In 2023, OCR settled with a New England dermatology practice for $300,640 after it disclosed a patient's protected health information to a reporter — without a valid authorization. The practice assumed verbal permission was enough. It wasn't. This case illustrates exactly why every covered entity needs to understand what is a medical release form, what HIPAA requires it to contain, and when disclosing PHI without one can trigger enforcement action.

What Is a Medical Release Form and Why HIPAA Governs It

A medical release form — formally called a HIPAA authorization — is a document signed by a patient (or their personal representative) that gives a covered entity permission to use or disclose their protected health information (PHI) for a specific purpose. Unlike consent forms or acknowledgment of the Notice of Privacy Practices, a HIPAA authorization carries strict content requirements defined under 45 CFR § 164.508.

Without a valid authorization, your organization cannot release PHI for purposes outside of treatment, payment, and healthcare operations (TPO) — unless another Privacy Rule exception applies. Marketing communications, most research uses, sale of PHI, and disclosures to third parties such as employers, attorneys, or insurance companies outside the TPO framework all require one.

The Six Required Elements Every Authorization Must Include

OCR has made clear that a medical release form missing even one required element is not valid — and acting on it exposes your organization to a HIPAA violation. Under 45 CFR § 164.508(c), every authorization must contain:

  • Specific description of the PHI to be used or disclosed — not a blanket statement covering "all medical records."
  • Name or identification of the person(s) authorized to make the disclosure.
  • Name or identification of the person(s) to whom the covered entity may disclose the information.
  • Description of the purpose of the requested use or disclosure. If the patient initiates the request, "at the request of the individual" is sufficient.
  • Expiration date or event — an authorization that says "indefinitely" with no triggering event may be invalid depending on the context.
  • Signature and date of the individual or their authorized representative.

In addition, the form must include statements informing the patient of their right to revoke the authorization, whether treatment or benefits can be conditioned on signing, and the potential for re-disclosure by the recipient.

Common Authorization Mistakes That Trigger OCR Scrutiny

Healthcare organizations consistently struggle with three authorization pitfalls that I see repeatedly in compliance audits.

Using Overly Broad Language

A medical release form that authorizes disclosure of "any and all records" without specifying the type of PHI, the timeframe, or the purpose fails the minimum necessary standard in spirit — and may not meet the specificity requirements of § 164.508. Train your workforce to complete authorizations with precise descriptions.

Failing to Honor Revocations

Patients have the right to revoke an authorization in writing at any time. Your organization must have a documented process for receiving, processing, and acting on revocations before the next disclosure occurs. OCR investigates complaints in this area more often than you might expect.

Conditioning Treatment on Authorization

Under the Privacy Rule, a covered entity generally cannot condition treatment on a patient signing an authorization. There are narrow exceptions — such as research-related treatment or pre-enrollment health screenings — but outside those, requiring a signature before providing care is a violation.

When You Don't Need a Medical Release Form

Not every disclosure of PHI requires a signed authorization. The Privacy Rule permits disclosures without patient authorization for treatment, payment, and healthcare operations. It also permits disclosures required by law, for public health activities, to avert a serious threat to health or safety, and in several other circumstances outlined in 45 CFR § 164.512.

Understanding the boundary between authorization-required and authorization-exempt disclosures is one of the most critical competencies for your workforce. Getting this wrong in either direction — disclosing without authorization when one is needed, or unnecessarily delaying care by demanding authorization when one isn't required — creates both compliance risk and patient harm.

How Medical Release Forms Connect to Your Broader Compliance Program

A valid authorization process doesn't exist in isolation. It ties directly into your organization's risk analysis, your policies and procedures documentation, and your ongoing HIPAA training and certification program.

Every member of your workforce who handles PHI — from front-desk staff to billing departments to clinical providers — needs to know when an authorization is required, how to verify that one is valid, and what to do when a patient revokes one. This isn't a one-time orientation topic. OCR expects ongoing, role-based workforce training as part of your Security Rule and Privacy Rule compliance obligations.

If your organization hasn't reviewed its authorization forms and processes in the past 12 months, now is the time. Regulations haven't changed dramatically, but OCR enforcement priorities and breach patterns have. A business associate receiving PHI under an invalid authorization creates liability for both parties.

Build Authorization Compliance Into Workforce Training

In my work with covered entities, the organizations that avoid authorization-related complaints are the ones that make it a standing topic in annual training — not a footnote in a policy manual no one reads.

Start by auditing your current medical release form against the six required elements listed above. Then verify that your revocation procedures are documented and that staff can locate and follow them. Finally, ensure every workforce member who interacts with patients or handles disclosure requests has completed current compliance education through a program like HIPAA Certify's workforce compliance platform.

A compliant authorization process protects your patients, your organization, and your workforce. An invalid one is a liability waiting for an OCR complaint to activate it.