A medical records release (HIPAA) form is a written authorization for health providers to release information to the patient and someone other than the patient.
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state laws mandate that health providers not disclose a patient’s information without valid authorization except in limited circumstances as required or permitted by law.
When to Use a Medical Records Release Form
- To Improve Your Care: This form helps you share information with new specialists, hospitals, and other providers working on your treatment.
- To Update Your Records: You can secure a copy of your medical records for safekeeping or to get second opinions.
- To Handle Legal Cases: Records can provide proof of physical injuries, help calculate damages, and determine the cause of injuries.
- To Handle Employment Matters: Employers use medical information to determine job fitness and document sick leave.
- To Assist with a Research Study: Clinical trial scientists use identifiable information to conduct research.
- To Get Insurance Coverage: Insurance companies use the information to underwrite life and health insurance policies, pay bodily injury claims, and pay workers’ compensation claims.
Summary of the HIPAA Privacy Rule
The Health Insurance Portability and Accountability Act of 1996 established the HIPAA Privacy Rule. Here’s an overview:
- Relevant Laws: The Code of Federal Regulations covers two laws relevant to the HIPAA Privacy Rule.
  - 45 CFR Part 160: Part 160 covers general administrative requirements.
  - 45 CFR Part 164: Part 164 covers security and privacy matters.
- Purpose: The HIPAA Privacy Rule’s purpose is to ensure patients’ health information remains confidential while still accessible to healthcare providers who need it to offer the highest quality care possible.
- Covered Entities: The HIPAA Privacy Rule applies to the following entities:
  - Healthcare clearinghouses: Healthcare clearinghouses are entities that transmit health data into a standard format for insurance companies to use to process claims.
  - Health plans: Health plans include government programs funding health care (like Medicaid and Medicare), company health plans, HMOs, and private health insurance companies.
  - Healthcare providers: Healthcare providers include doctors, pharmacies, nursing homes, chiropractors, psychologists, and hospitals that send health information electronically.
  - Business associates: Business associates complete specific activities on behalf of a covered entity.
- Key Points: Here are some key points the HIPAA Privacy Rule covers:
  - Protected Health Information (PHI): Protected health information refers to any individually identifiable medical information that a covered entity transmits or stores in its records. This information includes any details regarding an individual’s past, present, or future health information. It also includes their healthcare payments and the treatment they receive.
  - Patients’ Rights: The HIPAA Privacy Rule enforces specific patient rights, including their right to:
    - Request corrections to mistakes in their health information.
    - Obtain copies of their medical records.
    - Ask for restrictions on certain disclosures and uses of their health data.
    - Receive PHI confidentially at alternative locations or by alternative means.
    - Learn about healthcare providers’ and health plans’ privacy practices.
  - Disclosure and Use: Covered entities can use and disclose PHI under specific circumstances without patient authorization, including for purposes of healthcare operations, payment, and treatment.
  - Safeguards: The Privacy Rule demands that covered entities enact safeguards to protect PHI.
What to Include in a Medical Records Release Form
To be valid, a simple records release must include at least the following:
- Patient’s details: The name, address, phone number, and other identifying details of the patient.
  - In most cases, the patient will be the individual making the requested disclosure.
  - Guardian or legal/personal representative: If the patient isn’t making the disclosure themselves, the guardian or legal/personal representative should identify themselves in the form.
- The releasing party’s details: The names or other specific identification of the party releasing the information.
- The recipient’s details: The names or other specific identification of the recipient of the information.
- Specific information: A description of the information to be used or disclosed.
- Risk of disclosure: A statement of the potential risk that information will be re-disclosed by the recipient and no longer protected, especially if the recipient isn’t a covered entity.
- Expiration date: The date when the authorization expires.
- Purpose: A description of each purpose of the requested use or disclosure.
- Revocation: A statement of the patient’s right to revoke the authorization.
- Refusal to Sign: Whether treatment, payment, enrollment, or benefits eligibility can be conditioned on the authorization and consequences of refusing to sign the release.
- Date and Signature: If the patient’s authorized representative signs the release, a description of the authorized representative’s authority to act for the patient must also be provided.
How to Get Medical Records
Step 1 – Determine Who Holds Your Records
Determine the holder of your records. It may be an insurance company, medical facility, or another entity. This way, you’ll know to whom to submit your HIPAA release form.
Step 2 – Prepare a Written Request
Prepare a written request with the patient’s name and the recipient and disclosing party’s information.
Specify what information you want the holder to release. It might just be one medical record, like the results from genetic testing. You can also state that you want the recipient to have access to all health information about you.
If You're Authorizing the Release of Someone Else's PHI
If you’re authorizing the release of someone else’s PHI, you may be acting under a medical power of attorney or a minor power of attorney. In this case, you should identify yourself as the patient’s guardian or legal representative on the authorization form.
Step 3 – Prepare to Supply the Associated Fees
Health providers have a right to charge for the reasonable costs of copying patient records. Many providers want payment before they release records, so you should procure the appropriate funds before proceeding.
Health IT provides an overview of state law and the maximum fees doctors and hospitals may charge patients for copies of documents. Contact the health provider to find out how much the copying charges will be, if any, and include payment with the signed records release.
According to a 2005 article published in PubMed Central, “reasonable costs” for copying records range widely from $2 to $55 for short records of 15 pages and upwards of $15 to $585 for longer records of 500 pages.
Step 4 – Submit the Request
Submit the completed request with the payment information to the holder of your medical records. You may need to provide proof of your identity via a copy of a government-issued ID. This way, the holder can confidently disclose information, knowing that your request is genuine and not from someone else trying to commit fraud.
Consider signing with ink when possible. While electronic signatures can be acceptable, they must adhere to the guidelines in the Electronic Signatures in Global and National Commerce Act.
Step 5 – Wait for Processing and Receive Your Records
Per 45 CFR § 164.524, the holder must provide access to or transfer your medical records within 30 days of the initial request. If they can’t complete this task, they must send a letter explaining the delay.
Supplemental Form
If you’re responsible for a child’s health care, you may be able to authorize their treatment using a child medical consent form. You may still need a HIPAA release form to ensure their healthcare providers have the appropriate data.