In 2023, a mid-sized hospital system in the Midwest paid $125,000 to settle an OCR investigation after it disclosed patient records based on an authorization form that lacked several required elements. The form had been in use for nearly four years before anyone caught the deficiency. If your organization uses a release of information form under HIPAA that hasn't been reviewed against the Privacy Rule's explicit requirements recently, you may be carrying the same risk.
What the HIPAA Privacy Rule Requires in a Release of Information Form
The Privacy Rule at 45 CFR § 164.508 spells out exactly what constitutes a valid authorization for the use or disclosure of protected health information. A release of information form under HIPAA is not a generic consent — it is a specific, legally binding document that must contain every element the regulation demands, or the disclosure it supports is unauthorized.
OCR has enforced this distinction repeatedly. A valid HIPAA authorization must include all of the following core elements:
- A specific description of the PHI to be used or disclosed
- The name or specific identification of the person or entity authorized to make the disclosure
- The name or specific identification of the person or entity to whom the covered entity may make the disclosure
- A description of each purpose of the requested use or disclosure (the individual may state "at the request of the individual" if they initiate it)
- An expiration date or expiration event that relates to the purpose of the authorization
- The individual's signature and date
Miss even one of these elements, and the authorization is defective. Under 45 CFR § 164.508(b)(1), a covered entity may not rely on a defective authorization to release protected health information.
Required Statements Most Organizations Forget to Include
Beyond the core elements, HIPAA mandates three specific statements that must appear on every release of information form. In my work with covered entities, these are the elements I see missing most frequently.
First, the form must include a statement about the individual's right to revoke the authorization in writing. Second, it must describe any exceptions to that right to revoke — for example, if the covered entity has already acted in reliance on the authorization. Third, the form must include a statement that information disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer protected by HIPAA.
Additionally, if a covered entity is conditioning treatment, payment, enrollment, or eligibility on the authorization, the form must state that clearly. If it is not conditioning any of those, the form must state that as well. There is no middle ground — one statement or the other must appear.
The Minimum Necessary Standard and How It Intersects With Authorizations
Here's a nuance that catches many compliance officers off guard: the minimum necessary standard under 45 CFR § 164.502(b) does not apply to disclosures made pursuant to a valid patient authorization. When a patient signs a properly executed release of information form, the covered entity may disclose exactly what the authorization describes — no more, no less.
That said, the description of PHI on the authorization must still be specific. "All medical records" may be what the patient wants, but your workforce should be trained to verify that the form reflects the patient's actual intent. Vague or overbroad authorizations create downstream liability even when they are technically valid.
Common Compliance Failures With HIPAA Release of Information Forms
OCR investigations and enforcement actions reveal recurring patterns in how organizations mishandle these forms:
- Using compound authorizations improperly. The Privacy Rule prohibits combining an authorization for the use or disclosure of psychotherapy notes with an authorization for other types of PHI. These must be on separate forms.
- Failing to provide a copy to the patient. Under 45 CFR § 164.508(c)(4), the individual must receive a copy of the signed authorization. Many organizations skip this step entirely.
- Accepting expired authorizations. If the expiration date or event has passed, the authorization is no longer valid. Your health information management team must verify this before every disclosure.
- Not documenting the authorization properly. HIPAA requires covered entities to retain authorization forms for six years from the date of creation or the date the authorization was last in effect — whichever is later.
Business Associate Obligations and the Release of Information Process
Many covered entities outsource their release of information function to a business associate — a third-party vendor that processes disclosure requests on behalf of the covered entity. If your organization does this, the business associate agreement must explicitly address the vendor's obligations under the Privacy Rule, including ensuring that only valid authorizations are honored.
Under the Omnibus Rule, business associates are directly liable for HIPAA violations. If your vendor releases PHI based on a defective authorization, both your organization and the vendor face potential enforcement action from OCR.
Build Workforce Competency Around Authorization Requirements
The most well-drafted release of information form is useless if your workforce doesn't know how to verify it. Staff in health information management, front desk operations, and patient access must be able to identify every required element and reject deficient forms before a disclosure occurs.
This is not a one-time orientation topic. The Privacy Rule at 45 CFR § 164.530(b) requires training on policies and procedures for every workforce member whose functions are affected by the material — and the authorization process affects nearly everyone who touches patient records. Investing in thorough HIPAA training and certification for your team ensures that authorization verification becomes a practiced skill, not a guessing game.
Practical Steps to Audit Your Current Release of Information Form
Pull your organization's current authorization form today and walk through this checklist:
- Does it contain all six core elements listed in 45 CFR § 164.508(c)(1)?
- Does it include all three required statements — right to revoke, re-disclosure risk, and conditioning of treatment?
- Is the description of PHI specific enough to guide your disclosure staff?
- Does the form separate psychotherapy notes from all other PHI authorizations?
- Does your workflow include providing a copy to the patient after signing?
- Are signed forms retained for the required six-year period?
If even one answer is no, you have a compliance gap that needs immediate attention. OCR does not require perfection, but it does require documented, good-faith effort to comply — and a defective authorization form undermines that effort at its foundation.
Your organization's Notice of Privacy Practices should also inform patients of their right to authorize disclosures. Review that document alongside your authorization forms to ensure consistency. For a comprehensive approach to building privacy compliance across your workforce, explore the resources available through HIPAA Certify's workforce compliance program.
A valid release of information form is not just a piece of paper — it's the legal mechanism that permits your covered entity to share protected health information. Treat it with the same rigor you apply to your risk analysis, your security controls, and your breach notification procedures. The regulatory consequences of getting it wrong are entirely avoidable.