Caregiver glossary

HIPAA authorization

Also: HIPAA release · HIPAA authorization form

A signed form authorizing a healthcare provider to release the patient's information to a named family member or other party. Distinct from a healthcare proxy (which gives decision-making authority); HIPAA authorization gives information access. Patients can list multiple authorized recipients.

What it means in practice

HIPAA (Health Insurance Portability and Accountability Act) protects the patient's medical information by default. Without a signed authorization on file, a clinician's office cannot legally share information with anyone except the patient — not the spouse, not the adult child who drove the parent to the appointment, not the sibling in another state. The HIPAA authorization is the form that opens that door.

Each provider keeps its own HIPAA authorization on file. Signing one at the PCP's office does not authorize the cardiology office to talk to you; signing one at the hospital does not extend to the SNF. Families dealing with multiple specialists typically need to sign authorizations at each one. Many providers have generic forms; some require their specific form. Some accept a global multi-provider authorization (the National Council on Aging publishes a template).

The authorization can be granular: the patient can authorize release of "all medical information" or just "appointment scheduling + summaries" or specific items. The patient can name multiple recipients (spouse + 2 adult children + a hired care coordinator). The authorization can be revoked at any time in writing.

For patients who lose capacity, the healthcare proxy can sign HIPAA authorizations on their behalf — IF the proxy document explicitly grants HIPAA authority (some standard proxy forms don't include it). An elder-law attorney drafting a proxy will typically include HIPAA language; a state-form proxy may need a separate HIPAA authorization added. For patients without a proxy who lose capacity, families often need to invoke the "personal representative" rules under HIPAA — generally a guardian or a close family member — which is messier than having an authorization in place.

When you'll hear it

Necessary if the patient wants siblings, an out-of-state adult child, or a hired care coordinator to be able to speak with clinicians or receive records.

Is this the same as…?

Terms families frequently confuse with HIPAA authorization.

Is HIPAA authorization the same as healthcare proxy?

Healthcare proxy gives the named person AUTHORITY to make medical decisions for the patient. HIPAA authorization gives the named person ACCESS to the patient's medical information. Most families need both — a proxy without HIPAA authorization can decide but may struggle to get the records they need to decide well.

Is HIPAA authorization the same as power of attorney?

A POA covers financial decisions; HIPAA authorization covers medical information. A financial POA does NOT automatically grant access to medical records — that's a different domain. Many families need POA + healthcare proxy + HIPAA authorization, often all signed at the same elder-law-attorney visit.
