Authorization for Disclosure of Health Information (HIPAA Release): Form Template & Step-by-Step Instructions
HIPAA Authorization Form Overview
An Authorization for Disclosure of Health Information is a written permission that allows a healthcare provider or health plan to share your Protected Health Information (PHI) with a specific person or organization for a defined reason. It is separate from consent to treat and is required when a disclosure is not otherwise permitted by law.
The form precisely identifies what will be shared, with whom, for what PHI Disclosure Purpose, and for how long. When properly completed, it helps you control your information while helping organizations maintain HIPAA Compliance.
Common uses include sending records to a family member or caregiver, an attorney, an insurer, a school, or an employer, or releasing records for research or personal copies you direct to a third party.
Required Elements of Authorization
A valid HIPAA authorization must be written in plain language and include these core elements and required statements:
- Description of the information: a specific, meaningful description of the PHI to be disclosed (for example, “office notes from 01/01/2024–12/31/2025,” “imaging reports,” or “billing records”).
- Who may disclose: the name or category of the person or entity authorized to make the disclosure (for example, “ABC Clinic and its workforce”).
- Who may receive: the name or category of the person or entity authorized to receive the PHI (for example, “XYZ Law Firm”).
- Purpose: the PHI Disclosure Purpose (for example, “ongoing care coordination,” “legal review,” or “insurance underwriting”).
- Expiration: a specific expiration date or an Authorization Expiration Event related to you or the purpose (for example, “one year from the date signed” or “end of litigation”).
- Signature and date: your signature (or that of a legally authorized personal representative) and the date signed, with the representative’s authority specified when applicable.
Mandatory statements that must appear
- Revocation notice: your right to revoke the authorization in writing at any time, and how to submit a Written Revocation.
- Conditioning statement: whether treatment, payment, enrollment, or eligibility for benefits is conditioned on signing (with limited exceptions allowed by law).
- Redisclosure notice: a statement that information disclosed to a non-HIPAA-regulated recipient may be redisclosed and may no longer be protected by HIPAA.
Recommended additions for clarity
- Contact information for the Privacy Office to receive questions and revocations.
- Options to include or exclude sensitive categories if required by law or policy (for example, mental health, substance use, HIV/AIDS, genetic testing).
- Preferred delivery method (paper, secure portal, encrypted email) and format (summary, abstracts, full record).
Validity Period and Expiration
Each authorization must state when it ends. You may choose a date or define an Authorization Expiration Event that is tied to the reason for disclosure, such as “end of claim,” “end of research study,” or “upon my Written Revocation.” Pick a duration that fits your needs and minimizes unnecessary risk.
After the expiration date or event occurs, the authorization cannot be used for new disclosures. Disclosures made before expiration remain valid. For long-running matters, renew the form rather than leaving it open longer than necessary.
Examples of clear expiration terms
- “Expires 12 months from signature date.”
- “Expires at the conclusion of the named court case.”
- “Expires when my employment with ABC Company ends.”
- “Expires upon my Written Revocation delivered to the Privacy Officer.”
Revocation Rights and Procedures
You may revoke an authorization at any time by submitting a Written Revocation to the provider’s or plan’s Privacy Officer. Revocation stops future disclosures but does not undo disclosures already made in reliance on the authorization.
How to revoke effectively
- Write a brief notice stating you revoke your “Authorization for Disclosure of Health Information” and include your name, date of birth, and contact information.
- Identify the original authorization’s date, the recipient, and the PHI involved, if known.
- Deliver it using the method specified on the form (for example, mail, secure portal, or in person) and keep proof of delivery.
- Ask for written confirmation that revocation was received and the date it took effect.
Revocation may not apply when the authorization was a condition of obtaining insurance coverage or where other laws require continued use or disclosure. In all other cases, revocation should be honored promptly.
Step-by-Step Completion Instructions
What you need before you start
- Exact names and contact details for the disclosing entity and the recipient.
- A concise description of the PHI to share and the PHI Disclosure Purpose.
- Your chosen expiration date or Authorization Expiration Event.
- Any documents proving representative status (for example, power of attorney or guardianship), if you sign for someone else.
Form Template
Authorization for Disclosure of Health Information (HIPAA Release)
Patient Name: __________________________ DOB: __________ Phone: ______________
Address: _________________________________________________________________
1) Disclosing Entity (Who may disclose):
Name/Dept: __________________________ Phone: __________ Fax/Secure Email: __________
Address: _________________________________________________________________
2) Recipient (Who may receive):
Name/Org: ____________________________ Phone: __________ Fax/Secure Email: __________
Address: _________________________________________________________________
3) Information to be Disclosed (be specific):
__________________________________________________________________________
Date Range (if applicable): __________ to __________
4) Purpose of Disclosure (PHI Disclosure Purpose):
☐ Continuing care ☐ Legal review ☐ Insurance ☐ Personal use ☐ Other: ____________
5) Expiration:
Expires on (date): __________ OR upon (Authorization Expiration Event): ________________
6) Required Statements (acknowledge by initialing):
_____ I understand I may submit a Written Revocation at any time as described below.
_____ I understand treatment/payment/enrollment eligibility is not conditioned on signing,
unless allowed by law and stated here: ______________________________________
_____ I understand information disclosed to a non-HIPAA-regulated recipient may be
redisclosed and may no longer be protected by HIPAA.
7) Delivery Instructions:
Format: ☐ Paper ☐ Electronic (portal/encrypted email) Pick-up/Send by: ______________
8) Sensitive Information (check to include if applicable and permitted):
☐ Mental/behavioral health ☐ Substance use ☐ HIV/AIDS ☐ Genetic testing ☐ STI/STD
Revocation: Send any Written Revocation to: Privacy Officer, __________________________
Address/Email: _____________________________________________________________
Signature of Patient/Representative: _______________________ Date: __________
If representative, authority to act (attach proof): __________________________________
Witness (if required): __________________________ Date: __________
How to complete your form
- Identify the disclosing entity clearly, including department and contact details, so staff can locate your records quickly.
- Name the recipient precisely. If a law firm or insurer is involved, include the specific office and claim or file number.
- Describe the PHI narrowly. List document types and date ranges to limit disclosure to what you actually need.
- State the PHI Disclosure Purpose in practical terms (“pre-surgical clearance,” “second opinion,” “defense of claim”).
- Select an expiration date or define an Authorization Expiration Event that matches your use case.
- Initial the required statements to confirm you understand revocation, conditioning limits, and redisclosure risks.
- Indicate delivery method and format. Choose secure electronic options when available to reduce delay and cost.
- Address any sensitive categories explicitly, following state or organizational rules before inclusion.
- Sign and date. If you are a personal representative, state your authority and attach supporting documents.
- Keep a copy of the signed authorization and any confirmations for your records.
Compliance and Legal Considerations
Organizations must maintain HIPAA Compliance by using plain-language forms, training staff on verification procedures, and honoring expirations and revocations. Keep signed authorizations and related documentation for at least six years from the date created or last in effect.
The HIPAA “minimum necessary” standard does not apply to disclosures made pursuant to a valid authorization; however, you should still disclose only what the authorization specifically permits. Do not condition treatment or benefits on signing unless a narrow exception applies and it is properly disclosed.
Validate the identity and authority of anyone requesting or receiving PHI, including personal representatives for minors or incapacitated adults. Consider additional federal or state protections for categories like substance use, mental health, HIV/AIDS, or genetic information before disclosing.
Electronic Signatures and State Requirements
Electronic signatures are generally acceptable if your process captures a valid signature and intent to sign and keeps an accurate record. Most healthcare entities rely on the ESIGN Act and the Uniform Electronic Transactions Act to support e-sign workflows, provided identity, consent, and record integrity are addressed.
Best practices include multi-factor authentication, time-stamped audit trails, clear consent to do business electronically, and secure delivery of signed copies. Maintain records in a form that can be accurately reproduced for later reference.
State requirements may add content or format rules, or impose special consent for sensitive information. Some states or situations may require a witness or additional disclosures, and certain categories of records may also be governed by other federal laws. Always confirm that your template and processes align with applicable state rules before use.
Summary
- Define exactly what PHI will be shared, with whom, why, and for how long.
- Include mandatory statements on revocation, conditioning, and redisclosure.
- Choose a clear expiration date or Authorization Expiration Event and keep copies.
- Use Written Revocation to stop future disclosures and verify receipt.
- When using e-signatures, follow ESIGN Act and Uniform Electronic Transactions Act principles and any state-specific requirements.
FAQs
What information must be included in a HIPAA authorization form?
Your form must describe the specific PHI to be disclosed, identify who may disclose and who may receive it, state the PHI Disclosure Purpose, include an expiration date or Authorization Expiration Event, and contain your signature and date. It must also include statements about your right to Written Revocation, any conditioning limits, and the possibility of redisclosure.
How can an individual revoke a HIPAA authorization?
Send a Written Revocation to the provider’s or plan’s Privacy Officer using the method described on the form. Include your identifying details, the original authorization date or recipient, and a clear statement that you revoke permission. Revocation stops future disclosures but does not affect disclosures already made in reliance on the prior authorization.
Are electronic signatures valid for HIPAA authorization forms?
Yes, if the electronic signature process demonstrates intent to sign, reliably identifies the signer, and preserves an accurate record. Compliance frameworks commonly follow the ESIGN Act and the Uniform Electronic Transactions Act, along with any state-specific rules on consent and record retention.
Do HIPAA authorization requirements vary by state?
The federal core elements are consistent nationwide, but states may impose extra content, consent, or witnessing requirements, particularly for sensitive information. Always ensure your form satisfies both HIPAA and applicable state law before use or disclosure.