Checklist: How to Obtain Employee HIPAA Authorization to Disclose to Family

Kevin Henry

HIPAA

December 07, 2024

7 minutes read

HIPAA Authorization Requirement

Before you disclose an employee’s protected health information (PHI) to a family member, confirm whether a HIPAA authorization is required. HIPAA applies to covered entities (health plans, health care clearinghouses, and providers that conduct standard electronic transactions) and to their business associates. Note that an employer acting as an employer is not a covered entity, and employment records held in that role (sick-leave notes, fitness-for-duty results) are not PHI; the HIPAA question arises when the employer’s group health plan, a plan administrator, or a treating provider holds the information. If any of those parties will release PHI to a spouse, parent, or other relative for reasons outside routine care coordination, a written authorization is typically needed.

Authorization may not be required when a provider shares limited PHI directly relevant to a person’s involvement in the individual’s care or payment, and the individual agrees, is given the opportunity to object and does not, or (when the individual is not present or is incapacitated) the provider uses professional judgment that the disclosure is in the individual’s best interest (for example, discussing discharge instructions with a spouse). Outside those narrow situations, patient confidentiality and disclosure restrictions mean you must obtain a valid, signed authorization.

  • Confirm the disclosing party is a covered entity or business associate.
  • Determine exactly what PHI the family member needs and why.
  • If the purpose exceeds routine involvement-in-care scenarios, obtain written authorization first.

Authorization Form Elements

A valid authorization must include specific authorization form elements. Build or review your form against these requirements to ensure completeness and enforce disclosure restrictions that match the employee’s wishes.

Required core elements

  • Description of the PHI to be disclosed (be specific—dates, types of records).
  • Who is authorized to disclose the PHI (e.g., the hospital, clinic, or health plan).
  • Who may receive the PHI (name of the family member or relation; include contact details if helpful).
  • Purpose of the disclosure (e.g., care coordination, billing assistance).
  • Expiration date or event (for example, “one year from signature” or “end of hospitalization”).
  • Signature and date of the individual (or personal representative) with authority noted.

Required statements

  • Revocation rights: the individual may revoke the authorization in writing at any time, together with any exceptions to that right and how to revoke (the form may refer to the notice of privacy practices for these details).
  • Conditioning: whether treatment, payment, enrollment, or eligibility for benefits is conditioned on signing (for a disclosure to family this is “no”).
  • Re-disclosure notice: information disclosed may be re-disclosed by the recipient and may no longer be protected by HIPAA.
  • The whole form must be written in plain language, and the individual receives a copy when the covered entity is the one requesting the authorization.

Best-practice additions

  • Granular disclosure restrictions (e.g., “exclude mental health counseling notes,” “lab results only”).
  • Preferred communication method (phone with passcode, secure portal, mail).
  • Translator/interpreter acknowledgment if used.
  • Space to list multiple authorized family recipients with separate scopes.

Authorization Form Availability

Make the form easy to obtain and complete. Offer it through your HR/benefits portal, patient portals, the plan website, or at the provider’s registration desk. Provide paper and electronic formats; electronic signatures are commonly accepted if identity can be verified.

Provide plain-language versions and, where feasible, translated forms. Include clear instructions on where to submit completed forms (privacy office, HIM department, plan administrator) and how long processing typically takes. Keep a copy accessible to the employee and store the official record securely.

Revocation of Authorization

Employees retain revocation rights and can withdraw consent at any time. Until revoked, the authorization governs ongoing disclosures within its scope and expiration period.

How to revoke

  1. Submit a written revocation to the designated privacy contact listed on the form.
  2. Include the employee’s name, date of birth or plan/member ID, the date of the original authorization, and the recipients to stop.
  3. Request confirmation of processing and the effective date.

Revocation stops future disclosures but does not undo disclosures already made in reliance on the authorization. Notify affected departments and update systems and contact flags so staff do not disclose to the previously authorized family member going forward.

State Law Considerations

HIPAA sets baseline privacy protections, but more protective state privacy laws and health-record statutes can apply. Some states require extra consent or special handling for sensitive categories such as mental health records, HIV/AIDS status, genetic test results, reproductive health, or substance use disorder records (records from federally assisted SUD programs are also subject to the separate federal confidentiality rules in 42 CFR Part 2, which have their own consent requirements).

When state law is more stringent, follow that law. Your authorization form may need state-specific language or separate forms for certain data types. Always verify who qualifies as a personal representative under state law (e.g., guardians, agents under a healthcare power of attorney) before disclosing PHI to a family member claiming authority.

Steps to Obtain Authorization

  1. Identify the disclosing entity and confirm HIPAA applicability (provider, health plan, or business associate).
  2. Define the minimum PHI needed for the family member’s role, then tailor the scope on the form.
  3. Select the correct form version (general, plan-specific, or state-tailored) and prefill known fields.
  4. Explain the purpose, disclosure restrictions, expiration, and revocation rights in plain language.
  5. Verify the employee’s identity and authority to sign (or the personal representative’s status).
  6. Obtain signature and date; record any contact preferences and, if a phone passcode is used, store it in the controlled system as you would any other credential (never in free-text notes, e-mail, or the chart narrative).
  7. Provide a copy to the employee; file the original securely and record the expiration date.
  8. Flag the authorization in relevant systems and brief staff on permitted disclosures only.
  9. When disclosing, release only what the authorization specifies and document the action (good practice even if not required for accounting).
  10. Calendar renewal or revalidation before expiration, or earlier if the employee’s needs change.
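The steps above, the form elements, and the revocation rules only protect PHI if the system that staff consult before releasing records enforces them. The following is an added example, not code from the original article or from any product it mentions; the record layout, field names, PHI category labels, and staff identifier are assumptions made for illustration. It validates an authorization record against the required core elements and statements, then decides whether a specific release to a specific family member on a specific date is within scope, treating revocation as blocking only disclosures dated on or after the revocation, and expiration as either a fixed date or an event that has occurred:

```python
"""Disclosure check against a stored HIPAA authorization record (hypothetical
example; the field names are this example's own, not a regulatory schema)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional, Union

DateLike = Union[date, str, None]

# Statements that 45 CFR 164.508(c)(2) requires on every authorization form.
REQUIRED_STATEMENTS = frozenset({"revocation_right", "conditioning", "redisclosure"})


@dataclass(frozen=True)
class Authorization:
    phi_scope: frozenset                 # categories that may be released
    phi_excluded: frozenset              # explicit carve-outs (e.g. counseling notes)
    discloser: str                       # who may release (hospital, clinic, health plan)
    recipient: str                       # the named family member
    purpose: str
    signed_by: str
    signed_on: DateLike
    statements: frozenset                # required statements the form actually carries
    expires_on: DateLike = None          # fixed expiration date, or ...
    expiration_event: Optional[str] = None   # ... an expiration event
    event_occurred_on: DateLike = None   # when that event happened, if it has
    signer_is_representative: bool = False
    representative_authority: Optional[str] = None  # required when a rep signs
    revoked_on: DateLike = None          # date a written revocation was processed


def _as_date(value: DateLike) -> Optional[date]:
    """Accept date objects or ISO strings so callers need no datetime imports."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def form_defects(auth: Authorization) -> list:
    """Missing core elements and statements; an empty list means the form is complete."""
    defects = []
    if not auth.phi_scope:
        defects.append("no description of the PHI to be disclosed")
    for name in ("discloser", "recipient", "purpose", "signed_by"):
        if not getattr(auth, name):
            defects.append(f"missing {name}")
    if auth.expires_on is None and auth.expiration_event is None:
        defects.append("no expiration date or event")
    if auth.signer_is_representative and not auth.representative_authority:
        defects.append("personal representative signed without description of authority")
    for missing in sorted(REQUIRED_STATEMENTS - auth.statements):
        defects.append(f"missing required statement: {missing}")
    return defects


def may_disclose(auth: Authorization, recipient: str, category: str, on: DateLike) -> tuple:
    """Return (allowed, reason) for releasing `category` to `recipient` on date `on`.

    Order matters: a defective form is never relied on; revocation blocks only
    disclosures dated on/after the revocation (earlier releases stand); expiry by
    date or by event is checked before the recipient and scope checks."""
    defects = form_defects(auth)
    if defects:
        return False, "invalid authorization: " + "; ".join(defects)
    day = _as_date(on)
    if day < _as_date(auth.signed_on):
        return False, "disclosure predates the authorization"
    revoked = _as_date(auth.revoked_on)
    if revoked is not None and day >= revoked:
        return False, f"authorization revoked on {revoked}"
    expires = _as_date(auth.expires_on)
    if expires is not None and day > expires:
        return False, f"authorization expired on {expires}"
    event_day = _as_date(auth.event_occurred_on)
    if event_day is not None and day > event_day:
        return False, f"expiration event '{auth.expiration_event}' occurred on {event_day}"
    if recipient.strip().casefold() != auth.recipient.strip().casefold():
        return False, f"{recipient!r} is not the authorized recipient"
    if category in auth.phi_excluded:
        return False, f"{category!r} is explicitly excluded by the authorization"
    if category not in auth.phi_scope:
        return False, f"{category!r} is outside the authorized scope"
    return True, "within scope of authorization"


def disclosure_record(auth: Authorization, recipient: str, category: str,
                      on: DateLike, staff_id: str) -> dict:
    """Audit entry capturing the decision, whether or not the release happened."""
    allowed, reason = may_disclose(auth, recipient, category, on)
    return {"date": _as_date(on).isoformat(), "staff": staff_id, "recipient": recipient,
            "category": category, "allowed": allowed, "reason": reason}


def revoke(auth: Authorization, on: DateLike) -> Authorization:
    """Record a processed written revocation; earlier disclosures are unaffected."""
    return replace(auth, revoked_on=on)


def amend(auth: Authorization, **changes) -> Authorization:
    """Return a copy with fields changed (used to model form variants below)."""
    return replace(auth, **changes)


# Constructed sample record; names and categories are made up for the example.
SAMPLE = Authorization(
    phi_scope=frozenset({"lab_results", "discharge_instructions"}),
    phi_excluded=frozenset({"mental_health_notes"}),
    discloser="Example Clinic", recipient="Pat Doe (spouse)",
    purpose="care coordination", signed_by="Alex Doe", signed_on="2025-01-10",
    statements=REQUIRED_STATEMENTS, expires_on="2026-01-10",
)

if __name__ == "__main__":
    for cat in ("lab_results", "mental_health_notes"):
        print(disclosure_record(SAMPLE, "Pat Doe (spouse)", cat, "2025-03-01", "him-17"))
    print(disclosure_record(revoke(SAMPLE, "2025-04-01"), "Pat Doe (spouse)",
                            "lab_results", "2025-04-02", "him-17"))
```

Every decision is written to the audit record, including denials, so a later review can show that the "lab results only" or "exclude counseling notes" restrictions were actually enforced rather than merely printed on the form.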

Ensuring Compliance with HIPAA

Embed compliance standards into daily operations. Train workforce members on patient confidentiality, identity verification, scope limits, and how to handle family inquiries. Maintain role-based access, use secure channels for transmission, and retain completed and revoked authorizations for at least six years from the date of creation or the date the authorization was last in effect, whichever is later.

Use vendor due diligence and business associate agreements where appropriate. Remember, the minimum necessary standard does not apply to disclosures made pursuant to a valid authorization, but you should still limit disclosures to what the document permits. Enforce sanctions for violations and audit periodically to confirm that only authorized family members receive PHI.

Conclusion

Obtaining employee HIPAA authorization to disclose to family is straightforward when you confirm the need, use a form containing all required authorization form elements, respect revocation rights, account for state-specific requirements, and operationalize clear disclosure restrictions. Following this checklist helps you protect patient confidentiality while enabling families to support care and benefits decisions.

FAQs

What information must be included in a HIPAA authorization form?

At minimum, the form must specify the PHI to be disclosed, who is authorized to disclose it, who may receive it, the purpose, an expiration date or event, and the individual’s signature and date. It must also include statements about revocation rights, any conditioning (if applicable), and a re-disclosure notice. Adding granular limits and preferred contact methods further strengthens privacy.

How can an employee revoke HIPAA authorization?

The employee submits a written revocation to the privacy contact named on the form, identifying the original authorization and recipients to stop. Once processed, future disclosures cease; disclosures already made in reliance on the prior authorization remain valid. Request written confirmation and ensure system flags are updated.

Are there additional state laws affecting HIPAA disclosures to family?

Yes. Many states impose stricter rules for sensitive information such as mental health, HIV, genetic data, reproductive health, or substance use disorder records, and may define personal representative status differently. When state law is more protective than HIPAA, follow the state requirement and, if needed, use supplemental forms or language.

When can a healthcare provider disclose PHI without authorization?

Providers may share limited PHI with people involved in the individual’s care or payment when the individual agrees, has the chance to object, or the provider uses professional judgment (including emergencies or incapacity). Disclosures also may occur when required by law or for specific public health and safety purposes. Outside these situations, a written authorization is necessary.
