A medical release form is a form required by the Health Insurance Portability and Accountability Act (HIPAA) when a covered entity or business associate uses or discloses Protected Health Information (PHI) for a purpose not required or permitted by the HIPAA Privacy Rule.
If your organization qualifies as HIPAA covered entity, or as a business associate of a HIPAA covered entity, you are only allowed to use or disclose PHI for a purpose required or permitted by the HIPAA Privacy Rule (45 CFR Part 164, Subpart E). If you want to use or disclose PHI for any other purpose, it is necessary to obtain a valid medical release form signed by the subject of the PHI or their personal representative.
As well as stipulating what uses and disclosures of PHI are required or permitted, the HIPAA Privacy Rule (45 CFR §164.508) also stipulates what core elements are required in a medical release form to ensure the medical release form is valid. The failure to include all the core elements – even if they do not apply in all cases – invalidates the form, making any release of information included in the form invalid.
Required Disclosures of Medical Records
There are two circumstances in which disclosures of medical records are required by HIPAA. These are when an individual exercises their right to obtain a copy of their PHI or an accounting of disclosures, and when an individual’s medical records are required by the Department of Health and Human Services’ Office for Civil Rights (OCR) to investigate a complaint, alleged violation, or data breach, or to conduct a compliance audit.
Additionally, some states require healthcare providers to disclose medical records in order to report (for example) child abuse, domestic violence, or gunshot injuries. The Privacy Rule permits disclosures of this nature under 45 CFR §164.512 – “Uses and disclosures for which a medical release form or opportunity to agree or object is not required” – provided the disclosure complies with the minimum necessary standard.
Permitted Disclosures of Medical Records
Covered entities and business associates are permitted to use and disclose PHI for most treatment, payment, and health care operations. Health care operations include business planning, quality assessments, internal disciplinary actions, and medical training programs. In these circumstances the minimum necessary standard does not apply and there is no limit to how much PHI can be disclosed.
Additionally, covered entities and business associates are permitted to disclose PHI for other purposes listed under 45 CFR §164.512. However, in some cases, a healthcare provider may request a medical release form before disclosing an individual’s medical records even though the disclosure is permitted by this section – or if the purpose of the disclosure requires a disclosure of more than the minimum necessary PHI.
Other Circumstances in Which a Medical Release Form is Not Required
There are a limited number of other circumstances in which a medical release form is not required. These include when PHI is deidentified before being disclosed for research purposes, when the verbal consent of an individual is sufficient to satisfy the requirements of the Privacy Rule, or when an individual is unable to provide their verbal consent and a decision is made in the best interests of the individual.
The circumstances in which verbal consent (or proxy verbal consent) is sufficient are covered in 45 CFR §164.510 and include disclosing an individual’s health condition to family and friends when the individual is asked for by name or to help locate a missing individual. Although not required by the Privacy Rule, it is recommended that individual’s consent – or their objection to a disclosure – is documented.
What Should be Included in a Medical Release Form?
The core elements of a medical release form are that the form contains the name of the person authorized to sign the form (i.e., the patient or their personal representative), the name of the individual or organization being authorized to disclose the information, a description of the health information being used or disclosed, the purpose of the disclosure, and an expiration date or event.
The form must also contain statements advising the individual of their right to revoke authorization, advising the individual that health care or health plan benefits are not conditional on signing the medical release form, and that, if the recipient of the health information is not a covered entity or business associate, the potential exists for the information being disclosed to be further disclosed.
It may also be necessary for covered entities and business associates to include clauses relating to state or other federal regulations. For example, when Substance Use Disorder records are disclosed under a Qualified Service Organization Agreement, the individual has to be advised that the records will not be further disclosed without another valid medical release form (see 42 CFR Part 2, Subpart C).
Customizing a Medical Release Form Template
There are a number of medical release form templates available online. However, because of the different ways in which the forms can be used, there is no one-size-fits-all medical release form template. Therefore, before adopting them for use in their organizations, covered entities and business associates should customize the template to ensure it complies with all applicable state and federal laws.
For the benefit of individuals and organizations downloading our medical release form template, we have included all the core elements and requirements of the HIPAA Privacy Rule and added further elements based on a cross-section of state and federal laws. Covered entities and business associates unsure about how to further customize the template to comply with all applicable state and federal laws should seek professional compliance advice.
Download Medical Release Form
(Word document, 22K)