Authorization To Disclose PHI Template for the United States


What is an Authorization To Disclose PHI?

The Authorization To Disclose PHI is a crucial document in U.S. healthcare privacy compliance. Required by HIPAA and state privacy laws, this authorization form serves as the patient's explicit permission for sharing their protected health information. It's necessary whenever protected health information needs to be shared with other parties for purposes other than treatment, payment, or healthcare operations. The document must specify what information can be shared, with whom, for what purpose, and for how long. It must also inform patients of their right to revoke the authorization and of any potential for redisclosure of the information.

Frequently Asked Questions

Is an Authorization to Disclose PHI legally binding under HIPAA in the United States?

Yes, an Authorization to Disclose PHI is legally binding under the HIPAA Privacy Rule in the United States. Once signed by the patient, healthcare providers are legally required to follow the authorization's specific terms and limitations. The authorization creates enforceable patient rights and provider obligations that must be honored according to federal HIPAA regulations.

Can healthcare providers share my medical information without an Authorization to Disclose PHI?

Healthcare providers can only share your medical information without authorization for treatment, payment, or healthcare operations as defined by HIPAA. Any disclosure outside these purposes requires a signed Authorization to Disclose PHI form. Violations can result in significant federal penalties and potential criminal charges under HIPAA regulations.

How long does it take to properly complete an Authorization to Disclose PHI form?

Completing an Authorization to Disclose PHI form typically takes 10-15 minutes when all required information is available. The process involves specifying exact information to be disclosed, identifying recipients, setting expiration dates, and obtaining proper signatures. Review time may add several minutes to ensure all HIPAA-required elements are correctly included.

Which specific elements must be included in a HIPAA-compliant Authorization to Disclose PHI?

Under HIPAA, the authorization must include: specific PHI to be disclosed, purpose of disclosure, authorized recipients, expiration date or event, patient's right to revoke, and consequences of refusing to sign. The form must also include the patient's signature, date, and if applicable, personal representative authority documentation to meet federal compliance requirements.

How does an Authorization to Disclose PHI differ from a medical records release form?

An Authorization to Disclose PHI is the HIPAA-compliant federal standard that replaced general medical records release forms. While medical records releases may still be used informally, only HIPAA authorizations provide legal protection under federal law. The HIPAA authorization has specific required elements and formatting that general release forms typically lack.

Can patients revoke an Authorization to Disclose PHI after signing it?

Yes, patients can revoke an Authorization to Disclose PHI at any time by submitting written notice to the healthcare provider. However, the revocation cannot affect disclosures already made in reliance on the authorization before revocation. Healthcare providers must honor the revocation for all future disclosures once they receive proper written notice.

Which common mistakes invalidate an Authorization to Disclose PHI under HIPAA?

Common invalidating mistakes include missing expiration dates, vague descriptions of information to be disclosed, failing to specify authorized recipients, missing required patient rights statements, or using outdated non-HIPAA compliant forms. Additionally, blank signature lines, missing dates, or unauthorized person signatures will make the authorization legally invalid under federal HIPAA requirements.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI


A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI


A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use


About the Authorization To Disclose PHI

An Authorization To Disclose PHI (Protected Health Information) is a legal document required under United States federal law that allows healthcare providers to share your medical information with specific third parties. Under the HIPAA Privacy Rule, healthcare providers cannot disclose your protected health information without your explicit written authorization, except for treatment, payment, and healthcare operations.

When do you need this document?

You need an Authorization To Disclose PHI whenever your medical information must be shared outside the standard healthcare framework. This includes sharing medical records with insurance companies for disability claims, providing health information to employers for workplace accommodations, releasing medical data to attorneys for legal proceedings, or allowing family members access to your health records. Healthcare providers also require this authorization when sharing information for research purposes, marketing activities, or with third-party services not directly involved in your care.

Key legal considerations

The authorization must include specific required elements to be legally valid under HIPAA. You must clearly identify what specific health information can be disclosed, who is authorized to receive it, and the purpose for the disclosure. The document must specify an expiration date or triggering event that ends the authorization. Importantly, you retain the right to revoke the authorization at any time by providing written notice to your healthcare provider, though this doesn't affect disclosures already made. The form must also warn you that the recipient may redisclose your information and that redisclosed information may not be protected by federal privacy rules. Healthcare providers cannot condition treatment on your signing an authorization, except in limited circumstances like research studies or when treatment is specifically to provide health information to a third party.

Legal requirements in United States

Under the HIPAA Privacy Rule, all authorizations must be written in plain language and include core elements such as patient identification, description of information to be disclosed, identification of authorized recipients, purpose of disclosure, expiration date, and patient signature with date. The HITECH Act strengthened these requirements by imposing stricter penalties for violations and requiring breach notifications. State laws may impose additional requirements beyond federal HIPAA standards, so compliance with both federal and state regulations is essential. Healthcare providers must retain signed authorizations and provide copies to patients upon request. The authorization becomes part of the medical record and must be maintained according to federal and state record retention requirements. Violations of these requirements can result in significant civil and criminal penalties under HIPAA enforcement rules.

GOVERNING LAW

Applicable law

This Authorization To Disclose PHI is drafted to comply with United States law. Key legislation includes:

HIPAA Privacy Rule: Primary federal regulation governing the use and disclosure of protected health information (PHI), establishing standards for patient privacy rights and authorization requirements

HIPAA Security Rule: Sets national standards for securing electronic protected health information, including technical, physical, and administrative safeguards

HIPAA Enforcement Rule: Establishes procedures for compliance and investigations, along with penalties for violations of HIPAA Privacy and Security Rules

HITECH Act: 2009 legislation that strengthens privacy and security protections for health information and strengthens the enforcement of HIPAA rules

State Privacy Laws: State-specific regulations that may impose additional or stricter requirements for health information privacy and disclosure authorization

42 CFR Part 2: Federal regulations providing additional privacy protections for substance use disorder treatment records

Plain Language Requirement: Authorization must be written in clear, understandable language avoiding complex legal terminology

PHI Description Requirement: Authorization must specifically describe what protected health information will be disclosed

Disclosure Parties Identification: Authorization must clearly identify who is authorized to disclose the information and who will receive it

Expiration Requirement: Authorization must include either an expiration date or expiration event

Revocation Rights: Authorization must include a statement explaining the individual's right to revoke the authorization

Redisclosure Notice: Authorization must include a statement that information may be subject to redisclosure by the recipient

Signature Requirements: Authorization must include the individual's signature and date of signing to be valid

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it