The Health Insurance Portability and Accountability Act (HIPAA) was enacted to protect the privacy of your medical information. While this protection is valuable, it can create a serious problem when your family members need to access your medical records or communicate with your healthcare providers on your behalf. Without a valid HIPAA authorization, hospitals, doctors, insurance companies, and pharmacies are legally prohibited from sharing your health information with anyone—including your spouse, parents, and adult children—regardless of the circumstances. A HIPAA authorization is the legal document that solves this problem by designating specific individuals who are permitted to access your protected health information.
What Is a HIPAA Authorization?
A HIPAA authorization is a written document in which you (the patient) grant specific individuals permission to receive, review, and discuss your protected health information (PHI) with your healthcare providers, insurance companies, pharmacies, and other covered entities. Under federal law (45 CFR § 164.508), a valid HIPAA authorization must contain several required elements, including a description of the information to be disclosed, the persons authorized to receive the information, the purpose of the disclosure, an expiration date or event, and your signature.
In the estate planning context, a HIPAA authorization is typically drafted as a broad, durable document that allows designated family members and fiduciaries to access your medical information for the purpose of making healthcare decisions, managing your care, coordinating with insurance, and assisting with estate administration. Without this document, even your healthcare power of attorney agent may face delays or outright refusal when requesting your medical records or trying to discuss your treatment with your doctors.
A covered entity may not use or disclose protected health information without an authorization that is valid under this section or as otherwise permitted by law. An authorization must be written in plain language and contain specific core elements including a description of information, persons authorized, purpose, expiration, and the individual's signature.
45 CFR § 164.508 — HIPAA Privacy Rule: Uses and Disclosures for Which an Authorization Is Required
A Healthcare Power of Attorney May Not Be Enough
Many people assume that naming a healthcare agent through a healthcare power of attorney automatically gives that person access to their medical records. This is a dangerous misconception. While the HIPAA Privacy Rule does allow covered entities to disclose information to a personal representative (which may include a healthcare agent), many providers interpret this conservatively and may require a separate, signed HIPAA authorization before releasing records. Healthcare facilities, insurance companies, and pharmacies frequently demand a specific HIPAA release before sharing any information. Having a standalone HIPAA authorization eliminates ambiguity and ensures your designated individuals can access your information without delay.
Why Every Adult Needs a HIPAA Authorization
The need for a HIPAA authorization becomes apparent in moments of crisis—when a family member is rushed to the emergency room, when an aging parent's condition changes suddenly, or when you need to manage a loved one's care from across the country. Without this document, your family faces bureaucratic barriers at the worst possible time.
Real-World Scenarios Where HIPAA Authorization Is Critical
Scenario: Your adult child is in a serious car accident and is unconscious in the ICU. You arrive at the hospital frantic for information.
Without HIPAA authorization: The hospital cannot legally share any details about your child's condition, treatment, prognosis, or even confirm they are a patient. You may wait hours before a social worker helps navigate the situation, if at all.
With HIPAA authorization: You present your copy of the authorization, and the medical team can immediately discuss your child's condition, treatment plan, and options. You can access test results, speak with specialists, and participate in care decisions without delay.
What Information Does a HIPAA Authorization Cover?
Protected health information (PHI) under HIPAA encompasses virtually all individually identifiable health information created, received, maintained, or transmitted by a covered entity. A properly drafted HIPAA authorization should address all categories of information your designated individuals may need to access.
This includes all records of medical examinations, diagnoses, treatments, surgeries, hospitalizations, and outpatient visits. It covers physicians' notes, nursing notes, consultation reports, operative reports, pathology reports, radiology reports, and all other clinical documentation. Authorized individuals can request complete copies of medical records from any provider, which is essential for coordinating care, seeking second opinions, or managing ongoing treatment.
Blood work, imaging studies (X-rays, MRIs, CT scans), biopsies, genetic testing, and all other diagnostic test results are protected health information. Your HIPAA authorization allows designated individuals to receive and discuss these results with your providers, which is critical for understanding your condition and making informed healthcare decisions on your behalf.
Mental health records and substance abuse treatment records receive additional federal and state protections beyond standard HIPAA rules. Under 42 CFR Part 2, substance abuse treatment records from federally assisted programs require a separate, specific authorization for release. Mental health records may also have heightened protections under Illinois law. A comprehensive HIPAA authorization should explicitly address mental health and substance abuse records if you want your designated individuals to have access to this information.
Your prescription history, current medications, dosage information, and pharmacy records are protected under HIPAA. Authorization allows your designated individuals to communicate with pharmacies about your medications, coordinate refills, review your prescription history for potential interactions, and manage medication-related insurance claims. This is particularly important for elderly individuals taking multiple medications.
Health insurance claims, explanation of benefits (EOB) statements, billing records, and payment history are all protected health information. An authorized individual can communicate with your insurance company, file claims and appeals, request coverage determinations, and resolve billing disputes on your behalf. Without authorization, insurance companies will refuse to discuss your account with anyone, even your spouse.
Illinois law provides special protections for HIV/AIDS-related information under the AIDS Confidentiality Act (410 ILCS 305/). A general HIPAA authorization may not be sufficient to release HIV-related records in Illinois. If you want your designated individuals to have access to HIV-related information, your authorization should include an explicit, specific reference to HIV/AIDS records. This additional specificity is required by Illinois statute and cannot be satisfied by general language alone.
How to Create a Valid HIPAA Authorization
Creating a HIPAA authorization that will be accepted by all healthcare providers requires compliance with federal regulations and careful attention to detail. While the document itself is not complicated, it must contain specific elements to be legally valid.
1. Identify Your Authorized Representatives
Decide who should have access to your medical information. Common choices include your spouse or partner, adult children, parents, siblings, your healthcare power of attorney agent, your estate executor, and your attorney. You can authorize different people for different purposes or grant broad access to multiple individuals. Consider who would need your medical information in various scenarios and err on the side of inclusion rather than exclusion.
2. Define the Scope of Information
Specify what health information may be disclosed. For estate planning purposes, a broad authorization covering all protected health information from all healthcare providers is typically recommended. You may also want to specifically reference mental health records, substance abuse records, HIV/AIDS status, and genetic information to ensure those specially protected categories are included if desired.
3. Include All Required Elements
Under 45 CFR 164.508, a valid authorization must contain: a description of the information to be used or disclosed, the name of the persons authorized to make the disclosure, the name of the persons authorized to receive the information, a description of the purpose of the disclosure, an expiration date or expiration event, your signature and the date, a statement of your right to revoke the authorization, a statement that information disclosed may be subject to re-disclosure, and a statement that treatment cannot be conditioned on signing the authorization.
4. Sign and Date the Authorization
HIPAA does not require witnesses or notarization for a valid authorization. However, having the document notarized or witnessed adds credibility and reduces the likelihood that a provider will question its authenticity. Many estate planning attorneys include the HIPAA authorization in the same signing ceremony as your healthcare power of attorney and living will.
5. Distribute Copies Widely
Provide copies of your signed HIPAA authorization to each authorized individual named in the document, your primary care physician, any specialists you see regularly, your pharmacy, your health insurance company, and any hospital or care facility where you receive regular treatment. Authorized individuals should carry copies with them or store them in easily accessible locations for use in emergencies.
Key Features of an Effective HIPAA Authorization
Not all HIPAA authorizations are created equal. A document drafted as part of a comprehensive estate plan will typically include several important features that a basic form may lack.
HIPAA Authorization vs. Healthcare Power of Attorney
These two documents are frequently confused, but they serve fundamentally different functions. Understanding the distinction helps you appreciate why you need both.
| Feature | HIPAA Authorization | Healthcare Power of Attorney |
|---|---|---|
| Primary Purpose | Grants access to medical information | Grants authority to make medical decisions |
| What It Allows | Receiving, reviewing, and discussing health records | Consenting to or refusing treatment, choosing providers, making care decisions |
| When It Takes Effect | Immediately upon signing (or as specified) | Only when you are unable to make or communicate your own decisions |
| Number of People Named | Can name multiple individuals with access | Typically names one primary agent and one or two alternates |
| Governed By | Federal HIPAA Privacy Rule (45 CFR 164.508) | Illinois Health Care Surrogate Act and Power of Attorney Act |
| Survives Death | Can be drafted to survive death for estate administration | Terminates at death |
| Requires Witnesses | No (recommended but not required) | Yes (one witness required under Illinois law) |
Always Have Both Documents
A HIPAA authorization allows your family to learn about your condition. A healthcare power of attorney allows your agent to do something about it. Neither document is a substitute for the other. Together with a living will, these three documents form the foundation of your advance healthcare planning. An experienced estate planning attorney will create all three as part of a coordinated advance directive package.
Common Questions About HIPAA Authorizations
No. This is one of the most common misconceptions about HIPAA. Your spouse, no matter how long you have been married, does not have an automatic legal right to access your medical information. Healthcare providers may use their professional judgment to share information with a spouse who is present and involved in care, but they are not required to do so and many will not without written authorization. A HIPAA authorization eliminates this uncertainty.
Absolutely not. Signing a HIPAA authorization does not affect your own rights to your medical information in any way. You retain full access to all your records and full control over your healthcare decisions. The authorization simply extends access to the additional individuals you designate. You can also revoke the authorization at any time.
Healthcare providers may refuse to accept a HIPAA authorization if it does not comply with the requirements of 45 CFR 164.508 (missing required elements, expired, improperly signed) or if they believe it was obtained under duress or through fraud. Some providers have their own authorization forms and may prefer that you use their form in addition to your own. However, a properly drafted authorization that meets all federal requirements should be accepted by all covered entities. If a provider refuses a valid authorization, consult an attorney.
Every HIPAA authorization must include an expiration date or expiration event. For estate planning purposes, the authorization is typically drafted to expire upon written revocation (giving you maximum duration) or upon a specified event such as termination of the power of attorney relationship. Avoid setting a specific date that might cause the authorization to lapse when you need it most. If your authorization does expire, you must execute a new one.
HIPAA protections continue for 50 years after death. This means your medical information remains protected and cannot be shared without proper authorization even after you have passed away. If your HIPAA authorization includes post-death effectiveness language and names your executor, estate representative, or other authorized individuals, they can access your records for estate administration, insurance claims, cause-of-death determinations, and other legitimate purposes. Without such language, obtaining a deceased person's medical records can be extremely difficult.
Yes. Your HIPAA authorization should be prepared, executed, and stored alongside your other advance directives (healthcare power of attorney and living will) and your estate planning documents (will, trust, powers of attorney). Many estate planning attorneys create a comprehensive advance directive package that includes all healthcare-related documents. The signing ceremony typically includes all documents at once to ensure consistency and proper execution.
HIPAA Authorization: Essential Points
- HIPAA prevents healthcare providers from sharing your medical information with anyone—including your spouse and adult children—without your written authorization
- A healthcare power of attorney alone may not be sufficient for your agent to access your medical records; a separate HIPAA authorization eliminates ambiguity
- Parents lose automatic access to their children's medical information when the child turns 18; college-age children should sign HIPAA authorizations naming their parents
- A well-drafted authorization should be broad in scope, durable through incapacity, effective after death, and specifically reference specially protected categories like mental health and HIV records
- HIPAA protections continue for 50 years after death, making post-death authorization provisions essential for estate administration
- Distribute copies of your signed authorization to all authorized individuals, your physicians, pharmacy, insurance company, and any care facility where you receive treatment
- Review and update your HIPAA authorization whenever you update your other estate planning documents or whenever your list of authorized individuals changes
Protect Your Family's Access to Your Medical Information
A HIPAA authorization is a simple but critical document that can prevent enormous frustration, delay, and anxiety for your family during medical emergencies and ongoing care management. It costs very little to prepare but provides invaluable peace of mind knowing that the people you trust can communicate with your healthcare providers on your behalf.
Our firm includes HIPAA authorizations as part of every comprehensive estate plan we prepare for Illinois clients. We ensure your authorization is properly drafted to comply with federal and Illinois-specific requirements, broadly scoped to cover all categories of protected health information, and coordinated with your healthcare power of attorney, living will, and other advance directives. Schedule a consultation to discuss your healthcare planning needs and ensure your family has the access they need when it matters most.