HIPAA Authorization Template, Free Download 2026

This Authorization for Disclosure of Protected Health Information ("Authorization") is executed by the individual identified on the signature page (the "Patient") or by the Patient's authorized personal representative, pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, and the implementing regulations set forth at 45 CFR Parts 160 and 164 (the "Privacy Rule"). The Patient is identified by full legal name, date of birth, address, and telephone number.

If this Authorization is signed by a personal representative on behalf of the Patient, the personal representative shall provide documentation of his or her authority to act on the Patient's behalf, such as a power of attorney for healthcare, court-appointed guardianship order, or, in the case of a minor Patient, proof of parental or legal guardian status, consistent with 45 CFR §164.502(g).

The Patient authorizes the healthcare provider, health plan, or other covered entity identified on the signature page (the "Disclosing Party") to disclose the Patient's protected health information ("PHI") to the individual(s) or entity(ies) identified in Exhibit A (each, an "Authorized Recipient"). The Authorized Recipient's name, address, telephone number, and relationship to the Patient are specified in Exhibit A.

The Patient acknowledges that once PHI is disclosed to an Authorized Recipient who is not a covered entity or business associate under HIPAA, the disclosed information may no longer be protected by the Privacy Rule and may be subject to further disclosure by the Authorized Recipient. The Patient assumes the risk of any subsequent use or disclosure by a non-covered Authorized Recipient.

The Patient authorizes the disclosure of the following categories of PHI, as indicated on the signature page or in Exhibit B: complete medical records; records pertaining to a specific date of service, condition, or treatment; laboratory and diagnostic test results; imaging reports; mental health records (excluding psychotherapy notes as defined in 45 CFR §164.501, unless separately authorized); substance abuse treatment records (subject to 42 CFR Part 2 requirements, if applicable); HIV/AIDS-related information; and/or billing and insurance records.

The Patient understands that the disclosure of certain categories of PHI, including substance abuse treatment records protected by 42 CFR Part 2, psychotherapy notes as defined in 45 CFR §164.501, and HIV/AIDS-related information, may require a separate or more specific authorization under federal or state law. If any such specially protected information is included in the scope of this Authorization, the Patient expressly authorizes its disclosure by checking the applicable box on the signature page.

The Patient may limit the scope of this Authorization to specific dates of service, specific healthcare providers, or specific types of information by specifying such limitations in Exhibit B. The Disclosing Party shall make reasonable efforts to comply with the Patient's stated limitations, consistent with the minimum necessary standard set forth in 45 CFR §164.502(b).

The purpose of the authorized disclosure is as specified on the signature page, which may include but is not limited to: continuity of care and treatment coordination; insurance or benefits determination; legal proceedings; personal records; employment purposes; or the Patient's own request. If the purpose is "at the request of the Patient," no further justification is required pursuant to 45 CFR §164.508(c)(1)(iv).

The Patient acknowledges that the Disclosing Party may not condition treatment, payment, enrollment in a health plan, or eligibility for benefits on the Patient's execution of this Authorization, except in the limited circumstances permitted by 45 CFR §164.508(b)(4), including when the authorization is sought in connection with research-related treatment or with enrollment in a health plan.

This Authorization shall expire on the date specified on the signature page, or upon the occurrence of the event specified therein. If no expiration date or event is stated, this Authorization shall expire twelve (12) months from the date of the Patient's signature, consistent with applicable state law. The Patient may specify a shorter or longer expiration period, subject to any maximum duration imposed by state law.

Upon expiration or revocation of this Authorization, the Disclosing Party shall cease all further disclosures of PHI under this Authorization. Expiration or revocation shall not affect the validity of any disclosures made in good-faith reliance on this Authorization prior to the Disclosing Party's receipt of notice of revocation, consistent with 45 CFR §164.508(b)(5).

The Patient has the right to revoke this Authorization at any time by submitting a written revocation to the Disclosing Party's privacy officer or designated contact at the address specified on the signature page. Revocation shall be effective upon receipt by the Disclosing Party, except to the extent that the Disclosing Party has already taken action in reliance on this Authorization prior to receiving the revocation, as permitted by 45 CFR §164.508(b)(5)(i).

The Patient understands that revocation of this Authorization does not apply to disclosures already made in reliance upon this Authorization, nor does it affect the Disclosing Party's right to use or disclose PHI obtained prior to revocation for purposes of defending against any claim or action arising from the disclosure. The Disclosing Party shall document the date and method of receipt of any revocation.

The Patient acknowledges that signing this Authorization is voluntary and that the Disclosing Party will not refuse to provide treatment or healthcare services based on the Patient's refusal to sign this Authorization, except where the disclosure is a condition of research-related treatment or health plan enrollment as permitted by 45 CFR §164.508(b)(4). The Patient understands that refusal to sign may affect the ability of third parties to process insurance claims, legal matters, or other transactions requiring access to the Patient's PHI.

The Patient acknowledges that the Disclosing Party may receive remuneration from a third party in exchange for making the authorized disclosure only if the Authorization explicitly states that such remuneration is involved, pursuant to 45 CFR §164.508(a)(4). If applicable, the involvement of remuneration is disclosed on the signature page of this Authorization.

The Patient (or the Patient's authorized personal representative) shall execute this Authorization by signing and dating the signature page. By signing, the Patient affirms that he or she has read this Authorization in its entirety, understands its terms, and authorizes the disclosure of PHI as described herein. The Patient acknowledges receipt of a signed copy of this Authorization as required by 45 CFR §164.508(c)(4).

If this Authorization is executed by a personal representative, the personal representative shall sign in his or her own name and indicate the capacity in which he or she is acting (e.g., parent, legal guardian, healthcare agent). The personal representative shall attach documentation of authority as required by the Disclosing Party. This Authorization shall be governed by federal law (HIPAA and the HITECH Act) and the laws of the state in which the Disclosing Party is located, to the extent not preempted by federal law.