Purpose

This guide explains how to legally authorize a trusted friend, family member, or representative to access your medical records from your doctor or healthcare provider under HIPAA regulations.

Key Methods for Authorization

1. HIPAA Authorization Form (Most Common)

A HIPAA authorization form is a legal document that allows you to give permission to specific individuals to access your medical records and discuss your health with doctors and healthcare providers.

When Required:

  • Before protected health information (PHI) can be shared with anyone for reasons other than treatment, payment, or healthcare operations
  • When you want a friend or family member to pick up medical records on your behalf
  • When you need someone to discuss your medical condition with your doctors

How to Obtain:

  • Request a form from your doctor’s office or healthcare facility
  • Download templates from healthcare providers or HIPAA compliance websites
  • Some states have specific form requirements

2. Healthcare Power of Attorney (POA)

A Healthcare Power of Attorney designates a “personal representative” who has broader authority under HIPAA to act on your behalf in making healthcare decisions and accessing medical records.

Advantages:

  • Provides comprehensive authority beyond just record access
  • Can include authority to make medical decisions
  • Can be set to take effect immediately (not just when incapacitated)
  • Legal document recognized across healthcare settings

Recommendation: Grant authority to act immediately so the agent can request medical records even if you haven’t been proven incapacitated.

3. Proxy Access Through Patient Portals

Many healthcare providers offer proxy access through online patient portals, allowing you to share digital access to your medical records.

How It Works:

  • Log into your patient portal account
  • Add the person as an authorized proxy
  • They receive their own login credentials
  • They can view records, test results, and sometimes communicate with providers

Limitations: Only provides access through that specific healthcare system’s portal.

4. Direct Patient Request

You have the right to request that your records be shared or directed to a designated person or institution.

Process:

  • Send a written request to your healthcare provider
  • Specify who should receive the records
  • Include your signature and authorization details

This is often the simplest method for one-time record sharing.

5. Verbal Authorization (Limited Circumstances)

Under HIPAA Privacy Rule 45 CFR 164.510(b), healthcare providers can share information with family members, friends, or others you identify if:

  • The information is directly relevant to their involvement in your care or payment
  • You provide verbal permission or don’t object when given the opportunity
  • You’re present or otherwise available

Limitations: Only for information directly relevant to that person’s involvement in your care, not for full medical record access.

Required Elements in a HIPAA Authorization Form

Every valid HIPAA authorization form must include:

Patient Information

  • Full name, date of birth, and address

Provider/Facility Information

  • Name of the doctor, hospital, or medical facility releasing the records

Recipient Information

  • Complete name of the individual or organization receiving the records
  • Appropriate address

Description of Information

  • Specific types of records being released (medical history, lab results, imaging, etc.)
  • Date ranges if applicable

Purpose of Disclosure

  • Clear reason for sharing (e.g., “at my request,” “continuing care,” “legal representation”)

Expiration Date or Event

  • Specific date when authorization expires
  • OR a specific event that triggers expiration (e.g., “upon completion of treatment”)

Sensitive Information (Special Authorization Required)

Information requiring specific initials or separate authorization:

  • Alcohol and drug abuse treatment records
  • Mental health treatment records (except psychotherapy notes)
  • Confidential HIV-related information

Patient Rights Disclosure

The form must inform you of:

  • Your right to revoke the authorization and how to do so
  • Your right to be free from retaliation for refusing to sign
  • That signing is voluntary
  • That your treatment cannot be conditioned on signing (except in specific legal circumstances)

Signature and Date

  • Patient signature (or legal representative)
  • Date signed

Important Considerations

Revocation Rights

  • You can revoke or change authorization at any time
  • Submit written notice to the healthcare provider
  • Revocation doesn’t affect information already disclosed

State Variations

  • Some states have additional requirements beyond federal HIPAA
  • Check with your healthcare provider about state-specific forms
  • State laws must be at least as protective as HIPAA

Special Circumstances

  • Minors: Parents/guardians typically have automatic access, but laws vary by state and situation
  • Deceased Patients: Different rules apply; personal representatives may need additional documentation
  • Incapacitated Patients: Healthcare POA or legal guardianship documentation required

Privacy and Security

  • Only authorize access to the minimum information necessary
  • Specify limited time periods when possible
  • Keep copies of all authorization forms
  • Monitor who has access and revoke when no longer needed

Practical Steps to Authorize a Friend

  1. Contact your doctor’s office and ask for a “HIPAA authorization form” or “medical records release form”

  2. Complete the form including:

    • Your full information
    • Your friend’s complete name and contact information
    • What specific records they can access
    • The purpose of the authorization
    • How long the authorization is valid

  3. Include special authorizations if applicable (mental health, substance abuse, HIV-related information)

  4. Sign and date the form

  5. Submit to your healthcare provider (in person, by mail, or sometimes electronically)

  6. Provide your friend with identification - they’ll need to show ID when requesting records

  7. Keep a copy for your records

Common Use Cases

  • Caregiving: Elderly parent authorizing adult child to manage medical care
  • Medical Emergency Planning: Authorizing trusted friend before surgery or procedure
  • Care Coordination: Allowing family member to gather records from multiple providers
  • Legal Matters: Authorizing attorney or representative for disability, workers’ comp, or legal cases
  • Second Opinions: Authorizing release to another healthcare provider

Workflow: Agent Requesting Records on Your Behalf

When you authorize someone (agent) to get your records from a doctor’s office:

Roles

  • You (Patient): Sign the authorization form
  • Agent: Submits form and requests records
  • Doctor’s Office: Verifies authorization, releases records

Step-by-Step Process

  1. You sign the HIPAA authorization form naming your agent
  2. Agent submits the signed form to the doctor’s office via email, fax, or mail
  3. Doctor’s office verifies:
    • Authorization is complete and signed
    • Agent’s identity (may request copy of ID)
  4. Doctor’s office releases records within 30 days (can extend 30 more with written notice)

What the Provider Can and Cannot Require

Provider CAN Require | Provider CANNOT Require
Written/signed authorization | In-person appearance
Reasonable identity verification | Patient portal as the only option
Their own form (sometimes) | Burdensome or delaying obstacles

Agent Submission Methods

The agent does NOT need to appear in person. HIPAA permits submission via:

  • Email - Scanned PDF or photo of signed form
  • Fax - Still widely accepted
  • Mail - USPS or courier
  • Portal - If provider offers it (but cannot be the only option)

If Provider Creates Barriers

If the doctor’s office unreasonably delays or refuses a valid authorization, file a complaint with the HHS Office for Civil Rights. Providers have been fined for non-compliance.

Frequently Asked Questions

Is there a standard form, or must I get one from my doctor?

You don’t need to get it from your doctor. There is no single federally-mandated form. You can:

  • Download free templates from sites like HIPAA Journal, eForms, or Rocket Lawyer
  • Use your state’s official form (e.g., Texas Attorney General provides one)
  • Use any form that includes all required HIPAA elements

However, some providers prefer their own form. Best practice: call ahead to ask if they accept external forms or require their specific version.

Can I authorize other healthcare providers (specialist, physical therapist, health advisor)?

Yes, absolutely. The HIPAA authorization form works for:

  • Other doctors and specialists
  • Physical therapists, occupational therapists
  • Hospitals and clinics
  • Health advisors and care coordinators
  • Attorneys, insurance companies
  • Any person or organization you designate

In fact, doctors sending records to other treating providers (like a specialist) often don’t even need your written authorization—HIPAA permits sharing for “treatment, payment, or healthcare operations” without a signed form. But having one ensures smooth transfers.

Does my spouse have automatic access?

No automatic access under federal HIPAA. Being married does not automatically grant access to your spouse’s medical records. Your spouse needs:

  • Your explicit written authorization, OR
  • To be designated as your “personal representative” (via Healthcare Power of Attorney)

However, state laws vary:

  • New York: Spouses may be recognized as personal representatives under state law
  • Illinois: Requires Healthcare POA designation for full access
  • Florida: Requires Durable Power of Attorney for Healthcare

What providers CAN share without authorization:

  • General condition and location (e.g., “your spouse is in recovery, room 302”)
  • Information if you’re present and don’t object
  • Emergency situations

Best practice: Complete a HIPAA authorization form naming your spouse to ensure they have access when needed.

How can I submit the authorization form?

HIPAA does not mandate a specific submission method. You can submit via:

  • In person - Hand deliver to the provider’s office
  • Mail - Send via USPS or courier
  • Fax - Still widely accepted in healthcare
  • Email - If the provider accepts it (some require secure email)
  • Electronic/online - Many providers have patient portals with built-in authorization forms

Electronic signatures are valid. The HIPAA Privacy Rule explicitly allows electronic signatures, which can be as simple as:

  • Typed name
  • Checkbox acknowledgment
  • Digital signature

Who dictates the method? The provider typically sets their accepted submission methods. Some are flexible; others require specific formats. Best practice: ask your provider what they accept before submitting.

Tip: If submitting electronically, ensure you can print or save a copy of the signed form for your records.

Can the doctor refuse after I provide authorization?

Generally no—they must comply. Under HIPAA, providers must release records within 30 days of a valid authorization request. They cannot refuse because:

  • You haven’t paid your bill
  • They don’t like who you’re authorizing

Limited exceptions where refusal is allowed:

  • Psychotherapy notes (special protection)
  • Records compiled for legal proceedings
  • Research study records (during active study)
  • If disclosure could cause physical or mental harm to you
  • Prison inmate requests that could compromise safety

If improperly denied: File a complaint with HHS Office for Civil Rights. They have fined providers (e.g., $25,000 penalty against Riverside Psychiatric Medical Group) for wrongful refusal.
