HIPAA authorization
A standalone release that lets your designated persons receive protected health information from your providers. Often overlooked, and often the reason family members get stonewalled during a medical crisis.
The Privacy Rule (45 CFR § 164.508) prohibits healthcare providers from disclosing your protected health information (PHI) to anyone except you unless you have authorized the disclosure in writing. This is separate from — and complementary to — your healthcare power of attorney.
Why the healthcare alone is not enough: the POA empowers your agent to make decisions when you cannot, but it does not automatically authorize providers to share information with anyone else. A family member who is not your agent may still be stonewalled at the front desk without a HIPAA authorization naming them.
A HIPAA authorization must identify the PHI to be released, name the persons authorized to receive it, describe the purpose, and include an expiration date or event. Department of Health and Human Services sample forms are widely available, and most hospitals keep their own version you can sign on admission.
Practical pattern: name your healthcare agent AND anyone else who should be able to get status updates (adult children, siblings, close friends). Scope it broadly to "all medical information" and date it to expire only on revocation or death — narrow or time-limited authorizations cause confusion.
Tagged 🟢 because it is a single-page standalone form, the federal regulation is explicit about what it needs to contain, and there is no state-law variation that makes it risky.
State-specific notes
HIPAA is federal — the same rules apply in every state. The authorization must be in plain language, identify the persons authorized, describe the PHI, state the purpose, include an expiration, and contain the statutory revocation and re-disclosure warnings.
Virginia has no additional privacy requirements above HIPAA for standard medical authorizations. Mental-health and substance-abuse records have stricter federal rules (42 CFR Part 2 for SUD records); if relevant, your authorization must specifically reference those records.
West Virginia similarly defers to the federal HIPAA rule. Same Part 2 carveout for SUD records.
Federal HIPAA (45 C.F.R. § 164.508) controls release of PHI and applies uniformly in Alabama — no state-specific variance for the core authorization. Alabama has separate mental-health confidentiality protections (Ala. Code § 22-56-10) and HIV/AIDS record rules (Ala. Admin. Code r. 420-4-1) that may require additional specific language. Commonly paired with the Alabama Advance Directive for Health Care (Ala. Code § 22-8A-4).
References
Draft this document
The builder walks you through each field, saves a draft you can return to, and produces a print-ready document. Not legal advice; review the finished draft before signing.