Authorization for Use and Disclosure of Protected Health Information

Due to changes in federal law, a revised release of information disclosure form must be used for all requests for personal health information.

Please print this form, fill it out completely and take it to your physician clinic or our Medical Release of Information Office.

The federal government published the standards for privacy of individually identified health information on December 28, 2000. These standards are also known as the HIPAA privacy rule. The rule establishes standards for information disclosure - including what constitutes a valid authorization. Below is an overview of this information for future reference. As of April 14, 2003, each hospital will need to comply with the new HIPAA rules.

The central HIPAA rule (Section 164.508) pertaining to the release of health information states that a valid authorization for the release of patient information must be in plain language and contain the following elements:

  • A specific and meaningful description of the information to be disclosed
  • the name of the covered entity (hospital) or individual authorized to make the disclosure
  • the name of the covered entity or person to whom the hospital or individual can make the disclosure
  • an expiration date or event that relates to the individual or the purpose of the use or disclosure
  • a statement of the individual's right to revoke the authorization in writing
  • a statement about the exceptions to the right to revoke
  • a description of how the individual may revoke the authorization
  • a statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by the rule
  • signature of the individual
  • the date
  • if the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual.

The authorization for release of information is not valid, according to the privacy rule, if the authorization has any of the following defects:

  • the expiration date or event has passed
  • the authorization has not been filled out completely with respect to the required content listed above
  • the authorization is known by the covered entity to have been revoked
  • the authorization is a prohibited type of compound authorization (must not be combined with any other document or request)
  • any material information in the authorization is known by the hospital to be false.