Release of Information (ROI) Authorization: HIPAA Rules, Template & Sample Form

A release of information (ROI) is the written authorization a client signs before a mental health practice may disclose their records to a third party. HIPAA does not publish an official form; it mandates the content: six core elements and three required statements (45 CFR 164.508). Records staff use one whenever a disclosure is not already permitted by law. Most forms run one to two pages.

Free to use and share. No signup required.
Already have session bullets or a transcript? Generate a structured draft with BastionGPT — you review and sign it.
Who writes it

Records staff or the treating clinician; signed by the client

Audience

Client, requesting third party, privacy officer, auditors

Typical length

One to two pages, 400 to 700 words · 5 to 10 minutes by hand (clinical team estimate)

Format family

Consent and privacy form (compare: psychotherapy notes authorization, Part 2 consent)

When it's used

Before records leave the practice for any purpose HIPAA does not already permit

Standards context

The elements are law (45 CFR 164.508); no official government form exists, the layout is yours

What is a release of information (ROI) authorization?

A release of information is the written permission a client gives before a practice may disclose their health records to a third party. In HIPAA terms it is an authorization: the instrument required for any use or disclosure the Privacy Rule does not already permit. The rule behind it, 45 CFR 164.508, comes from the Privacy Rule published in December 2000 and enforceable since April 2003, and it standardizes content, not paperwork: HHS lets every practice draft its own form as long as the core elements and required statements are present, and the regulation adds that the authorization "must be written in plain language." You will also see the form called an authorization to disclose protected health information, a consent to release records, or a medical records release. "HIPAA release" is common shorthand, and imprecise, because many disclosures need no release at all.

Two boundaries do most of the work. First, an ROI is not the client's own records request: when a client asks for their chart, the access right under 45 CFR 164.524 applies, with its own 30-day clock and fee limits, and no authorization is involved. Second, an ROI never reaches psychotherapy notes: those need their own standalone psychotherapy notes authorization, which cannot be combined with any other release. A general form that quietly claims to cover them fails for the notes even where it works for everything else.

Who uses release of information forms and when

Everyone who lets records leave the practice: solo therapists, group practices, and records departments. Typical triggers are an attorney assembling a case file, a disability or life insurer, a school accommodation request, a family member the client wants involved, or coordination with someone outside the treatment relationship. The counterintuitive part is when an ROI is not legally required: HIPAA itself permits disclosures for treatment, payment, and health care operations without one (45 CFR 164.506), so sending progress notes to the psychiatrist treating your client needs no signature under federal law. Substance use disorder records under 42 CFR Part 2, psychotherapy notes, and stricter state statutes are the layers that put a form back in the workflow, and many practices require one for every disclosure as policy, which is caution, not law. The care coordination note and discharge summary pages cover the records that most often travel.

What a valid release of information includes

No official government form exists. HIPAA mandates the content: six core elements, three required statements, plain language, and a signature (45 CFR 164.508(b) and (c)). The identity fields most forms carry, date of birth, address, phone, record number, help match the right chart, but they are not legal elements, and HHS states plainly that no notarization or witness is required. One to two pages covers all of it:

  1. Client and practice identification: who the records are about, and which practice or clinician may disclose them.
  2. Description of the information: record types and a date range, in a "specific and meaningful fashion."
  3. Who may receive: the person or class, with contact details.
  4. Purpose: why, or "at the request of the individual."
  5. Expiration: a date or an event.
  6. Required statements: revocation, conditioning, redisclosure.
  7. Signature and date: the client or their personal representative.
  8. What stays off the form: psychotherapy notes and Part 2 records.

Each element in more detail, with the pitfall that most often invalidates it:

Client and practice identification. Full client name, plus the practice or clinician authorized to make the disclosure; the discloser is a core element in its own right. Pitfall: a form dense with identifiers that never names who may disclose. Date of birth and record number are matching fields, not legal elements, and a missing element voids the form while a missing identifier does not.

Description of the information. Name record types and bound them with dates, for example "progress notes and treatment summary, January through June 2026." OCR accepts "entire medical record" as sufficiently specific when that is the intent; an undefined "all protected health information" may fail, because PHI sweeps far wider than the chart. Pitfall: the catch-all phrase. Illinois goes further by statute: blanket consent to unspecified mental health information is simply invalid.

Who may receive. A named person or organization, or a class of recipients, with enough contact detail to route the records. Pitfall: recipients so vague the client cannot tell who will end up holding their information; classes are legal, ambiguity is the thing privacy officers bounce.

Purpose. State why the disclosure is happening. When the client initiates the request, HIPAA accepts "at the request of the individual" as the complete answer. Pitfall: leaving it blank; purpose is a core element, not a courtesy.

Expiration. A date, or an event that relates to the client or the purpose, such as "upon completion of this records transfer." HIPAA sets no maximum, but state law can: California defaults to one year or less unless the signer asks for longer. Pitfall: writing "none," which the rule reserves for research authorizations; and in Illinois a form with no calendar date authorizes release only on the single day it arrives.

Required statements. Three notices the regulation requires: the client may revoke in writing (with the procedure, or a pointer to your notice of privacy practices), treatment and payment cannot be conditioned on signing, and disclosed information may be redisclosed by the recipient and lose federal protection. Pitfall: statement blocks borrowed from an older form that drop the revocation procedure; a missing statement is a defect on its face.

Signature and date. The client signs and dates the form; a personal representative also records the authority they sign under, such as parent of a minor or healthcare power of attorney. Electronic signatures are fine, and California's statute says so explicitly. Pitfall: accepting a representative's signature without documenting the authority on or with the form.

What stays off the form. Psychotherapy notes always need their own standalone authorization, and records from a Part 2 substance use program follow their own consent rules with different expiration mechanics. Pitfall: a single checkbox quietly absorbing a protected category; the release fails for that category even where it is valid for the rest.

Blank template (copy and adapt)

RELEASE OF INFORMATION (ROI) AUTHORIZATION
(Psychotherapy notes need their own standalone authorization;
this form does not cover them.)

Client name:                          DOB:
Practice / clinician authorized to disclose:

Information to be released (types + date range):
[ ] Progress notes   [ ] Diagnosis / treatment summary
[ ] Treatment plan   [ ] Assessment or testing results
[ ] Billing records  [ ] Other: __________________________
Date range: ______________  Exclusions: ______________

May be released to (name, organization, contact):

Purpose: [ ] At the request of the individual   [ ] Other:
This authorization expires (date or event):

I understand that: (1) I may revoke this authorization in
writing at any time, except where the practice has already
acted on it; the revocation procedure is: ________________
(2) Treatment, payment, enrollment, or eligibility for
benefits may not be conditioned on signing this form.
(3) Information disclosed under this authorization may be
redisclosed by the recipient and may no longer be protected
by federal privacy law.

Client signature:                     Date:
Personal representative and authority (if applicable):

Free to use and share, no signup. The PDF includes a one-page cheat sheet with element-by-element pitfalls and a pre-release checklist; the DOCX is the blank form, ready to adapt.

Sample release of information

Scenario: an adult client asks their therapy practice to send treatment records to the psychiatric nurse practitioner who is starting medication management. All details are fictional.

RELEASE OF INFORMATION (ROI) AUTHORIZATION  ·  Psychotherapy notes are not covered by this form

Client: J.M.  ·  DOB: 09/23/1989
Practice authorized to disclose: A. Reyes, LPC, Harbor Light Counseling, Portland, OR

Information to be released: Progress notes, diagnosis and treatment summary, and the current treatment plan from sessions between 01/12/2026 and 07/10/2026. Psychotherapy notes and billing records are not included.

May be released to: K. Osei, PMHNP-BC, Riverline Psychiatry, Portland, OR · (503) 555-0142
Purpose: Coordination of care, at the request of the individual
Expires: Upon completion of this records transfer or 90 days from signing, whichever comes first

I understand that: (1) I may revoke this authorization in writing at any time, except where Harbor Light Counseling has already acted on it, using the practice's written revocation procedure. (2) My treatment, payment, enrollment, or eligibility for benefits cannot be conditioned on signing this form. (3) Information disclosed under this authorization may be redisclosed by the recipient and may no longer be protected by federal privacy law.

Client signature: J.M.  ·  Date: 07/10/2026
Personal representative and authority: Not applicable

This sample is fictional and for educational purposes. It does not describe a real client or practice.

↑ Back to the template and downloads

Why this sample works

  • The description names record types and a date range: specific and meaningful under the rule, and readable by the staff member who pulls the chart.
  • Psychotherapy notes are excluded by name, so the release cannot be read to reach them, and the exclusion doubles as client reassurance.
  • The recipient is one named provider with contact details, not a class the client never met.
  • The purpose is stated in the client's terms, and "at the request of the individual" would have been enough on its own.
  • The expiration is an event with a hard 90-day backstop, so the authorization cannot linger past its usefulness.
  • All three required statements appear, including how to revoke, so the form survives a privacy officer's element check.

Writing these after every session? BastionGPT drafts complete notes from bullets, dictation, or a transcript.

Generate a note from bullets

Documentation and compliance considerations

The ROI sits at the intersection of three rule sets, and knowing which one is speaking prevents most mistakes. HIPAA permits treatment, payment, and operations disclosures with no form at all, so an ROI for a routine provider-to-provider exchange is policy, not federal law. What makes the form legally load-bearing is everything else: disclosures to attorneys, insurers beyond payment, schools, and family members need a valid authorization; substance use disorder records from Part 2 programs follow 42 CFR 2.31, whose 2024 overhaul became mandatory on February 16, 2026; and state statutes can be stricter than HIPAA on both content and duration, the way California requires 14-point type with a one-year default limit and Illinois voids blanket mental health consents outright. One nuance worth knowing: HIPAA's minimum-necessary rule does not apply to disclosures made under a valid authorization (45 CFR 164.502(b)(2)). The form's scope is the whole limit, which is exactly why the description element deserves care.

Handling is as auditable as content. Validity is assessed at the moment of disclosure, not when the form was scanned: an expired date, a known revocation, or a missing element makes the authorization defective that day. Honor written revocations prospectively; anything already released in reliance stays released. Keep every signed form six years under HIPAA's documentation rule (45 CFR 164.530(j)), and when your practice initiates the authorization, give the client a copy. When the client asks for their own records, route the request to the access workflow instead: the 30-day deadline and cost-based fee limits belong to 164.524 access requests, and after Ciox Health v. Azar those fee limits do not automatically govern third-party authorization requests. Requests that arrive as subpoenas deserve independent analysis: an attached ROI does not settle privilege, and a subpoena does not satisfy every confidentiality statute. Consult your attorney or licensing board; state rules vary.

↑ Back to the template and downloads

Common release of information errors auditors flag

Impermissible uses and disclosures were the single most common issue in the HIPAA complaints OCR resolved in 2024, ahead of right-of-access failures, per its 2024 report to Congress (660 of the top-five issue counts across 28,228 resolved complaints). The enforcement record shows what that looks like in practice: Cadia Healthcare paid $182,000 in 2025 after publishing 150 patients' information in website success stories without valid written authorizations, and Manasa Health Center, a New Jersey psychiatric practice, paid $30,000 after replying to negative online reviews with patient information. In Canada, Alberta's privacy commissioner ordered that an insurer's own authorization form did not satisfy the Health Information Act, so the clinic that relied on it made an unauthorized disclosure. The BastionGPT Clinical Advisory Board sees the same errors most often in release of information reviews:

  • Releasing on the requester's form without checking it. Insurers and attorneys draft forms around their needs, not your statutory duties. The discloser is responsible for validity, so check every incoming form against the elements before honoring it.
  • Catch-all descriptions. "Any and all information" reads broad and performs badly: undefined all-PHI wording can fail the specific-and-meaningful test, and Illinois-style statutes void blanket mental health consents entirely. Name the record types and dates.
  • Honoring a defective form. Expiration passed, revocation received, an element blank: each makes the authorization invalid at the moment of disclosure, no matter how long it sat quietly in the chart.
  • Protected categories riding along. Psychotherapy notes and Part 2 substance use records swept into a general release under one checkbox; each needs its own instrument, and the general form fails for them.
  • Running a client's own request through the authorization workflow. Access requests carry a 30-day deadline and fee limits that authorizations do not, so the misrouting creates deadline violations in one direction and imaginary paperwork requirements in the other.

Release of information forms in the US, Canada, and Australia

AspectUnited StatesCanadaAustralia
StatusContent mandated by law: six core elements, three statements, plain language (45 CFR 164.508); no official formConsent validity standards, not form checklists: PHIPA requires knowledgeable consent, express for disclosure to non-custodians; Alberta lists what the custodian must explain firstPrivacy Act and APP 6 govern disclosure; OAIC guidance expects consent to be informed, voluntary, current and specific, with capacity
TerminologyAuthorization, release of information, ROIConsent to disclose personal health informationConsent to disclose health information
What changesA written, signed form is the rule for authorization disclosures; defects void itExpress consent may be oral: Ontario's regulator says verbal or written, and Alberta accepts documented oral consent since June 2026Express consent may be oral, written, or electronic, and implied consent is recognized in some contexts; the form is evidence, not a statutory box
RetentionKeep the signed authorization 6 years (45 CFR 164.530(j)); the records themselves follow state rulesProvincial record rules govern the file; Ontario's CRPO expects 10+ years from last interactionAPP 11.2 requires destroying or de-identifying information no longer needed; state record rules add minimums such as NSW's 7 years or age 25 for minors

The pattern: the US form is a legal instrument whose content is prescribed, while Canadian and Australian forms are evidence that valid consent existed. The same document serves both jobs well, so draft to the strictest standard that touches your practice and document consent conversations even where a signature is not the legal trigger.

How BastionGPT helps

BastionGPT is specifically trained, tuned, and clinically tested on release of information authorizations.

  • Check a signed ROI against the required elements (specific description, expiration, the three statements) and flag anything that would make it defective before records go out.
  • Extract what an incoming records request actually covers and whether the release on file matches its scope and dates.
  • Prepare the release: assemble only what the form covers, draft the cover letter, and flag content that needs a different instrument, from psychotherapy notes to Part 2 records.

See how clinicians use it day to day on the AI therapy notes page.

Many BastionGPT users report saving more than 90 minutes per day on documentation.

HIPAA-compliant with a signed BAA on every plan. Your data is never used to train models. BastionGPT drafts, you review and sign.

Frequently asked questions

No. A release of information covers the designated record set: progress notes, treatment plans, assessments, billing records. Psychotherapy notes sit outside that record set, and HIPAA requires a separate standalone authorization before they leave the practice; the two cannot be combined on one form. If a request covers both, use two forms. The psychotherapy notes authorization page covers the notes side.

Under HIPAA alone, no: disclosures for treatment are permitted without an authorization (45 CFR 164.506), so coordinating with your client's psychiatrist or primary care clinician is lawful with no signature. What changes the answer: Part 2 substance use records, psychotherapy notes, a stricter state mental health statute, or your own practice policy. Many practices still obtain one for trust and clarity, which is sound practice; just call it policy rather than law.

No. A client asking for their own records exercises the HIPAA right of access (45 CFR 164.524), which is not an authorization: the practice must act within 30 days, fees are limited to cost-based charges, and psychotherapy notes are excluded. Routing an access request through the ROI workflow adds paperwork the law does not require and puts the 30-day deadline at risk.

Until its expiration date or event arrives, unless the client revokes it in writing first. HIPAA sets no maximum, so a one-year limit is convention rather than federal law, but stricter state law controls where it exists: California limits most authorizations to one year unless the signer requests longer, and in Illinois a mental health consent without a calendar date is good only on the day it arrives. "None" as an expiration is reserved for research authorizations.

No. HHS states the Privacy Rule "does not require that a document be notarized or witnessed." A receiving organization may still ask for notarization as identity assurance; that is their policy, not a HIPAA requirement, and your form is not defective without it.

Not in the United States: a HIPAA authorization must be a signed written document, and a chart note that the client agreed verbally does not substitute. Canada and Australia regulate consent validity rather than form content: Ontario's regulator confirms express consent may be given verbally or in writing, Alberta accepts documented oral consent under its amended Health Information Act, and Australian guidance recognizes oral express consent, with health information usually warranting the express kind.

Records from a Part 2 substance use disorder program follow 42 CFR 2.31, and the 2024 alignment rule became fully mandatory on February 16, 2026. The consent list looks like HIPAA's with real differences: the patient's name is an express element, a single consent can cover all future treatment, payment, and operations uses, and for those TPO consents "end of treatment" or even "none" is a valid expiration, which a general HIPAA authorization does not allow. Redisclosure now follows HIPAA rules after a TPO consent, with one bright line left: the records cannot be used in proceedings against the client without separate consent or a court order.

It depends on the pathway. When the client exercises their own access right, fees are capped at reasonable, cost-based charges. When a third party requests records under an authorization, the federal court in Ciox Health v. Azar (2020) vacated the attempt to extend that patient-rate cap, so it does not automatically apply; state fee schedules and contracts still can. Identify the legal pathway first, then the fee.

Yes. Paste the incoming request and the signed form, and it checks the elements, flags defects such as a passed expiration or a missing revocation statement, and drafts the response letter or the request for a corrected form. BastionGPT is HIPAA-compliant with a signed BAA on every plan, and your data is never used to train models.

Primary sources

The compliance claims on this page trace to these authorities, last verified July 2026:

  1. 45 CFR § 164.508: core elements (c)(1), required statements (c)(2), plain language (c)(3), defective authorizations (b)(2), compound and conditioning rules, revocation.
  2. 45 CFR § 164.506: treatment, payment, and health care operations disclosures permitted without authorization.
  3. 45 CFR § 164.502: the minimum-necessary exception for authorization disclosures, and personal-representative rules.
  4. 45 CFR § 164.524: the right of access, its 30-day clock, and its exclusions.
  5. 45 CFR § 164.530: the six-year documentation retention rule.
  6. 42 CFR § 2.31 and the 2024 Part 2 final rule: substance use disorder consent content and the February 16, 2026 compliance date.
  7. HHS OCR FAQs 471 (entire-record descriptions), 476 (expiration), and 478 (no notarization or witness).
  8. HHS, notice on Ciox Health v. Azar: the access fee limit does not extend to third-party directives.
  9. California Civil Code § 56.11: 14-point type, single-purpose signature, one-year default limit, copy rights.
  10. Illinois 740 ILCS 110/5: consent content, the day-of-receipt rule, and the invalidity of blanket consents.
  11. Ontario, Personal Health Information Protection Act, 2004, s. 18 and 19, and the IPC's consent guidance: knowledgeable consent, express consent for non-custodians, oral express consent.
  12. Alberta, Health Information Act, s. 34: the pre-consent information list and documented oral consent.
  13. OAIC, Australian Privacy Principles: APP 6 disclosure grounds and the consent framework for health information.
  14. HHS OCR, 2024 Annual Report to Congress: complaint volumes and top alleged issues.

Educational content, not legal or billing advice. Sample notes are fictional. Follow your organization's policies and your board, payer, and jurisdiction requirements.