Third party request to release patient information – HIPAA

The following question and answer was rececently published in HcPro’s HIPAA Weekly Advisor, a free, weekly e-mail newsletter brought to you by HcPro’s premium monthly newsletter Briefings on HIPAA:


Q: If a third party, such as an insurance company, requests that we release patient information, should we deny sending patient records if the request doesn’t include the following statement required by HIPAA?

“I understand that I may refuse to sign this authorization and that my refusal to sign will not affect my ability to obtain treatment or payment, enrollment, or my eligibility for benefits.”

A: Authorization is not necessary if you are releasing information to an insurance company that is paying for the individual’s healthcare.

The privacy rule permits disclosure of PHI for treatment, payment, and healthcare operations without authorization.

If you are disclosing information for other purposes, a valid authorization is necessary, unless the disclosure is required by law. For example, if a life insurance company requests information, HIPAA requires authorization, because the life insurance company does not pay for healthcare services.

To be valid under the privacy rule, an authorization must contain at least the following core elements:

  • The name of the institution/individual authorized to release the information
  • The name of the institution/individual authorized to receive the information
  • A description of the information to be disclosed that identifies the information in a specific and meaningful fashion, including dates of treatment
  • A description of each purpose for the requested use or disclosure
  • An expiration date, or an expiration event, that relates to the patient or the purpose of the request
  • The signature of the patient (or his or her personal representative) and the date signed
  • A description of the representative’s authority to act on the patient’s behalf (if the patient’s personal representative signs the authorization)

In addition to these core elements, a valid authorization also must contain the following:

  • Statement of the patient’s right to revoke the authorization in writing and exceptions to the right to revoke, together with a description of how the patient may revoke the authorization
  • Statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on whether the individual signs the authorization
  • Statement that the information disclosed may be subject to redisclosure by the recipient and no longer be protected by state or federal law or regulations

Editor’s note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.


Have questions? I’m here to help.