Free HIPAA Consent Form — Medical Records Release Authorization
A legally compliant HIPAA authorization form for the release and disclosure of Protected Health Information (PHI). Meets all 9 required elements under 45 CFR § 164.508. Used by patients, healthcare providers, attorneys, insurers, and employers. Lawyer-reviewed, instant PDF download, no signup required.
HIPAA authorizations for the use or disclosure of Protected Health Information are governed by the HHS HIPAA Privacy Rule, 45 CFR § 164.508. This form includes all elements required under § 164.508(c) and all required statements under § 164.508(c)(2). The OCR (Office for Civil Rights) at HHS enforces HIPAA violations with civil and criminal penalties.
Advertisement
What Is a HIPAA Consent Form?
A HIPAA consent form — technically called a HIPAA Authorization under 45 CFR § 164.508 — is a written document that allows a covered entity (hospital, doctor, health plan, pharmacy) to use or disclose a patient's Protected Health Information (PHI) for a purpose beyond routine treatment, payment, or healthcare operations.
HIPAA authorization is required whenever PHI is shared outside the normal care relationship. This includes releasing medical records to an attorney for a personal injury case, sharing health information with an employer for disability accommodation, authorizing a family member to access records, disclosing information to a life insurance company, or sharing data for research purposes. Without a properly executed HIPAA authorization, disclosing PHI for these purposes is a federal violation.
Important distinction: A HIPAA authorization is not the same as the general "Consent to Treatment" form you sign when you first visit a doctor. Consent to treatment covers routine care. HIPAA authorization covers disclosure of your records outside of routine care. This template is the HIPAA authorization form required for medical records release.
The 9 Required Elements of a Valid HIPAA Authorization
Under 45 CFR § 164.508(c)(1)-(2), every HIPAA authorization form must contain all of the following elements. Our template includes each one:
1
Description of PHIA specific and meaningful description of the health information to be used or disclosed.
2
Person Authorized to DiscloseName or class of persons authorized to make the requested use or disclosure.
3
Recipient of PHIName or class of persons to whom the covered entity may make the disclosure.
4
Purpose of DisclosureA description of the purpose of the requested use or disclosure.
5
Expiration Date or EventEither a specific date or a describing event after which the authorization expires.
6
Patient Signature & DateSignature of the individual or their personal representative, plus the date.
7
Right to RevokeNotice that the patient may revoke the authorization in writing at any time.
8
Conditioning NoticeNotice whether treatment, enrollment, or eligibility is or is not conditioned on signing.
9
Re-disclosure WarningNotice that PHI disclosed may be re-disclosed and no longer protected by HIPAA.
Advertisement
HIPAA Authorization Form
Authorization for Use or Disclosure of Protected Health Information — 45 CFR § 164.508. All data stays in your browser.
HIPAA § 164.508
✓Your HIPAA authorization is complete. Click Generate PDF to download.
§ 164.508(c)(1)(vi) Section 1 — Patient / Individual Information
The following statements are required by 45 CFR § 164.508(c)(2) and are automatically included in your PDF. Please read carefully before signing.
Right to Revoke: You may revoke this authorization at any time by submitting a written request to the covered entity listed in Section 2. Revocation will not apply to information already released in reliance on this authorization prior to written revocation.
Conditioning Notice: Unless otherwise stated, the healthcare provider will not condition treatment, enrollment, or eligibility for benefits on whether you sign this authorization (with limited exceptions for research-related treatment or certain insurance underwriting).
Re-Disclosure Warning: Information disclosed pursuant to this authorization may be re-disclosed by the recipient and may no longer be protected by the HIPAA Privacy Rule.
Section 8 — Patient Acknowledgments
Personal Representative Information (§ 164.508(c)(1)(vi))
§ 164.508(c)(1)(vi) Section 9 — Signature *
✍ Print, sign by hand, and submit to the healthcare provider in Section 2
Fax or electronic submission accepted by most providers — check with your provider's Health Information Management (HIM) department
🔒 All data stays in your browser. Nothing is transmitted to our servers. This form is for patient use — providers should use their own HIPAA-compliant forms.
When Do You Need a HIPAA Authorization Form?
You need a HIPAA authorization form anytime your Protected Health Information (PHI) will be shared outside of treatment, payment, and standard healthcare operations. Here are the most common scenarios where patients are asked to complete a HIPAA authorization:
⚖️
Legal & Personal Injury Cases
Attorneys filing personal injury, workers' comp, or disability claims need your medical records to build your case. A HIPAA authorization releases records directly to your attorney or the opposing counsel.
🏢
Employer & Disability Accommodation
Employers requesting medical documentation for FMLA leave, disability accommodation under the ADA, or return-to-work clearances require HIPAA authorization before your provider can share health information. See also: drug test consent form.
🛡️
Insurance Applications & Claims
Life, health, disability, and long-term care insurance companies require HIPAA authorization to review your medical history during underwriting or to process a benefit claim.
👨👩👧
Family Members & Caregivers
A parent, adult child, or caregiver who needs to access a patient's records must have written HIPAA authorization if the patient is a competent adult. See also: medical consent for minor.
🔬
Research Studies
Clinical trials and academic research involving identifiable patient information require HIPAA authorization plus IRB consent. See also: survey consent form for non-medical research.
🏫
Schools, Sports & Activities
Athletic clearances, school enrollment, and some educational programs request a student's health information. HIPAA authorization is required before any provider can share student health records with a school.
✈️
Travel & International Care
International travel with complex medical needs may require sharing records with foreign providers. Combine with a child travel consent form when traveling with minors who have medical conditions.
🏥
Second Opinions & Specialist Referrals
While providers can share records within the care team without authorization, transferring records to an outside specialist, second-opinion provider, or a new primary care physician often requires a formal HIPAA release.
HIPAA Violations — What Providers Risk Without Proper Authorization
The HHS Office for Civil Rights (OCR) enforces HIPAA with a tiered civil penalty structure and refers cases with willful neglect to the Department of Justice for criminal prosecution:
Civil Penalties (per violation, per calendar year)
$100–$50,000Unknown violation (no knowledge)
$1,000–$50,000Reasonable cause (not willful neglect)
$10,000–$50,000Willful neglect — corrected
$50,000 minimumWillful neglect — not corrected
Criminal penalties under 42 U.S.C. § 1320d-6 range from up to 1 year in prison for basic violations to up to 10 years for disclosures with intent to sell PHI. Providers who fail to obtain a valid HIPAA authorization before releasing PHI face serious legal and financial exposure.
Related Medical & Authorization Forms
If your situation involves a specific consent scenario, one of these specialized templates may be more appropriate:
A HIPAA authorization form (45 CFR § 164.508) is required anytime a healthcare provider, health plan, or clearinghouse will disclose a patient's Protected Health Information for a purpose beyond routine treatment, payment, or healthcare operations. Common triggers include sharing records with an attorney, insurer, employer, family member, or researcher. Without a signed authorization, these disclosures are federal HIPAA violations enforced by the HHS Office for Civil Rights.
Under 45 CFR § 164.508(c), a valid HIPAA authorization must include: (1) description of PHI; (2) person authorized to disclose; (3) recipient of PHI; (4) purpose of disclosure; (5) expiration date or event; (6) patient signature and date; (7) right to revoke notice; (8) conditioning notice; and (9) re-disclosure warning. Missing any of these elements makes the authorization defective and non-compliant. Our form includes all nine.
Yes. Under 45 CFR § 164.508(b)(5), you may revoke your HIPAA authorization at any time by submitting a written revocation to the covered entity. However, revocation does not apply to PHI already disclosed in reliance on the authorization before you revoked it — those releases cannot be undone. The covered entity must act on your revocation promptly. This right to revoke is stated in Section 7 of our HIPAA authorization form.
Protected Health Information includes any information that identifies an individual and relates to their past, present, or future physical or mental health condition, healthcare, or payment for healthcare. This includes: medical records and diagnoses, test results, prescriptions, billing records, and any other information that could identify a patient. HIPAA applies to PHI held by covered entities (hospitals, doctors, health plans, pharmacies) and their business associates.
Mental health records are covered by HIPAA but some states provide additional protections beyond HIPAA's minimum requirements. Substance use disorder records in federally assisted programs are subject to even stricter regulations under 42 CFR Part 2, which requires more specific authorization language than HIPAA. Our form includes checkboxes for both mental health records and substance use disorder records — for the latter, consult an attorney about whether 42 CFR Part 2 applies to your situation.
The authorization is valid for the period specified in Section 6. Under 45 CFR § 164.508(c)(1)(v), every HIPAA authorization must include either a specific expiration date or a describing expiration event (e.g., "one year from date of signing" or "end of the research study"). Authorizations without an expiration provision are HIPAA-defective. Once expired, the covered entity may no longer rely on the authorization to make disclosures.
Legal Disclaimer: This HIPAA authorization form template is provided for informational and general use purposes only. While it is designed to include all elements required under 45 CFR § 164.508, HIPAA compliance depends on the specific circumstances of each use and disclosure. Healthcare providers must maintain their own HIPAA-compliant policies and procedures. For legally complex situations — including substance use disorder records governed by 42 CFR Part 2 or state law requirements stricter than HIPAA — consult a healthcare attorney. This form is not a substitute for professional legal or compliance advice.