HIPAA and State Medical Release Form Laws

HIPAA regulations require that covered entities obtain a HIPAA medical release form (or medical records release authorization form) before PHI is disclosed. States are permitted to have their own HIPAA-equivalent medical release form laws, so long as the state HIPAA medical release form laws are at least as protective of patient privacy as the HIPAA regulations. HIPAA medical release form requirements, and medical release form requirements in four populous states – Florida, New York, California, and Texas – are discussed below.

medical release form

When is a HIPAA Medical Release Form Required?

In the event that a provider must disclose PHI for reasons other than payment, treatment, or healthcare operations, the provider must generally obtain written authorization from the patient (or the patient’s personal representative). The written authorization form is commonly called a  HIPAA medical release form (or medical records release authorization form). The authorization must be obtained before any PHI can be disclosed. Specific instances of when a HIPAA medical release form (medical records release authorization form) is required include:

  • Prior to any disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations.
  • Prior to disclosing PHI that may be used in marketing or fundraising efforts.
  • Prior to disclosing PHI for research purposes.
  • Prior to the disclosure of any psychotherapy notes.
  • Prior to PHI being disclosed or shared for monetary compensation.

Would you pass a HIPAA audit? Take this quiz to find out! 

What Must be Included on a HIPAA Medical Release Form?

First, HIPAA regulations require that all communications with patients concerning their rights  under the law must be written in plain language. That means that the information must not contain jargon and must be clearly understandable. Second, the HIPAA records release form must be made available for patients to read and review before obtaining their signature and authorization.

A HIPAA medical release form must contain the following:

  • A description of the PHI that may be shared or disclosed.
  • The purpose for the PHI disclosure. 
  • The name of the entity or person(s) with whom the PHI will be shared.
  • A date by which the authorization for the disclosure will expire
  • The signature (with the date the form is signed) of the patient. 
  • If a patient is having a personal representative sign on their behalf, covered entities must also obtain a description of the personal representative’s relationship to the patient, and documentation of the personal representative’s authority (such as a power of attorney naming a personal representative) to act on behalf of the patient.

The HIPAA medical release form should also state what rights the patient has with respect to the authorization. These rights include:

  • The right to revoke the authorization for disclosures, including procedures for how to revoke the authorization.
  • The patient’s right to be free from retaliation or other penalty for failing to sign the authorization. 

States have their own medical release laws. These release of medical records laws describe when use or disclosure of medical records require written patient authorization. Some state laws are more protective of patient privacy than other state laws. That is, some states impose greater restrictions on when providers can disclose patient records without authorization than others. This is where HIPAA comes into play. If a state’s medical release laws are at least as patient-protective as HIPAA, providers can rely on those laws in determining when they can make disclosures without patient authorization. In states whose medical release laws are less protective of patient privacy than HIPAA is, providers must follow HIPAA, rather than the state law.

For example: HIPAA generally prohibits a provider from selling PHI, without patient authorization. If a state law does not have this prohibition, the provider must follow HIPAA, and not the state law, since HIPAA is more protective of patients’ privacy than the state law.  

The medical release form laws and medical release forms for four large states – Florida, New York, California, and Texas – are discussed below.

Medical Release Form Florida

Florida law provides that patient medical records may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than:

  • The patient;
  • The patient’s legal representative; or
  • Healthcare providers involved in the patient’s care or treatment.

Additionally, in Florida, absent a specific written release or authorization permitting use of patient information for solicitation, marketing, the sale of goods, or services, use of  PHI for those purposes is prohibited.

For medical records to be furnished to people outside of this list, the patient must provide written authorization for medical records release. For example, under Florida law, absent a specific written release or authorization permitting utilization of patient information for solicitation or marketing the sale of goods or services, any use of that information for soliciting or marketing is prohibited.

Are there Exceptions to When a Florida Medical Release Form is Required?

Under Florida law, medical records may be furnished without written authorization under the following circumstances:

  • To any person, firm, or corporation that has furnished care or treatment to the patient with the patient’s consent; or
  • When a compulsory medical exam is made as part of a lawsuit. These exams are required when the medical condition of a party is in dispute. When such an exam is made, copies of the medical exam report, and the medical records used to create the report, must be given to both a plaintiff and a defendant.
  • When a court issues a subpoena to a party in a lawsuit. A subpoena is a court order requiring a party to do something. In this instance, the “something” is requiring the party to provide that party’s medical records to the other party.
  • For statistical and scientific research, provided the information is abstracted in such a way as to protect the identity of the patient, or provided written permission is received from the patient or patient’s legal representative.
  • To a regional poison control center for purposes of:
    • Treating a poison episode under evaluation;
    • Case management of poison cases; or
    • Compliance with data collection and reporting requirements set forth in Florida’s regional poison control center reporting law. 
  • To the Florida Department of Children and Families or its agents, for the purpose of investigation of or services for cases of abuse, neglect, or exploitation of children or vulnerable adults.

Florida medical release form requires patients to input their name, date of birth, and residence. The Florida medical release form also provides a space for the patient to write down the name of the provider or organization to whom the patient authorizes medical records disclosure. The form also informs the patient that the authorization will remain in effect until the patient withdraws it, and that a patient can revoke at any time by giving written notice to the person or organization it previously authorized.

Let’s Simplify Compliance

Do you know what release forms you need for your state? We can help!

Learn More