HIPAA rule (Section 164.508) pertaining to the release of health information states that a valid authorization for the release of patient information must be in plain language and contain the following elements:

• A specific and meaningful description of the information to be disclosed
• The name of the covered entity (hospital) or individual authorized to make the disclosure
• The name of the covered entity or person to whom the hospital or individual can make the disclosure
• An expiration date or event that relates to the individual or the purpose of the use or disclosure
• A statement of the individual’s right to revoke the authorization in writing
• A statement about the exception to the right to revoke
• A description of how the individual may revoke the authorization
• A statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by the rule
• Signature of the individual
• The date
• If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the indivual

The authorization for release of information is not valid, according to the privacy rule, if the authorization has any of the following defects:

• The expiration date or event has passed
• The authorization has not been filled out completely with respect to the required content listed above
• The authorization is known by the covered entity to have been revoked
• The authorization is a prohibited type of compound authorization (must not be combined with any other document or request)
• Any material information in the authorization is known by the hospital to be false

Note: This sample letter should not be used without review by your organization’s legal counsel to ensure compliance with hospital policies and local and sate regulations.