7 times you need to use a HIPAA medical records release form


According to the U.S. Department of Health & Human Services (HHS), as of mid 2018, that’s how many HIPAA violations have been investigated. Almost 70 percent of these investigations resulted in corrective action.

Such corrective actions include penalties that can cost as much as $50,000 per violation and up to $1.5 million per violation type.

The worst part is, you don’t have to know you’re doing anything wrong in order to be fined. According to HHS, a first-tier offense is “a violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.” Basically, even if you couldn’t have avoided it, you can still be fined for it.

One way to avoid being fined is by correctly using HIPAA medical records release forms. Let’s look at seven instances that require signed release forms from your patients.

Pro Tip

Create online HIPAA-friendly medical release forms for your practice with Jotform. Collect patient information and e-signatures from any device.

1. When a third party requests PHI

There are a lot of reasons why a third party may need to request protected health information (PHI). For example, an insurance company may need to underwrite a new life insurance policy or a family member may need to help make treatment decisions.

In these cases, you’ll need to have your patient sign a HIPAA medical records release form. This will protect the patient’s PHI and protect your organization from noncompliance.

The exceptions

You don’t need to have a signed form when releasing PHI to:

  • Health insurance for prior authorization
  • The claims department for claims payment
  • A treating physician or facility

These are all part of standard healthcare operations and don’t require a signed release form. In these cases, requiring a release form could actually do more harm since it could delay payments and compromise patient care.

2. When PHI is used for marketing or fundraising

Generally, you shouldn’t share any identifying information on social media. If people could even remotely connect the dots back to the patient, you’re violating HIPAA. The same goes for your marketing and fundraising efforts.

But there are some exceptions. For example, children’s hospitals can, and often do, show recovering children in their commercials when they request donations. Or if a patient underwent a cosmetic or corrective treatment, they might be asked to provide a video or written testimonial.

In these cases, the patient must sign a HIPAA medical records release form first.

The exceptions

If the patient shares their experience face to face, they don’t need to sign a release form. For example, a patient who appears at an event and discusses their experience wouldn’t need to sign a form.

3. Before sharing PHI with a research group

Without access to medical records, researchers have trouble making breakthroughs. But before sharing PHI with researchers, your patient will need to sign a HIPAA medical records release form.

4. When the patient’s release form has expired

Normally, release forms fulfill one-time needs, such as releasing information to a family member in connection with a specific procedure. In some cases, the form may even have an expiration date attached to it to make sure it isn’t misused in the future.

If a release form has expired, or you have to use it for something that goes beyond its original purpose, then you need to have the patient sign a new form.

5. When the patient revokes a previously signed form

A patient can revoke their release form at any time. If they decide to revoke a release form, then you’ll need them to sign a new one before sharing their PHI.

6. When the form is incomplete or inaccurate

Every form should be checked for completeness and accuracy. If it’s missing information, then your patient will need to complete a new release form.

If an incomplete or inaccurate form does slip through, stop using it immediately and get a new form signed.

7. When permission is given in conjunction with other permissions

This one is tricky. It’s no surprise that some industries sneak clauses into a long form or statement, knowing that most people will sign without reading the whole thing.

This is strictly prohibited under HIPAA law. Your HIPAA medical records release form can’t be combined with any other authorizations.

If you mistakenly combined your forms or permissions, then you’ll need to get a new form signed for the purpose of sharing medical records.

Simplify patient intake with electronic HIPAA-friendly medical records release forms

The penalties for HIPAA violations are steep. Some healthcare providers can’t afford even one fine. To protect yourself and your patients, you need to be aware of the situations that require a signed release form.

Many practices have found that electronic forms help them maintain complete and accurate forms for their records. Learn how HIPAA-friendly forms can become part of the patient intake process.

Just so you know

If your organization is fighting against COVID-19, you can apply for a free, unlimited, HIPAA-friendly Jotform account with our Coronavirus Responder Program.
