Release of Information (ROI) Form Template for Mental Health

What Is a Release of Information?

A Release of Information (ROI) — formally known as an authorization for use and disclosure of protected health information under HIPAA (45 CFR 164.508) — is a written document signed by the client that permits a mental health provider to share specific clinical information with a designated third party. Without a valid authorization, HIPAA prohibits disclosing PHI for most purposes beyond treatment, payment, and health care operations.

In mental health practice, the ROI is one of the most frequently used compliance documents. Clients may need records sent to a new therapist, a psychiatrist, an attorney, an employer, a school, a disability evaluator, or a family member. Each of these disclosures requires a specific, properly executed authorization. An improperly completed ROI — missing required elements, overly broad in scope, or expired — can expose you to HIPAA violations, malpractice claims, and licensing board complaints.

The ROI is also the client's primary mechanism for controlling who has access to their mental health information. It empowers clients to decide what is shared, with whom, and for how long. This is especially important in mental health, where clinical records often contain highly sensitive material that clients may want disclosed to some parties but not others.

When You Need It

• When a client requests that you send records to another treatment provider (therapist, psychiatrist, primary care physician)
• When a client asks you to communicate with their attorney, employer, school, or family member
• When coordinating care with another provider who is not part of your direct treatment team
• When a client requests copies of their own records to share with a third party (note: clients have a right to access their own records without an authorization, but disclosure to a third party requires one)
• When a disability or insurance company requests clinical information beyond routine billing
• When a client wants you to provide information for a legal proceeding and there is no court order

Key Components / What to Include

1. Client Identification

Full legal name, date of birth, and any other identifying information necessary to locate the correct record. For practices with large caseloads, a client ID or medical record number is helpful.

2. Person or Entity Authorized to Disclose

Your name, credentials, practice name, address, and contact information. This identifies who is releasing the information.

3. Person or Entity Authorized to Receive

The specific name, title, organization, address, and contact information of the recipient. Avoid vague designations like "my attorney" or "my doctor" without identifying information. The recipient must be specifically identified.

4. Description of Information to Be Disclosed

Be specific. Rather than authorizing release of "all records," specify the type of information (e.g., intake assessment, treatment summary, diagnosis, progress notes, psychological testing results) and the date range. HIPAA requires that the authorization describe the information in a "specific and meaningful" manner. Overly broad authorizations raise ethical concerns about disclosing more than is necessary.

5. Purpose of the Disclosure

State why the information is being released (e.g., "continuity of care," "disability evaluation," "legal proceeding," "client request"). Under HIPAA, you may state "at the request of the individual" if the client initiates the authorization and declines to state a specific purpose.

6. Expiration Date or Event

Every valid HIPAA authorization must contain an expiration date or an expiration event (e.g., "upon resolution of the legal matter"). If no expiration is stated, the authorization may not be valid under HIPAA, and many states will impose a default expiration period.

7. Right to Revoke

The authorization must state that the client has the right to revoke the authorization in writing at any time, and that revocation will not affect disclosures already made in reliance on the authorization.

8. Ability to Condition Treatment

The authorization must state that the provider may not condition treatment, payment, enrollment, or eligibility on the client signing the authorization — unless the authorization is for the purpose of creating PHI for a third party (such as a fitness-for-duty evaluation).

9. Potential for Re-disclosure

Include a statement that information disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and may no longer be protected by HIPAA. For substance use disorder records under 42 CFR Part 2, include the required prohibition on re-disclosure.

10. Signature and Date

The client's signature (or the signature of a legally authorized personal representative) and the date of signing. If signed by a personal representative, include a description of their authority (e.g., parent of minor, legal guardian, healthcare power of attorney).

How to Implement It

Step 1: Stock pre-printed forms. Keep blank ROI forms readily available in your intake packets, in your office, and as downloadable PDFs on your client portal. Clients frequently need to complete ROIs during sessions or between sessions.

Step 2: Review every completed ROI before acting on it. Before disclosing any information, verify that all required elements are present: client identification, specific recipient, specific information, purpose, expiration, revocation notice, signature, and date. If any element is missing, the authorization may not be valid and you should request a corrected form.

Step 3: Apply the minimum necessary standard. Even with a valid ROI, HIPAA requires that you disclose only the minimum information necessary to accomplish the stated purpose. If a client authorizes release of "all records" for continuity of care, consider whether a treatment summary would suffice rather than sending the entire chart. Discuss this with the client.

Step 4: Document every disclosure. Record the date of disclosure, what was disclosed, to whom, the method of transmission, and the authorization on which you relied. This creates the accounting of disclosures that clients have a right to request under HIPAA.

Step 5: Track expiration dates. Maintain a log or use your EHR system to track ROI expiration dates. If a recipient requests additional information after the authorization has expired, you must obtain a new authorization before disclosing.

Step 6: Store the signed authorization. File the original signed ROI in the client's record. It must be retained for at least six years from the date of its creation or the date it was last in effect, whichever is later, per HIPAA requirements.

Common Mistakes

Using an authorization that lacks required elements. HIPAA specifies core elements that must appear in every valid authorization. An authorization missing the expiration date, revocation notice, or re-disclosure statement is defective and does not provide a valid legal basis for disclosure. Acting on a defective authorization exposes you to liability.

Releasing more information than authorized. If the client authorizes disclosure of a "treatment summary," do not send progress notes, testing data, or intake assessments. The scope of the authorization defines the boundary of what you may disclose. When in doubt, contact the client to clarify.

Failing to verify the identity of the requesting party. Before sending records to a recipient, confirm that the request is legitimate. If someone calls claiming to be a client's new therapist, verify their identity independently before disclosing PHI. Sending records to the wrong person is a reportable breach.

Accepting an expired authorization. Always check the expiration date before processing a disclosure. An authorization that expired last month is no longer valid, regardless of the original intent. A new authorization must be obtained.

Not distinguishing between psychotherapy notes and the clinical record. Under HIPAA, psychotherapy notes maintained separately from the medical record require their own specific authorization for release. A general ROI does not cover psychotherapy notes unless it specifically and separately authorizes their disclosure.

Ignoring 42 CFR Part 2 requirements for substance use records. If your practice provides substance use disorder treatment, standard HIPAA authorizations are not sufficient. Part 2 requires additional elements, including a prohibition on re-disclosure, and the authorization form itself must meet Part 2 specifications. Using a HIPAA-only ROI form for Part 2 records is a violation.