Covered Entities
Healthcare providers that transmit medical records electronically are considered covered entities and must comply with HIPAA’s rules when sharing or using protected health information (PHI).
Fees ($)
When an individual requests access to their medical files or asks for their records to be forwarded to a third party, the covered entity can charge a “reasonable, cost-based fee” to pay for the following[1]:
- Labor – Costs of labor for making copies, whether in paper or electronic format.
- Supplies – Expenses for supplies required to produce copies.
- Postage – Costs associated with sending physical copies.
- Preparation – Costs associated with preparing a description of medical records (must be agreed to beforehand).
HIPAA Requirements for Authorization
Generally, covered entities must obtain the patient’s approval before sharing PHI for marketing purposes or other reasons that require patient authorization under HIPAA’s privacy rule.[2] To authorize a disclosure, patients will need to sign a release form that contains the following[3]:
- The name of each person or entity allowed to release the patient’s records
- The receiving party’s name or identifying information
- A description of the medical records to be used or disclosed
- An explanation of the reason for the release
- The date or event upon which the patient’s authorization expires
- The patient’s signature with the date
The release must also include certain disclosures, including that[4]:
- The patient can revoke the release (revocation instructions and exceptions must be included)
- The patient’s health care won’t be affected if they choose not to authorize the release
- The released information may be redisclosed by the recipient and no longer protected by HIPAA