-ray images, and operative reports);
  • The delivery method (i.e., mail, email, fax, or CD).

While there is no standard or universal form, the form must be HIPAA-compliant, meaning it meets all requirements to be considered legal and binding. Therefore, all HIPAA release forms must:

  • State the authorization is both completely voluntary, and the patient may revoke the permission at any time;
  • State there is a risk that the entity to whom the protected health information is released may disclose it without consent to someone else;
  • Use plain language that is easily understandable to the patient; and
  • Indicate an expiration date for the authorization.

What is the HIPAA Minimum Necessary Rule?

The HIPAA minimum necessary rule grants a recipient permission to distribute PHI only as requested by the patient. In other words, the entity can only view or send records authorized in a signed medical release form. The following example further explains the HIPAA minimum necessary rule:

Sally breaks her arm and visits a hospital to receive X-Ray scans. She authorizes the hospital to send her primary care physician a copy of the scans once available. Under HIPAA law, the hospital can only send the physician her X-Ray scans. The office staff cannot view or send any other PHI filed under Sally’s name. 

The law ensures the safety and confidentiality of a patient’s medical records. Employees who read or submit additional information break HIPAA laws, subjecting them to fines, criminal charges, and immediate job termination (§ 45 CFR 164.502(b), 164.514(d)).

Reasons for Completing a Medical Release Form

An individual completes a medical release form to give consent to a hospital, doctor, or other facilities so they can release the patient’s PHI to the individual or a third party. The document has great importance in the medical world since it has many purposes. Doctors can use it to determine a patient’s treatment, while insurance companies use it when billing individuals. The HIPAA Privacy Rule reassures the general public that unwanted parties do not access their medical files. At the same time, the release form ensures that the right people obtain, discuss, or review the patient’s information.

There are a variety of scenarios when HIPAA authorization is necessary. The following examples are common uses for a medical release form.

  • A person diagnosed with Alzheimer’s disease needs help managing appointments and medications.
  • An employee must release the results of a recent drug test to an employer.
  • A rehabilitation hospital wishes to showcase a person’s recovery in marketing campaigns.
  • A life insurance company needs access to an individual’s medical history to determine eligibility.

Each situation necessitates a HIPAA release form from the patient. Without a medical information release form, the patient and third party cannot send or receive the protected health information (PHI).

HIPAA Release Form Templates







Can a Spouse Sign a HIPAA Release Form?

No, a spouse cannot sign a HIPAA release form. According to HIPAA Privacy Rule 45 (§ CFR 164.510), a spouse, family member, or friend cannot sign a HIPAA release form for a patient. Instead, patients must complete and sign the HIPAA form on their own.

HIPAA Privacy Rule 45 exists to protect individuals from unwanted breaches in privacy. As a result, family members, including spouses, are blocked from retrieving their loved one’s medical information. There are no exceptions to this law. For example, if the patient becomes incapacitated and cannot sign a HIPAA release form, it does not give spouses or relatives the ability to access the health records.

However, the law allows spouses or family members to access the patient’s PHI if they have previously given them written authority. In other words, the individual must complete a document (such as a medical power of attorney) that assigns a loved one as their personal representative. The family member must present the signed form to the third party to complete or sign a medical information release.

Which Type of HIPAA Form is Best for Me?

Choosing the best type of HIPAA form is important to authorize an individual, medical professional, billing office, or insurance representative to release or view medical records. Patients should consider the recipient and the information required when selecting a template.

A state form is appropriate when communicating with a hospital or doctors’ office. On the other hand, generic templates are suitable when contacting insurance companies or billing staff. Regardless of the document type, the patient must include the requested details and signature(s).

Fillable HIPAA Release Forms







Frequently Asked Questions (FAQ)

The following list contains questions and answers for medical records release authorization forms. If the index does not include a specific topic or subject, reference local law to ensure that the HIPAA release form complies with the state’s requirements.

What is a HIPAA Release Form?

A HIPAA release form is a document that makes it possible for a person to obtain their own medical records or allow an entity to give the information to a third party. The purpose of a medical records release authorization is to provide the patient or third party with the PHI when treating the individual, determining payment, or handling other day-to-day billing operations.

How to Get a HIPAA Release Form

In some situations, the doctor or hospital requires that the patient complete a HIPAA authorization form that they only provide. For example, office staff can mandate that patients fill out a specific document to obtain their surgery procedure notes. However, in cases where the individual needs to create a generic HIPAA release document, they can download and print a template from online sources. Regardless of the format, the authorization often requires specific information to ensure that the person writing it requests or grants the desired permissions.

How Long is a HIPAA Release Good For?

A HIPAA release form is good until it reaches the expiration date set by the person who created the document. Setting a termination date prevents third parties or entities from accessing the information for a prolonged period. If the principal does not include an end date, it lasts indefinitely or until the individual completes a revocation form. Revoking the document means that the principal takes away the ability for another party to view, discuss, or release their PHI.

Do HIPAA Release Forms Need to be Notarized?

HIPAA release forms generally do not require signatures from Notary Publics. However, laws vary by state and medical facilities, so it is critical to reference local notarization requirements. The state often requires the individual granting authority to sign the medical release form. In some cases, a document requires a witness’ signature. Most commonly, a witness signs when an individual requests the release of PHI, such as HIV/AIDS, psychiatry or behavioral health, sexually transmitted diseases, or drug and alcohol abuse.

HIPAA Release Laws: By State

States can follow HIPAA laws or create their own rules for patient information. According to HIPAA, providers have thirty (30) days from a patient’s request to provide them with PHI. Certain states abide by this law; however, others have modified the amount of time required.

The table below lists the number of days the provider has after the “request date” to issue the patient their medical records. The abbreviation “N/A” represents states that do not have release statutes or use language such as “within a reasonable time frame.”

AlabamaN/A§ 420-5-7-.05(5)(b)
AlaskaN/A§ 18.23.005
ArizonaN/A§ 32-3211
ArkansasN/A§ 16-46-106
CaliforniaInspect within 5 days; submit to the patient within 15 days.§ 123110

Hospitals: 10 days for discharged patients; 24 hours for inpatients.

Physicians: 30 days for patients.

§ 1011-1:II-5.2;
§ 25-1-802
Connecticut30 days§ 20-7C
Delaware45 days for patients; 14 days for patients who prepay.24 § 1761; 10 § 3926
FloridaN/A§ 395.3025; § 456.057
Georgia30 days.§ 31-33-2
HawaiiUpon request. If the provider fails to give the patient a copy, the patient and their attorney must submit an authorization (in which the provider has 10 days to provide medical documents to the patient).§ 622-57
Idaho30 days (HIPAA law).45 CFR § 164.524(b)(2)
Illinois30 days.735 § 5/8-2001
IndianaN/A§ 16-39-1-1
IowaN/A§ 653-13.7
Kansas30 days (HIPAA law)45 CFR § 164.524(b)(2)
Kentucky30 days (HIPAA law)45 CFR § 164.524(b)(2)
Louisiana15 days.§ 40:1165.1; § 40:2144
MaineN/A22 § 1711; 22 § 1711-B
Maryland21 days.§ 4-309
MassachusettsN/A111 § 70E
Michigan30 days.§ 333.26265
MinnesotaN/A§ 144.292
MississippiN/A§ 30-17-2635:10.4
MissouriN/A§ 191.227

Covered Entities: 30 days.

Non-Covered Entities: 10 days.

§ 50-16-541
NebraskaThe patient must be able to examine the records within 10 days. They must receive a copy within 30 days.§ 71-8403
NevadaUpon request.§ 629.061
New HampshireUpon request.§ 151:21; § 332-I:1
New Jersey30 days.§ 8.43G-4.1; § 13:35-6.5
New MexicoN/A§; §
New York10 days.§ 18
North CarolinaN/A (HIPAA law)45 CFR § 164.524(b)(2)
North DakotaUpon request.§ 23-12-14

Covered Entities: 30 days.

Non-Covered Entities: N/A

§ 3798.03; § 3701.74
OklahomaUpon request.76 § 19
Oregon30 days.§ 192.553; § 847-012-0000
PennsylvaniaUpon request (unless the entity is an osteopathic physician). Osteopathic physicians must provide patients with records within a “reasonable” timeframe.28 § 115.29; § 25.213.
Rhode Island30 days (HIPAA law)45 CFR § 164.524(b)(2)
South Carolina45 days.§ 44-7-325
South DakotaUpon request.§ 36-2-16

Physicians: 10 working days.

Hospitals: Upon request.

§ 63-2-101; § 68-11-304
Texas15 business days.§ 241.154; § 181.102
Utah30 days (HIPAA law)45 CFR § 164.524(b)(2)
Vermont30 days (HIPAA law)45 CFR § 164.524(b)(2)
Virginia15 days.§ 32.1-127.1:03; § 54.1-2403.3
Washington15 working days.§ 70.02.080
West VirginiaN/A§ 16-29-1
WisconsinN/A§ 146.83

Hospital: 10 days.

Physician: 30 days.

§ 35-2-611

052-3 § 3-4

Key Takeaways

By default, an individual’s protected health information remains private from those not directly involved in their medical care or treatment, including spouses and family members. An individual who releases their PHI does so at their discretion. When situations require the release of medical records, begin by compiling the necessary information and researching the state or medical facility’s policies. As long as HIPAA authorization forms are compliant with HIPAA’s rules, a person may use a template or generic document.