Skip to main content
Pike is not a lawyer. We share legal information — not legal advice.Privacy policy
PIKE
Family

HIPAA Authorization

Lets a specific person — a family member, lawyer, or caregiver — receive your medical records from a specific provider. Federal form (45 CFR § 164.508) — same in every state.

1 documentsAbout 5 minutes10 questions to answer
What's in the pack
HIPAA Authorization to Release Medical Information
Federal form, 1 page
01
Pike doesn't sign for you.These documents are drafted from the facts you provide. You read them, you sign them, you send them. Pike never claims to be your lawyer.
Save and come back any time.

HIPAA's privacy rule was written to keep your medical information out of the wrong hands. The same rule keeps it out of the right hands too, unless you sign one specific form telling your provider otherwise.

Who this pack is for

You need someone — a parent, spouse, adult child, attorney, caregiver, or insurance broker — to receive medical records that a specific provider holds about you. You're tired of being on the phone, you want a paper trail, and you want the provider to release records without HIPAA-flagging the request as a privacy violation. The pack drafts a release that names the provider, names the recipient, scopes the records that are covered, and sets an expiration date. The federal HIPAA Privacy Rule (45 C.F.R. § 164.508) lays out exactly what the form must include; this pack mirrors that.

When to use it

Use it when you need a third party to coordinate care, handle a claim, prepare for a legal matter, or simply have access to records on your behalf. Examples: an adult child managing an aging parent's appointments, a spouse who needs records for an insurance dispute, an attorney building an injury case, a financial advisor reviewing medical bills, or a new doctor requesting your prior history. It's also a good companion to a healthcare directive — name your healthcare agent on a HIPAA release for the same provider so the agent can actually get the records they need to advocate for you.

What it doesn't cover

This is a release of records, not a grant of decision-making authority. The recipient can read your records but cannot consent to your treatment or speak for you medically — for that you need a healthcare directive or healthcare power of attorney. It does not cover psychotherapy notes (which require a separate, specific authorization under 45 C.F.R. § 164.508(b)(3)), substance use disorder records (which are subject to 42 C.F.R. Part 2 and require their own form), or HIV/AIDS records in some states with stricter laws than HIPAA. It applies only to the named provider — for records from a second provider, you sign a second form.

State-specific notes

Rules vary by jurisdiction. Below are notes for the states where hipaa authorization runs into the most variance. If your state isn't listed, default to your state's tenant-rights handbook or local legal aid.

California (CA)
California's CMIA (Confidentiality of Medical Information Act, Cal. Civ. Code § 56) is stricter than HIPAA in several places. A CMIA-compliant release should also identify the type of information being released and have an expiration not to exceed one year from the date of signing for marketing-type releases. The pack form satisfies both regimes.
New York (NY)
New York requires its own state-specific form (OCA-960) for HIV-related information; HIPAA is not enough. For mental health records, NY Mental Hygiene Law adds another layer — providers may insist on a specific MHL-2 form. Confirm with the provider what forms they require beyond a generic HIPAA release.
Texas (TX)
Texas has its own medical privacy law (HB 300) that closely mirrors HIPAA but adds penalties. A HIPAA-compliant release like the pack form is generally sufficient for any Texas provider, but psychotherapy notes and HIV/AIDS records still require additional specificity per state law.
Florida (FL)
Florida requires HIV/AIDS authorizations to specifically reference HIV-related information by name (Fla. Stat. § 381.004(2)(e)). A general HIPAA release will not authorize release of HIV records unless that disclosure is expressly identified.

Common questions

How long does the authorization last?
Whatever expiration you write on it, up to a sensible maximum (typically one year). HIPAA does not specify a maximum, but providers will scrutinize releases with no expiration or with very long expirations, and may refuse them as not 'specific.' The pack form requires you to fill in an expiration date.
Can I revoke the release after I've signed it?
Yes, in writing, at any time. Revocation does not undo any disclosure the provider already made before they received the revocation — so if your records have already been sent to the recipient, the revocation stops future releases but doesn't claw back the past ones. Send the revocation to the provider's privacy officer; the pack drafts a revocation letter you can send.
What can I list under 'records covered'?
Be specific. 'All records' is generally accepted but providers will sometimes redact or refuse if the scope is too broad. Common scopings: 'records relating to my [specific condition or surgery]'; 'records from [date range]'; 'office visit notes, lab results, and imaging from [date range]'. The more specific you are, the faster the records come.
Can the recipient share the records with someone else?
Once disclosed under a HIPAA authorization, the records may no longer be protected by HIPAA. The recipient can re-disclose unless something else (like a separate confidentiality agreement) restricts them. If you're sending records to an attorney, attorney-client privilege protects the records; if you're sending to a family member, there's no automatic restriction. Limit the scope to what's needed.
What if the provider refuses to release records?
First, confirm the form has all the elements 45 C.F.R. § 164.508(c) requires: patient name, recipient, description of records, purpose, expiration, signature. If those are present, the provider must comply (with limited exceptions for psychotherapy notes and a few others). Second, you can file a complaint with the Office for Civil Rights at HHS — that's HIPAA's enforcement arm. Most providers comply once a complaint is filed because the penalties for ignoring a valid release are real.
Can a parent sign for a minor child?
Yes for most records. The exceptions: in many states, a minor can independently consent to (and withhold parental access to) records relating to reproductive care, mental health treatment, and substance use treatment. Once a child reaches age 18, the parent's authority ends — even if the parent is still paying bills, the parent needs a HIPAA release signed by the now-adult child to access the records.
What's the difference between a HIPAA release and a medical records request?
A HIPAA release authorizes the provider to send records to a named recipient. A records request is you asking for your own records — that's a different right under HIPAA (you can request your own at any time, and the provider must respond within 30 days, often charging a per-page fee). If you want records for yourself, send a records request. If you want records sent to a third party, send the release.

Sources

Primary legal sources cited above. These link to free, public versions of the statutes, regulations, and case law referenced in this pack.

Pike provides plain-language legal information, not legal advice. State and local rules change. If money, custody, or your housing is on the line, talk to a licensed attorney or your local legal aid office.