Healthcare Template
Free HIPAA Authorization Form Template
A HIPAA authorization allows the release of protected health information to specified parties.
Template
Copy this markdown, replace the {{variables}}, and send via API.
# HIPAA Authorization
**Patient:** {{patientName}}
**Provider:** {{providerName}}
**Date:** {{date}}
## Information to Disclose
{{informationTypes}}
## Recipient
{{recipientName}} ({{recipientOrg}})
## Purpose
{{purpose}}
## Expiration
This authorization expires on {{expirationDate}}.
## Right to Revoke
I may revoke this authorization in writing at any time.Send for e-signature
curl -X POST https://signb.ee/api/send \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"content": "YOUR_RENDERED_MARKDOWN",
"senderName": "Your Name",
"senderEmail": "you@company.com",
"recipientName": "Recipient",
"recipientEmail": "recipient@email.com"
}'What happens next
- Signbee converts the markdown to a professional PDF
- Recipient gets an email with a signing link
- Both parties sign with an animated handwriting signature
- Both receive the signed PDF with a SHA-256 certificate
All signatures are legally binding under the ESIGN Act, eIDAS, and ECA.
More details
A HIPAA authorization form is required whenever a covered entity (healthcare provider, health plan, or healthcare clearinghouse) needs to disclose Protected Health Information (PHI) for purposes not covered by the HIPAA Privacy Rule's standard exceptions.
When is a HIPAA authorization required? HIPAA allows disclosure without authorization for treatment, payment, and healthcare operations. Everything else requires written patient authorization: sharing records with employers, life insurance companies, marketing, research, and most third-party requests.
Required elements under 45 CFR 164.508: 1. Description of information — Specific and meaningful. 'All records' is too broad. Specify: medical records from dates X to Y, lab results, imaging reports, mental health records, substance abuse records. 2. Authorised recipient — Who will receive the information. Name and organisation. 3. Purpose — Why the information is being disclosed. 'At the request of the individual' is acceptable. 4. Expiration — A specific date or event. 'No expiration' is permitted but discouraged. 5. Right to revoke — The patient can revoke at any time in writing. Revocation doesn't apply to disclosures already made. 6. Signature and date — The patient or their personal representative must sign. 7. Consequences of refusal — Treatment cannot be conditioned on signing an authorization (with limited exceptions for research).
Special categories requiring additional protections: - Psychotherapy notes: Require separate, specific authorization even from the treating provider. - Substance abuse records: Protected under 42 CFR Part 2 with stricter requirements than standard HIPAA. - HIV/AIDS status: Many states impose additional restrictions beyond HIPAA. - Genetic information: Protected under GINA with additional restrictions.
Frequently asked questions
What is a HIPAA authorization form?
A HIPAA authorization is a patient's written permission for a healthcare provider to disclose their Protected Health Information (PHI) to a specified party for a specified purpose. It's required for disclosures not covered by HIPAA's standard exceptions for treatment, payment, and healthcare operations.
Can a patient revoke a HIPAA authorization?
Yes. A patient can revoke authorization at any time in writing. However, revocation doesn't apply to disclosures already made in reliance on the original authorization. The provider must stop future disclosures upon receiving the written revocation.
Can HIPAA authorization forms be signed electronically?
Yes. Electronic signatures on HIPAA authorizations are valid under ESIGN and the HIPAA Privacy Rule. The electronic record must be tamper-proof and include a timestamp. Many healthcare providers now use electronic consent management systems.
Related resources
Send this template for signing — free, no credit card.