Kaiser Permanente HIPAA: Your Privacy Rights, Authorization Forms, and How to Share Medical Records

Kaiser Permanente HIPAA policies are designed to protect your health information while making it easy to share records when you choose. This guide explains your patient privacy rights, how to complete a HIPAA authorization form, options for Health Information Exchange participation, and the Release of Information procedure for getting or sending records.

You will also learn how Substance Use Disorder privacy works, what counts as a protected health information disclosure, and when fees or waivers may apply under medical records access regulations. Use these steps to control your data with confidence and avoid delays.

HIPAA Authorization Form Requirements

Core elements you must include

• Patient identifiers: full name, date of birth, and additional details (such as medical record number) to match you correctly.
• Scope of the request: a specific description of the information (for example, visit dates, imaging, labs, billing) and the format you want (electronic or paper).
• Recipient and purpose: who will receive the records and why (treatment, personal use, legal, insurance, or other stated purpose).
• Expiration and revocation: a date or event when the authorization ends, plus notice that you can revoke in writing at any time before release.
• Signature and date: your signature or that of a personal representative, with documentation of authority if signed on your behalf.

A complete HIPAA authorization form avoids back-and-forth and speeds processing. If you want sensitive categories shared (such as psychotherapy notes, HIV information, or Substance Use Disorder privacy–protected records), you may need to specifically authorize those items.

Identity and representation

Expect identity verification. If a representative signs, Kaiser Permanente will require proof of authority (for example, durable power of attorney for health care, guardianship, or executor documents). Minors and emancipated minors have special rules that vary by state.

Tips to prevent delays

• List exact dates or a concise date range and note “all locations” if needed.
• Choose delivery method up front (portal download, encrypted email, USB/CD, or paper mail).
• Provide a direct phone and email for follow-up and indicate whether partial releases are acceptable while remaining items are gathered.

Health Information Exchange Participation

How HIE improves care

Through Health Information Exchange (HIE), your Kaiser Permanente clinicians can securely view key data from other participating organizations. This supports medication safety, reduces duplicate testing, and helps new providers understand your history in emergencies or when you travel.

Opt-in and Health Information Exchange opt-out

Participation is typically enabled to support coordinated care, but you control sharing. You may submit a Health Information Exchange opt-out request if you prefer not to send or receive data via HIE. Opting out limits HIE-based sharing but does not stop required reporting to public health or disclosures otherwise permitted by law.

What still gets shared

Even if you opt out of HIE, Kaiser Permanente may make protected health information disclosures for treatment, payment, and health care operations as allowed by HIPAA, as well as for public health, law, or patient safety requirements. You can re-enroll in HIE later if your preferences change.

Privacy Practices and Legal Protections

Your Patient privacy rights

• Access and copies: you can inspect or obtain copies of your records within HIPAA timelines under medical records access regulations.
• Amendments: you can request corrections or an addendum when something is inaccurate or incomplete.
• Accounting of disclosures: you can ask for a list of certain non-routine disclosures.
• Restrictions: you may request limits on sharing and ask for confidential communications to an alternate address or phone.
• Notice of Privacy Practices: you are entitled to a clear explanation of uses, safeguards, and your options.

Permitted uses and protected health information disclosure

Without your authorization, HIPAA permits disclosures for treatment, payment, and health care operations, and in specific public interest situations. Kaiser Permanente follows the minimum necessary standard for non-treatment uses and protects ePHI with administrative, physical, and technical safeguards. De-identified data that cannot identify you is not PHI.

Release of Information Procedure

Steps to request records

1. Define scope: decide which visits, dates, departments, or document types you need.
2. Complete the Release of Information procedure using a HIPAA authorization form or, when available, a secure portal request.
3. Verify identity: provide photo ID or required representative documents.
4. Select delivery: choose electronic (portal, secure email, USB/CD) or paper mail; indicate if you also want records sent directly to another provider.
5. Submit and track: note the submission date so you can follow up if timelines approach.

Turnaround and delivery

Under HIPAA’s right-of-access rules, requests are generally fulfilled within 30 days, with one permitted 30-day extension if necessary. You can often receive electronic copies faster, especially for items already available through your member portal. Ask for status updates if you have urgent care needs.

Third-party and continuing care

If you are sending records to a new clinician, you may direct Kaiser Permanente to release PHI straight to that provider. For ongoing care transitions, many organizations prioritize rapid, no-cost exchanges through HIE or direct provider-to-provider transfer to avoid treatment delays.

Handling Substance Use Disorder Records

Extra protections under 42 CFR Part 2

Records from federally assisted Substance Use Disorder programs carry heightened protections beyond HIPAA. Disclosures usually require your specific, written consent and must include a notice that the information is protected and cannot be redisclosed without your permission, except in limited situations.

What your authorization must include

• Precise description of the SUD information to be released and the recipient’s name.
• Purpose of the disclosure, expiration, and your right to revoke.
• Statement prohibiting redisclosure unless permitted by law or specifically authorized by you.

Certain exceptions exist—such as medical emergencies, audits and evaluations, or a valid court order—but they are narrow. Ask whether your request requires a separate SUD-specific consent so your instructions are honored.

Practical tips

• Use a separate authorization if you want to share SUD records while limiting other details.
• Consider sharing summaries (medication list, allergies, recent treatment dates) when full notes are unnecessary.
• Discuss privacy preferences with your care team to balance safety and confidentiality.

Patient Rights and Access to Records

How to access

You can view many results and clinical documents online and request additional items through Release of Information. If you need imaging, specify “images and the radiology report” and choose electronic media or paper. For sensitive categories, confirm whether extra permission is required.

Amendments and corrections

If something is wrong or incomplete, submit a written amendment request. Kaiser Permanente will respond within HIPAA timelines and either make the change, add your statement of disagreement, or explain why it cannot amend. You can ask Kaiser Permanente to share accepted amendments with prior recipients.

Designating a representative

You may authorize a spouse, family member, or caregiver to access your information, either through a proxy account or by naming them on an authorization. Legal documents are needed when a person acts for you due to incapacity or for estate matters.

Confidential communications and restrictions

You can request that communications be sent to an alternate address, phone, or email. You may also request that Kaiser Permanente not disclose information to a health plan about a service for which you paid in full out-of-pocket, consistent with HIPAA rules and applicable state laws.

Fees and Waivers for Information Release

What fees HIPAA allows

HIPAA permits a reasonable, cost-based fee for copying and delivering records. Allowable components include labor for copying, supplies (such as paper or USB), and postage, plus an agreed-upon fee for a summary if you request one. There is no fee to view or download information made available to you through the secure member portal.

When fees may be waived

Fees are often waived for releases sent directly to another provider for ongoing treatment, for portal access, or when errors originated from the record. Your Kaiser Permanente region may also consider hardship requests or apply state-specific limits for certain formats.

Get an estimate and resolve concerns

• Ask for an itemized estimate before processing, especially for large imaging sets or paper copies.
• Clarify whether the recipient is a provider (continuity-of-care releases are frequently no-cost).
• If charges seem inconsistent with medical records access regulations, request a review.

Key takeaways

• You control sharing through a clear HIPAA authorization form and HIE preferences.
• Substance Use Disorder privacy includes additional consent and redisclosure limits.
• Know your patient privacy rights: access, amendments, restrictions, and confidential communications.
• Expect reasonable, cost-based fees, with common waivers for treatment-related releases and portal access.

FAQs.

What is required to complete a HIPAA authorization form?

Provide your identifiers, a precise description of the records, the recipient and purpose, an expiration date or event, and a dated signature. If a representative signs, include proof of authority. Authorize sensitive categories explicitly if you want them shared.

How can patients opt out of Health Information Exchange?

Submit a Health Information Exchange opt-out request to Kaiser Permanente, following your region’s process (for example, portal request or written form with ID verification). Opting out limits HIE-based sharing but does not stop disclosures required or permitted by law.

What protections exist for Substance Use Disorder records?

Records from SUD programs have extra safeguards. Disclosures typically require your specific consent and must carry a notice prohibiting redisclosure unless you authorize it or a narrow legal exception applies, such as a medical emergency or valid court order.

Are there fees associated with releasing medical records?

HIPAA allows reasonable, cost-based fees for copying and delivering records, covering labor, supplies, and postage. Viewing or downloading through the member portal is typically free, and treatment-related releases to other providers are often waived.