Medical Records Release Form Template for England and Wales

What is a Medical Records Release Form?

A medical records release form authorises a healthcare provider to share a patient's health records with a specified third party, providing the legal basis required under the UK GDPR and the common law duty of confidentiality. In England and Wales, health data is special category data and may only be released with explicit patient consent or under a recognised legal exception. A clear, well-drafted release form protects both the provider from data protection liability and the patient's right to control their own health information.

Frequently Asked Questions

What is a medical records release form used for in England and Wales?

It is a written authorisation from a patient allowing their healthcare provider to release a copy of their medical records to a named third party, such as a solicitor, insurer, employer, or another clinician. It gives the provider a documented lawful basis for disclosure under the UK GDPR and the common law duty of confidentiality. Without it, releasing records to a third party could be a data protection breach.

What information must be on a medical records release form?

The form should state the patient's full name, date of birth, and NHS number, the name and address of the recipient, the type and date range of records being released, the purpose of the disclosure, the patient's dated signature, and a statement that the patient understands they may withdraw consent at any time before the records are released. The form should also note any exclusions the patient has specified.

Can a patient access their own medical records in England and Wales?

Yes. Patients have a right of access to their own health records under the UK GDPR. A request can be made verbally or in writing directly to the data controller (typically the GP practice or NHS trust). Providers must respond within one calendar month. Access may be restricted only where disclosure would cause serious harm to the patient or to third parties named in the record.

Can an employer access an employee's medical records through a release form?

Only with the employee's explicit consent under the Access to Medical Reports Act 1988 and the UK GDPR. Even with consent, the employee has the right to see a medical report prepared by their own GP before it is sent, to request amendments, and to withdraw consent. Employers cannot compel employees to sign a medical release form as a condition of employment without specific legal justification.

What happens to medical records of a deceased patient?

After death, access is governed primarily by the Access to Health Records Act 1990. Personal representatives (executors or administrators of the estate) and those with a claim arising from the death may apply for access. The UK GDPR does not apply to deceased individuals, but the common law duty of confidentiality continues after death. Clinicians may still exercise discretion in granting access.

How should a medical records release form be retained by the healthcare provider?

The release form should be kept as part of the patient's medical record, documenting the lawful basis for the disclosure. NHS guidance recommends retaining adult records for a minimum of eight years from the last treatment date. The provider should also keep a record of what was released, to whom, on what date, and under which authorisation. This audit trail protects the provider in the event of a complaint.

Can a release form be used to share records across NHS trusts?

Sharing between NHS bodies for direct care purposes may be done under the Health and Social Care (Safety and Quality) Act 2015 provisions and NHS information governance policies without requiring a separate release form for each transfer. However, where records are being shared for non-direct care purposes (such as research, insurance, or legal proceedings), explicit patient consent is required through a properly completed release form.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the Medical Records Release Form

A Medical Records Release Form is a critical legal document that authorizes healthcare providers to share your protected health information (PHI) with specified third parties. Under United States federal law, particularly HIPAA, your medical records are strictly protected, and healthcare providers cannot share this information without your explicit written authorization, except in limited circumstances defined by law.

When do you need this document?

You need a Medical Records Release Form whenever you want your healthcare information shared beyond your primary care team. This includes transferring care to a new doctor, providing records to insurance companies for claims processing, sharing information with family members or caregivers, submitting medical documentation for disability claims, or providing records for legal proceedings. The form is also essential when seeking second opinions, applying for life insurance, or coordinating care between multiple healthcare providers. Without proper authorization, healthcare providers face significant legal penalties for unauthorized disclosure of your medical information.

Key legal considerations

The form must include specific elements to be legally valid under HIPAA regulations. You must clearly identify what information can be released, who can receive it, and the purpose for disclosure. The authorization must specify an expiration date or event that terminates the release. You retain the right to revoke authorization at any time, though this doesn't affect information already disclosed. Special protections apply to sensitive records like mental health treatment, substance abuse records under 42 CFR Part 2, and HIV/AIDS information, which may require separate authorizations. The form must include a statement about your rights and potential consequences of signing, including whether treatment can be conditioned on signing the authorization.

Legal requirements in the United States

The federal HIPAA Privacy Rule establishes minimum standards for medical records release, but individual states may impose additional requirements that provide greater patient protections. The HITECH Act strengthens these protections and includes breach notification requirements. State laws vary regarding specific formatting requirements, witness signatures, notarization, and time limits for providing requested records. Some states require specific language about patient rights or impose stricter standards for certain types of medical information. The 21st Century Cures Act addresses electronic health information access and prohibits information blocking by healthcare providers. Healthcare providers must maintain records of all disclosures and provide patients with an accounting of disclosures upon request, as required by federal and state regulations.

GOVERNING LAW

Applicable law

This Medical Records Release Form is drafted to comply with England and Wales law. Key legislation includes:

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it