Guide on the disclosure of confidential information: Appendix C

A patient’s written consent to the disclosure of personal health or medical information must comply with HIPAA to be valid. This is true for all types of medical and mental health information, including psychotherapy notes, and other confidential mental health information. HIPAA requires that a covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. Many doctors and hospitals have their own release forms to use which will expedite the process.

A valid authorization to release protected health information must include:

1. A description of the information to be disclosed that identifies the information in a specific and meaningful fashion. Psychotherapy notes, genetic testing, and HIV testing must be requested specifically and separately.
2. The name of the person authorized to disclose the information.
3. The name of the person to whom the information is being disclosed. 
4. A description of the purpose of the requested disclosure. The statement "at the request of the individual" is sufficient when the individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
5. The expiration date, or a condition or event upon which the authorization terminates.
6. Signature by the minor patient or the minor patient's parent, guardian, or other authorized representative and the date. However, only the minor can consent to the disclosure of information related to a service provided to a minor without the consent of the minor's parent, guardian or other authorized representative. See AUTHORIZED REPRESENTATIVE/MINOR SECTION on pp. 27-28).
7. When the patient is NOT a minor, signature by the patient or the patient's authorized representative and the date. If it is not signed by the patient, there must be a description of how the person signing is authorized to represent the patient.
8. A statement that the consent is subject to revocation at any time and how the individual may revoke the authorization.
9. A statement that the patient understands the terms of the consent and the patient's right to obtain information about to whom the information was disclosed.
10.  A statement on the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.
11. A statement about the potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by HIPAA.
12.  If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

Invalid Authorizations: If any one of the elements of the authorization is omitted, the release is invalid.

Check with your attorney on updates to this information which may happen at any time.