
Release of Information: HIPAA ROI Template

Create HIPAA-compliant Release of Information forms with all required elements. Understand expiration rules and proper use. Get our free template.

TheraFocus Team
HIPAA Compliance Experts
December 24, 2024

A Release of Information (ROI) form is your legal gateway to sharing or obtaining protected health information. Without a properly executed ROI, you risk HIPAA violations that can result in fines up to $1.5 million per incident. This guide walks you through every element your ROI form needs, common mistakes that invalidate authorizations, and practical strategies for managing information releases in your therapy practice.

Let me share something that happened early in my career. A hospital called requesting records for a mutual client. I had an ROI on file, so I thought I was covered. But when I reviewed it, the form only said "medical records" without specifying dates, and it had been signed 18 months ago with no expiration date listed. The hospital informed me my authorization was not valid under HIPAA. That conversation taught me more about ROI requirements than any training ever did.

  • $50K+ - Average HIPAA fine for improper disclosure
  • 8 - Required elements for valid authorization
  • 90 days - Recommended maximum expiration period
  • 42% - Of ROI forms have at least one compliance gap

What Is a Release of Information Form?

A Release of Information form, sometimes called an Authorization to Disclose, is a written document that gives you legal permission to share specific protected health information (PHI) with a designated person or organization. Think of it as a permission slip for adult healthcare. Without this signed authorization, sharing client information violates HIPAA and can expose you to significant liability.

The ROI serves multiple purposes in clinical practice. It allows you to coordinate care with other providers, respond to insurance requests, communicate with family members the client designates, and fulfill legitimate legal requests. But the key word here is "specific." A valid ROI is never a blank check for disclosure.

The 8 Required Elements of a HIPAA-Compliant ROI

HIPAA spells out exactly what must appear on an authorization form for it to be valid. Missing even one element can render the entire authorization void, which means any disclosure you make based on that form could be considered a HIPAA violation.

HIPAA-Compliant ROI Must Include All 8 Elements

  • 1. Client identification - Full legal name plus at least one other identifier such as date of birth or client ID number
  • 2. Disclosing party - Name and description of the person or organization authorized to release the information
  • 3. Receiving party - Name and description of the person or organization authorized to receive the information
  • 4. Specific information description - Exact description of what records or information will be shared
  • 5. Purpose of disclosure - Why the information is being shared (treatment coordination, legal matter, personal request)
  • 6. Expiration date or event - When the authorization ends (specific date or triggering event)
  • 7. Right to revoke statement - Clear language explaining the client can withdraw authorization at any time in writing
  • 8. Signature and date - Client signature (or legal representative) with the date signed

Required vs. Optional ROI Elements

Understanding what must appear versus what you can add helps you create forms that are both compliant and practical for your specific practice needs.

Required by HIPAA

  • Client name and identifier
  • Disclosing party identification
  • Receiving party identification
  • Description of information
  • Purpose of disclosure
  • Expiration date or event
  • Revocation rights statement
  • Signature and date

Optional But Recommended

  • Witness signature line
  • Client contact information
  • Receiving party fax/email
  • Re-disclosure prohibition notice
  • Checkbox for verbal discussion
  • Date range for records
  • Method of delivery preference
  • Copy of form acknowledgment

Why Specificity Matters

Here is where most therapists get into trouble. Vague language on an ROI creates ambiguity, and ambiguity creates liability. When you write "treatment records" on a form, what exactly does that mean? Progress notes? Intake assessments? Psychological testing results? Diagnosis codes? Communication logs?

The receiving party might interpret that phrase differently than you do. And if a client later claims you disclosed more than they intended, your vague authorization will not protect you.

Too Vague (Avoid)

  • "Medical records"
  • "Treatment information"
  • "All records on file"
  • "Any relevant information"
  • "Mental health records"

Properly Specific (Use)

  • "Progress notes from 1/1/2024 to 3/31/2024"
  • "Initial intake assessment dated 2/15/2024"
  • "Diagnosis codes and treatment dates only"
  • "Treatment summary letter (no session details)"
  • "Dates of service and attendance record"

Understanding Expiration Rules

Every ROI must have an end date. HIPAA does not specify a maximum duration, but best practice recommends keeping authorizations as short as reasonably necessary for the purpose. An ROI for coordinating care during a hospital admission might expire in 30 days. An ROI for ongoing care coordination with a psychiatrist might be valid for 6 to 12 months.

Expiration Date Best Practices

  • Short-term disclosures: 30 to 90 days for one-time requests like court cases or second opinions
  • Ongoing coordination: 6 to 12 months for active care coordination, with renewal reminders
  • Event-based expiration: "Upon completion of disability evaluation" or "Upon discharge from hospital"
  • Never use: "Indefinite" or leaving the expiration field blank

Some states have stricter requirements than HIPAA. California, for example, requires additional language about HIV-related information. Always check your state regulations in addition to federal requirements.

Special Protection Categories

Certain types of information require extra protection beyond standard HIPAA requirements. Using a standard ROI for these categories may not provide valid authorization.

Categories Requiring Special Authorization

  • Substance Abuse Records (42 CFR Part 2)

    Federal regulations require specific consent language that goes beyond HIPAA. Standard ROIs are insufficient for federally-assisted substance abuse programs.

  • Psychotherapy Notes

    Separate authorization required from other medical records. Must specifically identify the notes as psychotherapy notes as defined by HIPAA.

  • HIV/AIDS Information

    Many states require separate, specific authorization. Some require witness signatures or additional disclosures about re-disclosure risks.

  • Genetic Information

    GINA (Genetic Information Nondiscrimination Act) adds protections that may require specific authorization language.

Managing Revocation Rights

Clients can revoke their authorization at any time. Your ROI form must clearly state this right. When a client revokes, you must stop disclosures immediately. You are not required to retrieve information already sent, but you cannot send additional information after revocation.

Revocation Protocol

  1. Accept verbal revocation immediately, but request written confirmation
  2. Document the date, time, and method of revocation in the client file
  3. Notify the receiving party that authorization has been revoked
  4. Update your records management system to flag the expired authorization
  5. Send written acknowledgment to the client confirming revocation received

When Authorization Is NOT Required

HIPAA permits disclosure without client authorization in specific circumstances. Understanding these exceptions helps you respond appropriately to various requests without unnecessarily delaying care or violating regulations.

Permitted Without ROI

  • Treatment coordination between providers
  • Payment and billing operations
  • Healthcare operations and quality review
  • Legally required disclosures
  • Public health reporting
  • Serious threat to health or safety

Always Requires ROI

  • Disclosure to family members (unless emergency)
  • Release to employers
  • Disclosure for marketing purposes
  • Sale of PHI
  • Disclosure to attorneys (client or third party)
  • School or educational records

Common ROI Mistakes to Avoid

After reviewing hundreds of ROI forms from different practices, certain errors appear repeatedly. These mistakes can invalidate your authorization and expose you to liability.

Top 7 ROI Mistakes

  • 1. Missing or blank expiration date field
  • 2. Vague information descriptions ("all records")
  • 3. No statement about right to revoke
  • 4. Using standard ROI for 42 CFR Part 2 records
  • 5. Failing to get new authorization when purpose changes
  • 6. Accepting undated signatures
  • 7. Not verifying legal representative authority

Digital and Electronic ROI Considerations

Electronic signatures are valid for ROI forms, but you need proper systems in place. The E-SIGN Act and UETA allow electronic signatures, but you must be able to verify identity and maintain an audit trail.

Electronic ROI Requirements

  • Identity verification: Secure login, multi-factor authentication, or verified email
  • Intent to sign: Clear indication that submitting constitutes signature
  • Audit trail: Timestamp, IP address, and signature capture method documented
  • Accessibility: Client must be able to download or print signed copy
  • Retention: Electronic records must be maintained for required retention period

Frequently Asked Questions

Can a client authorize release of only part of their record?

Yes. Clients have the right to limit what information is shared. If they only want diagnosis codes released without progress notes, you must honor that limitation. Document the specific scope clearly on the ROI form.

What if a parent wants their adult child's records?

Adults must provide their own authorization. Being a parent does not grant automatic access to an adult child's mental health records. The only exceptions are legal guardianship or healthcare power of attorney.

How long should I keep expired ROI forms?

Retain expired authorizations for at least 6 years from the date of last disclosure made under that authorization. Some states require longer retention. Check your state requirements.

Can I refuse to release records even with a valid ROI?

Generally, no. With a valid authorization, you are required to provide the specified records. However, you may delay or limit disclosure if you believe it would cause serious harm to the client. Document your reasoning carefully.

What if the receiving party asks for more than the ROI specifies?

Only release what is specifically authorized. If they need additional information, request a new or amended authorization from the client. Never expand disclosure beyond the written scope.

Do I need a new ROI if the client changes therapists within my practice?

It depends on how your ROI is written. If it authorizes disclosure from your practice or organization, internal transfers may be covered under treatment coordination. If it names a specific therapist, you may need updated authorization.

Key Takeaways

  • 1. Every valid ROI requires all 8 HIPAA elements. Missing even one can invalidate the entire authorization.
  • 2. Specificity protects everyone. Describe exactly what records, from what dates, for what purpose.
  • 3. Set reasonable expiration dates. Avoid open-ended authorizations that never expire.
  • 4. Special categories require special forms. Standard ROIs are not sufficient for substance abuse records, psychotherapy notes, or HIV information.
  • 5. Document revocations immediately. When a client withdraws authorization, stop disclosures and document the revocation.
  • 6. When in doubt, get a new authorization. It takes less time than defending an improper disclosure.

Getting your ROI process right protects your clients, your practice, and your peace of mind. Take time to review your current forms against these requirements. If anything is missing or vague, update your templates before the next disclosure request lands on your desk.
