HIPAA and State Medical Release Form Laws

HIPAA regulations require that covered entities obtain a HIPAA medical release form (or medical records release authorization form) before PHI is disclosed. States are permitted to have their own HIPAA-equivalent medical release form laws, so long as the state HIPAA medical release form laws are at least as protective of patient privacy as the HIPAA regulations. HIPAA medical release form requirements, and medical release form requirements in four populous states – Florida, New York, California, and Texas – are discussed below.

medical release form

When is a HIPAA Medical Release Form Required?

In the event that a provider must disclose PHI for reasons other than payment, treatment, or healthcare operations, the provider must generally obtain written authorization from the patient (or the patient’s personal representative). The written authorization form is commonly called a  HIPAA medical release form (or medical records release authorization form). The authorization must be obtained before any PHI can be disclosed. Specific instances of when a HIPAA medical release form (medical records release authorization form) is required include:

  • Prior to any disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations.
  • Prior to disclosing PHI that may be used in marketing or fundraising efforts.
  • Prior to disclosing PHI for research purposes.
  • Prior to the disclosure of any psychotherapy notes.
  • Prior to PHI being disclosed or shared for monetary compensation.

Would you pass a HIPAA audit? Take this quiz to find out! 

What Must be Included on a HIPAA Medical Release Form?

First, HIPAA regulations require that all communications with patients concerning their rights  under the law must be written in plain language. That means that the information must not contain jargon and must be clearly understandable. Second, the HIPAA records release form must be made available for patients to read and review before obtaining their signature and authorization.

A HIPAA medical release form must contain the following:

  • A description of the PHI that may be shared or disclosed.
  • The purpose for the PHI disclosure. 
  • The name of the entity or person(s) with whom the PHI will be shared.
  • A date by which the authorization for the disclosure will expire
  • The signature (with the date the form is signed) of the patient. 
  • If a patient is having a personal representative sign on their behalf, covered entities must also obtain a description of the personal representative’s relationship to the patient, and documentation of the personal representative’s authority (such as a power of attorney naming a personal representative) to act on behalf of the patient.

The HIPAA medical release form should also state what rights the patient has with respect to the authorization. These rights include:

  • The right to revoke the authorization for disclosures, including procedures for how to revoke the authorization.
  • The patient’s right to be free from retaliation or other penalty for failing to sign the authorization. 

States have their own medical release laws. These release of medical records laws describe when use or disclosure of medical records require written patient authorization. Some state laws are more protective of patient privacy than other state laws. That is, some states impose greater restrictions on when providers can disclose patient records without authorization than others. This is where HIPAA comes into play. If a state’s medical release laws are at least as patient-protective as HIPAA, providers can rely on those laws in determining when they can make disclosures without patient authorization. In states whose medical release laws are less protective of patient privacy than HIPAA is, providers must follow HIPAA, rather than the state law.

For example: HIPAA generally prohibits a provider from selling PHI, without patient authorization. If a state law does not have this prohibition, the provider must follow HIPAA, and not the state law, since HIPAA is more protective of patients’ privacy than the state law.  

The medical release form laws and medical release forms for four large states – Florida, New York, California, and Texas – are discussed below.

Medical Release Form Florida

Florida law provides that patient medical records may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than:

  • The patient;
  • The patient’s legal representative; or
  • Healthcare providers involved in the patient’s care or treatment.

Additionally, in Florida, absent a specific written release or authorization permitting use of patient information for solicitation, marketing, the sale of goods, or services, use of  PHI for those purposes is prohibited.

For medical records to be furnished to people outside of this list, the patient must provide written authorization for medical records release. For example, under Florida law, absent a specific written release or authorization permitting utilization of patient information for solicitation or marketing the sale of goods or services, any use of that information for soliciting or marketing is prohibited.

Are there Exceptions to When a Florida Medical Release Form is Required?

Under Florida law, medical records may be furnished without written authorization under the following circumstances:

  • To any person, firm, or corporation that has furnished care or treatment to the patient with the patient’s consent; or
  • When a compulsory medical exam is made as part of a lawsuit. These exams are required when the medical condition of a party is in dispute. When such an exam is made, copies of the medical exam report, and the medical records used to create the report, must be given to both a plaintiff and a defendant.
  • When a court issues a subpoena to a party in a lawsuit. A subpoena is a court order requiring a party to do something. In this instance, the “something” is requiring the party to provide that party’s medical records to the other party.
  • For statistical and scientific research, provided the information is abstracted in such a way as to protect the identity of the patient, or provided written permission is received from the patient or patient’s legal representative.
  • To a regional poison control center for purposes of:
    • Treating a poison episode under evaluation;
    • Case management of poison cases; or
    • Compliance with data collection and reporting requirements set forth in Florida’s regional poison control center reporting law. 
  • To the Florida Department of Children and Families or its agents, for the purpose of investigation of or services for cases of abuse, neglect, or exploitation of children or vulnerable adults.

Florida medical release form requires patients to input their name, date of birth, and residence. The Florida medical release form also provides a space for the patient to write down the name of the provider or organization to whom the patient authorizes medical records disclosure. The form also informs the patient that the authorization will remain in effect until the patient withdraws it, and that a patient can revoke at any time by giving written notice to the person or organization it previously authorized.

Medical Release Form NY

In general, New York provides for greater patient privacy protections than HIPAA does.

Section 18 of the New York Public Health Law states that providers (which include, among others, hospitals, home care facilities, hospices, health maintenance organizations and shared health facilities, and healthcare practitioners) may disclose medical records to “qualified persons” under certain circumstances. “Qualified persons” include (among others) an incapacitated adult patient’s legal guardian, and executors and administrators of estates of deceased patients. An attorney representing a “qualified person” is also a “qualified person,” provided that the attorney has a signed power of attorney authorizing the attorney to request medical records.

Are there Exceptions to When a New York Medical Release Form is Required?

In addition, although they are not necessarily “qualified persons” under Section 18, individuals with the authority to make healthcare decisions for patients have a right to receive medical information in order to make those decisions.

Under New York law, access to the following records or parts of records may be denied to those who request it:

  • The personal notes and observations maintained by the healthcare provider;
  • Information that was disclosed to the provider, by the patient, on the understanding that it would be kept confidential and it has been kept confidential since then;
  • Information about the treatment of a minor that, in the provider’s opinion, should not be disclosed to the parents or guardians; and
  • Information that the provider determines may substantially harm the patient or others.

Section 18 requires a provider who denies access to part or all of a record to inform the qualified person of the reason for the denial. 

What is HIPAA Form 960?

New York’s medical release form is entitled, “Authorization for Release of Health Information

under the HIPAA (OCA-960).” Because the title contains the number “960,” the New York medical release form is commonly referred to as “HIPAA Form 960.” The New York medical release form, HIPAA Form 960, explains (among other things) that authorization is voluntary; and that payment, treatment, enrollment in a healthcare plan, or eligibility for benefits, cannot be conditioned upon authorizing a disclosure.  The New York medical release form, HIPAA Form 960, also states that certain medical information can be redisclosed by the recipient of the disclosure, and that the redisclosure may no longer be protected under state or federal law.

Medical Release Form California

Under the California Confidentiality of Medical Information Act (CMIA), patient medical records may not be disclosed without authorization unless disclosure is required for litigation, or is required to communicate important medical information to other healthcare providers, insurers, and other interested parties.

California law imposes very specific requirements (more stringent than those under HIPAA) for authorizations to be valid. Under California law, a medical release form allowing disclosure by a provider of healthcare must (among other requirements): 

  • State the specific uses and limitations on the types of medical information to be disclosed;
  • State the name or functions of the healthcare provider that may disclose the medical information;
  • State a specific date after which the provider is no longer authorized to disclose the medical information;
  • Be handwritten by the person who signs it, or be in a typeface no smaller than 14-point type;
  • Be clearly separate from any other language present on the same page;
  • Be executed by a signature that serves no other purpose than to execute the authorization; and
  • Be signed and dated by the patient. A patient who is a minor may only sign an authorization for the release of treatment information records, if the medical services given to the minor were services the minor could have lawfully consented to in the first place (California minors as young as 12 years old may provide consent for certain medical services. For other services, the age of consent is higher – in some cases, the age of consent is 18). 
    • A legal representative may sign and date the authorization, if the patient is incapacitated.
    • A spouse of the patient, or the person financially responsible for the patient, may sign and date the authorization, if (and only if) the information is being sought to process a healthcare insurance application, or to enroll a patient in an employee benefit plan in which the patient is to be enrolled as a spouse or dependent.
    • In cases where the patient is deceased, the personal representative of the patient may sign and date the California medical release form. 

A sample California medical release form can be viewed by clicking here. This particular California medical release form is for disclosures about mental health services.

Medical Release Form Texas

Under Texas law, covered entities, as that term is defined by HIPAA, must obtain a signed authorization from the individual or the individual’s legally authorized representative to electronically disclose that individual’s protected health information. 

Under Texas law, patient authorization is not required for disclosures related to treatment, payment, healthcare operations, performing certain insurance functions, or as may be otherwise authorized by law. 

There are exceptions to this general rule. Authorization is required when (among other circumstances):  

  • The disclosure involves mental health records;
  • The disclosure involves genetic information, including genetic test results;
  • The disclosure involves drug, alcohol, or substance abuse records; or
  • The disclosure involves HIV/AIDS test results or treatment. 

The Texas medical release form can be found by clicking here. This Texas medical release form was developed under Texas HB 300. Texas HB 300, among other things, set standards for the electronic disclosure of protected health information. The Texas medical release form above covers electronic disclosures. The Texas medical release form for “paper” disclosures of PHI tracks the HIPAA Privacy Rule, for the most part. However, Texas provides greater protection (with respect to both PHI and ePHI) than HIPAA in the following ways:

  • In Texas, covered entities must follow the medical release laws. However, Texas defines what a covered entity is, more broadly than HIPAA. In Texas, a covered entity is “Any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI.” 
  • HIPAA allows de-identified information to be re-identified under specific guidelines; however, Texas does not allow re-identification at all.
  • Texas law is much more restrictive of marketing than HIPAA is. HIPAA ultimately allows covered entities to market a huge variety of health products, with a few restrictions, without obtaining authorization from the individual. Texas prohibits any release of PHI for marketing purposes without consent or authorization from the individual.