A release of information (ROI) is the written authorization a client signs before a mental health practice may disclose their records to a third party. HIPAA does not publish an official form; it mandates the content: six core elements and three required statements (45 CFR 164.508). Records staff use one whenever a disclosure is not already permitted by law. Most forms run one to two pages.
Records staff or the treating clinician; signed by the client
Client, requesting third party, privacy officer, auditors
One to two pages, 400 to 700 words · 5 to 10 minutes by hand (clinical team estimate)
Consent and privacy form (compare: psychotherapy notes authorization, Part 2 consent)
Before records leave the practice for any purpose HIPAA does not already permit
The elements are law (45 CFR 164.508); no official government form exists, the layout is yours
A release of information is the written permission a client gives before a practice may disclose their health records to a third party. In HIPAA terms it is an authorization: the instrument required for any use or disclosure the Privacy Rule does not already permit. The rule behind it, 45 CFR 164.508, comes from the Privacy Rule published in December 2000 and enforceable since April 2003, and it standardizes content, not paperwork: HHS lets every practice draft its own form as long as the core elements and required statements are present, and the regulation adds that the authorization "must be written in plain language." You will also see the form called an authorization to disclose protected health information, a consent to release records, or a medical records release. "HIPAA release" is common shorthand, and imprecise, because many disclosures need no release at all.
Two boundaries do most of the work. First, an ROI is not the client's own records request: when a client asks for their chart, the access right under 45 CFR 164.524 applies, with its own 30-day clock and fee limits, and no authorization is involved. Second, an ROI never reaches psychotherapy notes: those need their own standalone psychotherapy notes authorization, which cannot be combined with any other release. A general form that quietly claims to cover them fails for the notes even where it works for everything else.
Everyone who lets records leave the practice: solo therapists, group practices, and records departments. Typical triggers are an attorney assembling a case file, a disability or life insurer, a school accommodation request, a family member the client wants involved, or coordination with someone outside the treatment relationship. The counterintuitive part is when an ROI is not legally required: HIPAA itself permits disclosures for treatment, payment, and health care operations without one (45 CFR 164.506), so sending progress notes to the psychiatrist treating your client needs no signature under federal law. Substance use disorder records under 42 CFR Part 2, psychotherapy notes, and stricter state statutes are the layers that put a form back in the workflow, and many practices require one for every disclosure as policy, which is caution, not law. The care coordination note and discharge summary pages cover the records that most often travel.
No official government form exists. HIPAA mandates the content: six core elements, three required statements, plain language, and a signature (45 CFR 164.508(b) and (c)). The identity fields most forms carry, date of birth, address, phone, record number, help match the right chart, but they are not legal elements, and HHS states plainly that no notarization or witness is required. One to two pages covers all of it:
Each element in more detail, with the pitfall that most often invalidates it:
Client and practice identification. Full client name, plus the practice or clinician authorized to make the disclosure; the discloser is a core element in its own right. Pitfall: a form dense with identifiers that never names who may disclose. Date of birth and record number are matching fields, not legal elements, and a missing element voids the form while a missing identifier does not.
Description of the information. Name record types and bound them with dates, for example "progress notes and treatment summary, January through June 2026." OCR accepts "entire medical record" as sufficiently specific when that is the intent; an undefined "all protected health information" may fail, because PHI sweeps far wider than the chart. Pitfall: the catch-all phrase. Illinois goes further by statute: blanket consent to unspecified mental health information is simply invalid.
Who may receive. A named person or organization, or a class of recipients, with enough contact detail to route the records. Pitfall: recipients so vague the client cannot tell who will end up holding their information; classes are legal, ambiguity is the thing privacy officers bounce.
Purpose. State why the disclosure is happening. When the client initiates the request, HIPAA accepts "at the request of the individual" as the complete answer. Pitfall: leaving it blank; purpose is a core element, not a courtesy.
Expiration. A date, or an event that relates to the client or the purpose, such as "upon completion of this records transfer." HIPAA sets no maximum, but state law can: California defaults to one year or less unless the signer asks for longer. Pitfall: writing "none," which the rule reserves for research authorizations; and in Illinois a form with no calendar date authorizes release only on the single day it arrives.
Required statements. Three notices the regulation requires: the client may revoke in writing (with the procedure, or a pointer to your notice of privacy practices), treatment and payment cannot be conditioned on signing, and disclosed information may be redisclosed by the recipient and lose federal protection. Pitfall: statement blocks borrowed from an older form that drop the revocation procedure; a missing statement is a defect on its face.
Signature and date. The client signs and dates the form; a personal representative also records the authority they sign under, such as parent of a minor or healthcare power of attorney. Electronic signatures are fine, and California's statute says so explicitly. Pitfall: accepting a representative's signature without documenting the authority on or with the form.
What stays off the form. Psychotherapy notes always need their own standalone authorization, and records from a Part 2 substance use program follow their own consent rules with different expiration mechanics. Pitfall: a single checkbox quietly absorbing a protected category; the release fails for that category even where it is valid for the rest.
RELEASE OF INFORMATION (ROI) AUTHORIZATION (Psychotherapy notes need their own standalone authorization; this form does not cover them.) Client name: DOB: Practice / clinician authorized to disclose: Information to be released (types + date range): [ ] Progress notes [ ] Diagnosis / treatment summary [ ] Treatment plan [ ] Assessment or testing results [ ] Billing records [ ] Other: __________________________ Date range: ______________ Exclusions: ______________ May be released to (name, organization, contact): Purpose: [ ] At the request of the individual [ ] Other: This authorization expires (date or event): I understand that: (1) I may revoke this authorization in writing at any time, except where the practice has already acted on it; the revocation procedure is: ________________ (2) Treatment, payment, enrollment, or eligibility for benefits may not be conditioned on signing this form. (3) Information disclosed under this authorization may be redisclosed by the recipient and may no longer be protected by federal privacy law. Client signature: Date: Personal representative and authority (if applicable):
Free to use and share, no signup. The PDF includes a one-page cheat sheet with element-by-element pitfalls and a pre-release checklist; the DOCX is the blank form, ready to adapt.
Scenario: an adult client asks their therapy practice to send treatment records to the psychiatric nurse practitioner who is starting medication management. All details are fictional.
RELEASE OF INFORMATION (ROI) AUTHORIZATION · Psychotherapy notes are not covered by this form
Client: J.M. · DOB: 09/23/1989
Practice authorized to disclose: A. Reyes, LPC, Harbor Light Counseling, Portland, OR
Information to be released: Progress notes, diagnosis and treatment summary, and the current treatment plan from sessions between 01/12/2026 and 07/10/2026. Psychotherapy notes and billing records are not included.
May be released to: K. Osei, PMHNP-BC, Riverline Psychiatry, Portland, OR · (503) 555-0142
Purpose: Coordination of care, at the request of the individual
Expires: Upon completion of this records transfer or 90 days from signing, whichever comes first
I understand that: (1) I may revoke this authorization in writing at any time, except where Harbor Light Counseling has already acted on it, using the practice's written revocation procedure. (2) My treatment, payment, enrollment, or eligibility for benefits cannot be conditioned on signing this form. (3) Information disclosed under this authorization may be redisclosed by the recipient and may no longer be protected by federal privacy law.
Client signature: J.M. · Date: 07/10/2026
Personal representative and authority: Not applicable
This sample is fictional and for educational purposes. It does not describe a real client or practice.
Writing these after every session? BastionGPT drafts complete notes from bullets, dictation, or a transcript.
Generate a note from bulletsThe ROI sits at the intersection of three rule sets, and knowing which one is speaking prevents most mistakes. HIPAA permits treatment, payment, and operations disclosures with no form at all, so an ROI for a routine provider-to-provider exchange is policy, not federal law. What makes the form legally load-bearing is everything else: disclosures to attorneys, insurers beyond payment, schools, and family members need a valid authorization; substance use disorder records from Part 2 programs follow 42 CFR 2.31, whose 2024 overhaul became mandatory on February 16, 2026; and state statutes can be stricter than HIPAA on both content and duration, the way California requires 14-point type with a one-year default limit and Illinois voids blanket mental health consents outright. One nuance worth knowing: HIPAA's minimum-necessary rule does not apply to disclosures made under a valid authorization (45 CFR 164.502(b)(2)). The form's scope is the whole limit, which is exactly why the description element deserves care.
Handling is as auditable as content. Validity is assessed at the moment of disclosure, not when the form was scanned: an expired date, a known revocation, or a missing element makes the authorization defective that day. Honor written revocations prospectively; anything already released in reliance stays released. Keep every signed form six years under HIPAA's documentation rule (45 CFR 164.530(j)), and when your practice initiates the authorization, give the client a copy. When the client asks for their own records, route the request to the access workflow instead: the 30-day deadline and cost-based fee limits belong to 164.524 access requests, and after Ciox Health v. Azar those fee limits do not automatically govern third-party authorization requests. Requests that arrive as subpoenas deserve independent analysis: an attached ROI does not settle privilege, and a subpoena does not satisfy every confidentiality statute. Consult your attorney or licensing board; state rules vary.
Impermissible uses and disclosures were the single most common issue in the HIPAA complaints OCR resolved in 2024, ahead of right-of-access failures, per its 2024 report to Congress (660 of the top-five issue counts across 28,228 resolved complaints). The enforcement record shows what that looks like in practice: Cadia Healthcare paid $182,000 in 2025 after publishing 150 patients' information in website success stories without valid written authorizations, and Manasa Health Center, a New Jersey psychiatric practice, paid $30,000 after replying to negative online reviews with patient information. In Canada, Alberta's privacy commissioner ordered that an insurer's own authorization form did not satisfy the Health Information Act, so the clinic that relied on it made an unauthorized disclosure. The BastionGPT Clinical Advisory Board sees the same errors most often in release of information reviews:
| Aspect | United States | Canada | Australia |
|---|---|---|---|
| Status | Content mandated by law: six core elements, three statements, plain language (45 CFR 164.508); no official form | Consent validity standards, not form checklists: PHIPA requires knowledgeable consent, express for disclosure to non-custodians; Alberta lists what the custodian must explain first | Privacy Act and APP 6 govern disclosure; OAIC guidance expects consent to be informed, voluntary, current and specific, with capacity |
| Terminology | Authorization, release of information, ROI | Consent to disclose personal health information | Consent to disclose health information |
| What changes | A written, signed form is the rule for authorization disclosures; defects void it | Express consent may be oral: Ontario's regulator says verbal or written, and Alberta accepts documented oral consent since June 2026 | Express consent may be oral, written, or electronic, and implied consent is recognized in some contexts; the form is evidence, not a statutory box |
| Retention | Keep the signed authorization 6 years (45 CFR 164.530(j)); the records themselves follow state rules | Provincial record rules govern the file; Ontario's CRPO expects 10+ years from last interaction | APP 11.2 requires destroying or de-identifying information no longer needed; state record rules add minimums such as NSW's 7 years or age 25 for minors |
The pattern: the US form is a legal instrument whose content is prescribed, while Canadian and Australian forms are evidence that valid consent existed. The same document serves both jobs well, so draft to the strictest standard that touches your practice and document consent conversations even where a signature is not the legal trigger.
BastionGPT is specifically trained, tuned, and clinically tested on release of information authorizations.
See how clinicians use it day to day on the AI therapy notes page.
Many BastionGPT users report saving more than 90 minutes per day on documentation.
HIPAA-compliant with a signed BAA on every plan. Your data is never used to train models. BastionGPT drafts, you review and sign.
No. A release of information covers the designated record set: progress notes, treatment plans, assessments, billing records. Psychotherapy notes sit outside that record set, and HIPAA requires a separate standalone authorization before they leave the practice; the two cannot be combined on one form. If a request covers both, use two forms. The psychotherapy notes authorization page covers the notes side.
Under HIPAA alone, no: disclosures for treatment are permitted without an authorization (45 CFR 164.506), so coordinating with your client's psychiatrist or primary care clinician is lawful with no signature. What changes the answer: Part 2 substance use records, psychotherapy notes, a stricter state mental health statute, or your own practice policy. Many practices still obtain one for trust and clarity, which is sound practice; just call it policy rather than law.
No. A client asking for their own records exercises the HIPAA right of access (45 CFR 164.524), which is not an authorization: the practice must act within 30 days, fees are limited to cost-based charges, and psychotherapy notes are excluded. Routing an access request through the ROI workflow adds paperwork the law does not require and puts the 30-day deadline at risk.
Until its expiration date or event arrives, unless the client revokes it in writing first. HIPAA sets no maximum, so a one-year limit is convention rather than federal law, but stricter state law controls where it exists: California limits most authorizations to one year unless the signer requests longer, and in Illinois a mental health consent without a calendar date is good only on the day it arrives. "None" as an expiration is reserved for research authorizations.
No. HHS states the Privacy Rule "does not require that a document be notarized or witnessed." A receiving organization may still ask for notarization as identity assurance; that is their policy, not a HIPAA requirement, and your form is not defective without it.
Not in the United States: a HIPAA authorization must be a signed written document, and a chart note that the client agreed verbally does not substitute. Canada and Australia regulate consent validity rather than form content: Ontario's regulator confirms express consent may be given verbally or in writing, Alberta accepts documented oral consent under its amended Health Information Act, and Australian guidance recognizes oral express consent, with health information usually warranting the express kind.
Records from a Part 2 substance use disorder program follow 42 CFR 2.31, and the 2024 alignment rule became fully mandatory on February 16, 2026. The consent list looks like HIPAA's with real differences: the patient's name is an express element, a single consent can cover all future treatment, payment, and operations uses, and for those TPO consents "end of treatment" or even "none" is a valid expiration, which a general HIPAA authorization does not allow. Redisclosure now follows HIPAA rules after a TPO consent, with one bright line left: the records cannot be used in proceedings against the client without separate consent or a court order.
It depends on the pathway. When the client exercises their own access right, fees are capped at reasonable, cost-based charges. When a third party requests records under an authorization, the federal court in Ciox Health v. Azar (2020) vacated the attempt to extend that patient-rate cap, so it does not automatically apply; state fee schedules and contracts still can. Identify the legal pathway first, then the fee.
Yes. Paste the incoming request and the signed form, and it checks the elements, flags defects such as a passed expiration or a missing revocation statement, and drafts the response letter or the request for a corrected form. BastionGPT is HIPAA-compliant with a signed BAA on every plan, and your data is never used to train models.
The compliance claims on this page trace to these authorities, last verified July 2026:
Educational content, not legal or billing advice. Sample notes are fictional. Follow your organization's policies and your board, payer, and jurisdiction requirements.