A medical release is a signed document that gives a healthcare provider permission to share your protected health information with a specific person or organization. Without one, federal privacy law (HIPAA) generally prevents doctors, hospitals, and insurance plans from disclosing your records to outside parties. You’ll encounter these forms in a wide range of situations, from transferring to a new doctor to filing an insurance claim or providing records for a lawsuit.
How a Medical Release Works
Under HIPAA, your health information is considered “protected” and can only be shared in limited circumstances. A medical release, formally called a HIPAA authorization, permits but does not require a healthcare provider to disclose your records to whoever you specify. This is different from your general right to access your own records, which providers are legally obligated to fulfill without a formal authorization. The release is specifically for situations where your information needs to go to a third party: an attorney, another doctor outside your care team, an employer, or an insurer.
The key distinction is control. You decide who gets your information, what information they get, and for how long. No one can condition your medical treatment, insurance enrollment, or eligibility for benefits on whether you sign a release.
What a Valid Release Must Include
For a medical release to be legally valid under HIPAA, it needs several specific elements. Missing any of these can make the form unenforceable:
- Who can disclose and who can receive: The form must name both the provider sharing the information and the person or organization receiving it.
- Description of the information: A specific, meaningful description of what health information is being released, not just “all records.”
- Purpose of the disclosure: Why the information is being shared (for a legal case, insurance claim, etc.).
- Expiration date or event: A clear endpoint, such as a specific date or a triggering event like the conclusion of a lawsuit.
- Your signature and the date: The authorization must be signed and dated by you (or your legal representative).
- Right to revoke: The form must explain that you can cancel the authorization and describe how to do so.
- Conditions statement: Language confirming that your treatment or benefits won’t depend on whether you sign.
If someone hands you a release form that’s missing any of these elements, it’s not a valid authorization, and a provider isn’t supposed to act on it.
Common Situations That Require One
The most frequent scenario is a legal proceeding. Courts across the country use standardized HIPAA-compliant release forms designed for litigation. New York State, for example, developed a standard form in collaboration with medical providers and the legal community specifically for releasing health records in court cases. These forms can also be used before a lawsuit is formally filed, whenever an attorney needs medical documentation to evaluate or build a case.
Other common situations include transferring records to a new specialist who isn’t already part of your care team, sharing information with a life or disability insurance company, providing documentation for a workers’ compensation claim, or allowing a family member to communicate with your providers on your behalf. The scope can range from a single test result to your entire medical record, including office notes, imaging studies, billing records, insurance records, and documents sent by other providers.
When a Release Is Not Required
Your providers can share your health information without your signed authorization in several important situations. The biggest category is treatment, payment, and healthcare operations. When your primary care doctor refers you to a specialist, those two providers can exchange your records without a release. When a hospital submits a claim to your insurance company, no authorization is needed. Quality assurance reviews, fraud detection, credentialing, and care coordination all fall under this umbrella too.
Providers can also disclose information without authorization in certain public interest situations, such as reporting communicable diseases to health departments or responding to a court order. The point of the release form is to cover situations that fall outside these built-in exceptions, where an outside party wants access to your records and there’s no other legal basis for sharing them.
How to Revoke a Medical Release
You can cancel any authorization you’ve signed at any time. The revocation must be in writing, and it takes effect the moment the healthcare provider receives it, not when you send it or when a third party (like your attorney) gets a copy. If you submitted the release through a lawyer or another intermediary, make sure the revocation goes directly to the provider who holds your records.
There’s one important limitation: revoking your authorization doesn’t undo disclosures that already happened. If the provider already shared your records in good faith while the release was active, that disclosure stands. The release form itself is required to explain the revocation process clearly, either on the form or by directing you to the provider’s privacy practices notice.
Fees for Releasing Records
Providers can charge you a reasonable, cost-based fee when you request copies of your records, but HIPAA limits what those fees can cover. The allowable costs include labor for copying (paper or electronic), supplies like a CD or USB drive if you request portable media, and postage if you want copies mailed. If you agree to receive a summary instead of full records, the provider can also charge for preparing that summary.
Providers cannot fold in the cost of searching for your records, maintaining their data systems, verifying your identity, or any infrastructure expenses, even if state law would otherwise allow those charges. Some states set their own per-page caps or annual fee schedules. South Carolina, for instance, adjusts its maximum fee annually based on the regional Consumer Price Index. If a provider’s charges seem unusually high, it’s worth checking your state’s specific rules.
Your Right to Access vs. a Release
There’s an important difference between requesting your own records and authorizing someone else to receive them. You have a legal, enforceable right under HIPAA to see and receive copies of your health information. Providers must fulfill this request; it’s not optional on their part. For this type of request, a provider cannot require you to fill out a formal HIPAA authorization form, because the authorization asks for more information than is necessary and could create an obstacle to exercising your access rights.
This matters in practice. If you’re simply requesting your own records, or directing a copy to a third party as part of your access rights, the provider should process that under the access rules, not treat it like a third-party disclosure requiring a full authorization. If a provider insists on a HIPAA authorization just for you to see your own chart, that’s a red flag. Federal guidance is clear that this kind of requirement can be an impermissible barrier to your rights.
Digital Records and Information Blocking
Federal rules under the 21st Century Cures Act now prohibit “information blocking,” meaning healthcare providers and health IT companies cannot unreasonably delay or restrict the flow of electronic health information. When you or someone you’ve authorized requests records electronically, the provider must fulfill that request without unnecessary delay and in a format that’s usable. If the requested technology or standard isn’t available, the provider must work through a priority list of alternative digital formats before falling back to less accessible options. These rules reinforce the principle that your health information belongs to you, and the systems holding it shouldn’t create unnecessary friction when you need it released.

