What makes a release of information form HIPAA-compliant?

Under 45 CFR 164.508, a valid HIPAA authorization must include: a specific description of the information to be disclosed, the name of the person or entity authorized to make the disclosure, the name of the recipient, the purpose of the disclosure, an expiration date or event, the individual's signature and date, and statements about the right to revoke authorization and the potential for re-disclosure.

What is the penalty for releasing information without proper authorization?

HIPAA penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. Criminal penalties can reach $250,000 and up to 10 years imprisonment for knowingly obtaining or disclosing PHI. State laws may impose additional penalties.

Release of Information Form Template: Free Examples & HIPAA Guide

Q: Can a patient revoke a release of information authorization?

Yes. Under HIPAA, patients have the right to revoke their authorization at any time, in writing. The revocation applies to future disclosures — information already released before the revocation cannot be recalled. Your form must include a statement informing the patient of this right.

Q: Do psychotherapy notes require a separate release form?

Yes. HIPAA requires a separate, specific authorization for psychotherapy notes under 45 CFR 164.508(a)(2). A general medical records release does not cover psychotherapy notes. The authorization must explicitly name psychotherapy notes as the information being released.

Q: How long is a release of information authorization valid?

HIPAA requires an expiration date or expiration event on every authorization but does not set a maximum period. State laws vary — many states limit validity to 60 to 90 days or one year. Check your state's requirements and default to a shorter period when in doubt.

Release of information requests arrive constantly — from insurance companies, referring providers, attorneys, disability examiners, and patients themselves. Each one requires a signed authorization before you can share a single page of protected health information (PHI). Without a standardized release of information form template, your office risks incomplete authorizations that get rejected, HIPAA violations that trigger fines of up to $50,000 per incident, and a paper trail that falls apart under audit. A well-built form turns this compliance headache into a routine workflow.

This guide includes a complete release of information form template, HIPAA compliance requirements under 45 CFR 164.508, practice-specific variations for mental health, medical, and legal settings, and advice on collecting signed authorizations digitally.

What Is a Release of Information Form?

A release of information form is a written authorization that gives a covered entity — such as a healthcare provider, hospital, school, or employer — permission to share protected information with a named third party. The patient, client, or student must sign before any records leave the organization.

Different laws govern these authorizations:

HIPAA (Health Insurance Portability and Accountability Act) — covers protected health information held by healthcare providers, health plans, and clearinghouses
FERPA (Family Educational Rights and Privacy Act) — covers education records at schools that receive federal funding
42 CFR Part 2 — adds protections for substance abuse treatment records beyond what HIPAA requires
State privacy laws — many states impose requirements beyond federal minimums, particularly for mental health records, HIV/AIDS status, and genetic information

The form serves two purposes. It protects the individual's right to control who sees their information, and it protects your organization from liability for unauthorized disclosure.

When Do You Need a Release of Information Form?

An authorization for release of information is required whenever protected records are shared outside the normal course of treatment, payment, or healthcare operations. Common scenarios include:

Patient transfers. A new provider needs medical history, lab results, and medication lists from the previous provider. The patient must authorize the transfer.
Insurance requests. Insurers request records to verify claims or process pre-authorizations.
Legal proceedings. Personal injury cases, workers' compensation, custody disputes, and disability hearings all require signed authorization before records go to an attorney.
Mental health disclosures. Therapists sharing treatment summaries with primary care physicians or school counselors need explicit consent because mental health records carry additional protections.
Student records. Under FERPA, schools need written consent from parents (or eligible students over 18) before releasing education records.
Employment verification. Background checks and government benefits often require a signed release for employment dates, salary, and position history.

Release of Information Form Template: Complete Field List

This template covers the fields you need for a HIPAA-compliant authorization for release of information form. Adapt it to your practice type, state requirements, and specific use case.

Patient / Client Information

Full legal name
Date of birth
Street address, city, state, ZIP code
Phone number
Email address
Last four digits of Social Security Number — for identity verification only. Collecting the full SSN is unnecessary and creates additional security obligations.
Medical record number (if applicable)

Information to Be Released

Use checkboxes so the patient can select specific categories rather than signing a blanket authorization for "all records."

Medical records (office notes, history and physical, discharge summaries)
Mental health records (treatment plans, progress notes, psychological evaluations)
Substance abuse treatment records — protected under 42 CFR Part 2; requires a separate authorization
Psychotherapy notes — under HIPAA (45 CFR 164.508(a)(2)), these require a separate authorization because they are the therapist's personal notes kept apart from the clinical record
Billing and insurance records
Laboratory results
Imaging and radiology reports
Prescription and medication history
Immunization records
Educational records (transcripts, IEPs, disciplinary records) — for schools under FERPA
Employment records
HIV/AIDS testing and status — many states require separate written consent for HIV-related disclosures
Genetic information — protected under GINA (Genetic Information Nondiscrimination Act) and many state laws
Other (specify)

Release From / Release To

Both sections capture the same core fields:

Name of provider or organization
Department (if applicable)
Street address, city, state, ZIP code
Phone number
Fax number
Relationship to patient (for recipient: treating provider, attorney, insurance company, employer, self, other)

Purpose and Time Period

HIPAA requires that the authorization state the purpose of the disclosure.

Purpose of release (check all that apply): continuing care, insurance claim or billing, legal proceedings, disability determination, personal request, workers' compensation, other (specify)
From date — beginning of the date range for records to be released
To date — end of the date range, to prevent over-disclosure

Authorization Details

Patient/guardian signature — a parent or legal guardian signs for minors; a legally authorized representative signs for incapacitated patients
Printed name of signer
Date of signature
Relationship to patient (if not the patient: parent, legal guardian, power of attorney, personal representative)
Witness signature — not required by HIPAA, but many organizations include a witness line as a safeguard against disputes
Expiration date or event — HIPAA requires an expiration date or event (such as "upon resolution of the legal claim"). Many states mandate 60 to 90 days or one year.
Right to revoke statement — the patient can revoke in writing at any time; revocation does not apply to information already disclosed
Ability to refuse statement — treatment, payment, and enrollment generally cannot be conditioned on signing
Re-disclosure warning — disclosed information may be re-disclosed by the recipient and may no longer be protected by HIPAA

HIPAA Compliance: What Your Form Must Include

Under 45 CFR 164.508, a valid HIPAA authorization must contain six core elements and three required statements. Getting any wrong invalidates the entire authorization — turning every record you released under it into an unauthorized disclosure, with penalties of $100 to $50,000 per incident.

The six required elements (45 CFR 164.508(c)): (1) specific description of information to be disclosed, (2) who is releasing the records, (3) who is receiving them, (4) the purpose, (5) an expiration date or event, and (6) the patient's signature and date. The three required statements: right to revoke, right to refuse signing without losing access to treatment, and a re-disclosure warning. All of these are built into the template above (fields 37-39).

State Law Considerations

HIPAA sets a federal floor, but many states add requirements: shorter authorization periods (some cap at 60 or 90 days), specific language for mental health or HIV-related records, witness requirements, or translation into the patient's primary language. When state law is more protective, state law controls.

Practice-Specific Variations

Mental Health and Therapy

A release of information form mental health template must account for protections that do not apply to standard medical records.

Psychotherapy notes need a separate authorization. The therapist's session analysis notes cannot be included in a general release form (45 CFR 164.508(a)(2)).
Substance abuse records require 42 CFR Part 2 compliance. Releases must meet stricter requirements, including a prohibition on re-disclosure by the recipient.
Minor consent creates ambiguity. In many states, minors can consent to their own mental health treatment — raising the question of who authorizes the release. Check your state's rules.
Include a detail-level field. Let the client specify "diagnosis and treatment dates only" versus "full treatment summary including progress notes."

Healthcare and Medical

Turnaround deadlines. Many states require fulfillment within 15 to 30 days. Build date tracking into your form.
Fees for copies. HIPAA limits patient charges to a "reasonable, cost-based fee." State laws may set per-page caps. Include your fee schedule.
EHR integration. Align form fields with your electronic health record system so requests can be tracked from receipt to fulfillment.

Legal Settings

Privilege waiver risk. Releasing legal records may implicitly waive attorney-client privilege for the disclosed information. Advise clients carefully about scope.
Litigation holds. Records under a preservation order cannot be destroyed regardless of the authorization's expiration. Flag these in your tracking system.
Third-party subpoenas. The client or their attorney must authorize the release unless a court orders otherwise.

Collecting Signed Release Forms at Scale

A solid template solves the content problem. But how you collect signed forms determines whether your process works in practice — or buries your staff in paper.

The problem with paper and email

Paper release forms create bottlenecks at every step. Patients forget to bring the form. Staff spend hours printing, scanning, and filing. Signatures are illegible, fields are blank, and forms disappear between the front desk and medical records. One missing checkbox means starting over — another phone call, another mailing, another two-week delay.

Email is faster but introduces compliance risk. Standard email is unencrypted, so sending an authorization with a patient's name, date of birth, and medical record number risks a HIPAA violation. Even encrypted email produces incomplete, hard-to-read forms that require multiple rounds of back-and-forth.

A better approach: digital collection with built-in compliance

File Request Pro lets you create a branded page where patients or clients fill out the release authorization, sign electronically, and upload supporting documents — all in one step. No account creation required, no app download, no login.

Here is how this works for release-of-information requests:

Form fields and file uploads in one place. Build your release authorization with all the fields from the template above, plus file upload fields for court orders, insurance correspondence, or identification.
Automated reminders. Patients who have not completed the form get follow-up emails on a schedule you set — no more phone calls chasing incomplete authorizations.
Cloud storage sync. Completed forms sync to Google Drive, OneDrive, SharePoint, or Dropbox — organized by patient or date. No manual downloading or filing.
Encryption for PHI. Files are encrypted in transit and at rest. This is not optional when collecting protected health information — it is a HIPAA requirement under the Security Rule (45 CFR 164.312).
Audit trail. Every submission is logged with a timestamp showing who signed and when. This protects your practice during HIPAA audits and disputes.
No patient account needed. The patient clicks a link, fills out the form, and submits. No registration, no password, no portal login — which removes the friction that causes patients to abandon the process.
Secure document sharing. When you need to send records back to a referring provider, you can use encrypted file sharing instead of unencrypted email or fax.

Unlike a static PDF or a free printable release of information form filled out by hand, a digital workflow captures complete, legible data every time, routes it to the right storage location, and maintains the compliance documentation you need.

Best Practices for Release of Information Forms

Be specific about what you release

A blanket "release all records" authorization is poor practice even when technically valid. Specify record categories, date ranges, and the purpose of disclosure. This protects the patient, reduces your liability, and ensures the recipient gets only what they need.

Set a reasonable expiration date

Open-ended authorizations create risk. Match the expiration to the purpose: 90 days for an insurance claim, one year for ongoing care coordination, or a specific event like "upon resolution of the legal matter." When an authorization expires, require a new one.

Train staff on authorization exceptions

HIPAA permits disclosure without authorization for treatment, payment, healthcare operations, and certain public health and law enforcement purposes. Staff who know these exceptions avoid delaying legitimate requests — and avoid releasing information when authorization is required.

Track every request from receipt to fulfillment

Log every release request: date received, patient name, requesting party, records released, date fulfilled, who processed it. This log is your first line of defense in a HIPAA audit.

Review your form annually

Privacy laws change. State regulations get updated. New record categories emerge (telehealth records, for example). Review your form at least once a year to confirm it reflects current requirements.

FAQ

What must a HIPAA-compliant release of information form include?

Six core elements under 45 CFR 164.508: a description of the information, the releasing entity, the recipient, the purpose, an expiration date or event, and the patient's signature. Plus three required statements: right to revoke, notice that treatment cannot be conditioned on signing, and a re-disclosure warning.

Can a patient revoke a release of information authorization?

Yes. A patient can revoke at any time by submitting a written revocation. The revocation does not apply to information already disclosed while the authorization was in effect.

Do psychotherapy notes require a separate release form?

Yes. Psychotherapy notes — the therapist's personal session notes stored separately from the clinical record — require a standalone authorization under 45 CFR 164.508(a)(2) and cannot be included in a general release of information form.

What is the difference between a release of information form and a consent form?

A consent form authorizes treatment or a procedure. A release of information form authorizes disclosure of records to a third party. A patient might consent to treatment without consenting to share records outside the treating organization. Release authorizations for specific third parties always require a separate, signed form.

How long is a release of information authorization valid?

HIPAA does not set a maximum validity period but requires an expiration date or event. Many states impose limits of 60 days, 90 days, or one year. Tie the timeframe to the purpose: 90 days for an insurance claim, one year for ongoing care coordination. Check your state's requirements.

Can I use a free printable release of information form I found online?

Proceed carefully. Many free templates are incomplete or outdated — missing the right-to-revoke statement, the re-disclosure warning, or state-specific requirements. Use one as a starting point, but have your compliance officer or legal counsel review it before putting it into use.

What happens if I release records without a valid authorization?

It is a HIPAA violation. Penalties range from $100 to $50,000 per violation depending on negligence, with annual maximums of $1.5 million per category (45 CFR 160.404). Unauthorized disclosures can also trigger corrective action plans, reputational damage, and criminal charges for willful neglect. The Office for Civil Rights publishes enforcement actions publicly.

A compliant release of information form template is the foundation — but the real gains come from how you collect signed authorizations. If your process still runs on paper forms and fax machines, start a free trial of File Request Pro — no credit card required — and see how digital collection with built-in encryption, automated reminders, cloud storage sync, and a full audit trail can cut your processing time in half.

Release of Information Form Template