Key Takeaways
An authorization for release of confidential information is a legally required form that allows patients to permit healthcare providers to share protected health information (PHI) with named recipients.
HIPAA regulations require authorizations to include: description of information, recipient name, purpose, expiration date/event, patient signature and date, and the right to revoke without penalty (45 CFR § 164.508).
Substance use disorder (SUD) records fall under stricter 42 CFR Part 2 confidentiality rules and require a separate, specific authorization with enhanced language and protections.
Practice management software like Pabau automates authorization collection through digital forms and stores signed documents securely, cutting out manual paper workflows.
Download your free authorization for release of confidential information template
A HIPAA-compliant consent form covering patient details, information to be released, purpose of disclosure, recipient information, expiration date, patient rights, signature, and regulatory compliance language for mental health, therapy, and general healthcare practice workflows.
Download templatePatient confidentiality is foundational to healthcare practice. In fact, it’s one of the most heavily regulated aspects of running a practice. Whether you’re a therapist releasing mental health records, a primary care physician sharing patient information with a specialist, or an addiction treatment provider navigating substance use disorder confidentiality, you need to get the authorization for release of confidential information form right.
HIPAA civil penalties range from roughly $145 to $73,011 per violation. The annual cap reaches $2,190,294 per violation category, and HHS adjusts these figures periodically for inflation. On top of that, state-level privacy laws add even stricter penalties.

This guide explains what an authorization for release of confidential information is and when it’s legally required. It also covers how to complete the form correctly. Finally, it shows how Pabau Scribe, our AI scribe, helps practices manage these forms with zero compliance risk.

What is an authorization for release of confidential information?
An authorization for release of confidential information is a written, signed legal document. Specifically, it permits a healthcare provider to disclose a patient’s protected health information (PHI) to a named third party. In addition, it represents a patient’s explicit consent. Federal law requires this consent for most non-treatment, non-payment, and non-operations disclosures under HIPAA.
For instance, a Notice of Privacy Practices simply informs patients of their rights, and a general consent-to-treatment form works the same way. An authorization for release of confidential information works differently: it’s specific. It names exactly what information you can share, with whom, for what purpose, and for how long. Without it, sharing patient records, even with another healthcare provider, counts as a breach.
- Legal basis: 45 CFR § 164.508 (HIPAA Privacy Rule)
- Typical use cases: sharing records with family members, employers, insurance companies, attorneys, other practices, or researchers
- Not required when: disclosure is for treatment, payment, healthcare operations, legal subpoenas (with court order), or public health reporting
- Signature requirement: must be signed and dated by the patient (or legal guardian for minors/incapacitated individuals)
- Revocation right: patients can revoke in writing at any time, except where action has already been taken
How to complete and use the form
Completing and collecting these forms correctly is the difference between a compliant practice and a HIPAA liability. Follow these five operational steps to keep every authorization legally defensible and clinically appropriate.
Confirm eligibility and complete the form
- Determine if the disclosure requires authorization. First, check the purpose of the disclosure. Treatment-related sharing, payment-related sharing, and healthcare operations don’t need a separate authorization — standard NPP consent already covers them. Examples include consulting another provider on a patient’s care (including telehealth consultations), a billing inquiry, or credentialing. However, all other disclosures require a mandatory authorization, such as family member requests, legal proceedings, employer verification, and third-party research.
- Complete all required elements before the patient sees the form. Staff should pre-fill the practice name, practice address, provider name, date, and the recipient’s name and title. Do NOT leave blanks: incomplete authorizations aren’t legally valid, and recipients or regulators may reject them. The patient is then responsible for their name, date of birth, signature, and date of signature.
Collect, document, and track the signed form
- Have the patient sign and date in person (or via esignature). Because electronic signatures are legally binding under the U.S. Federal ESIGN Act (15 U.S.C. § 7001), digital collection is compliant. Collect a wet signature only if your state requires it; esignature alone is sufficient in most US jurisdictions. Keep the signed copy in the patient record. Then send the original or a certified copy to the recipient within 5 business days of receipt.
- Document the release in the patient chart. Note the date the patient signed the authorization, the recipient, the purpose, and the date and time you sent the information. This audit trail proves compliance during a regulatory review or patient dispute.
- Set a calendar reminder for the expiration date. Additionally, most authorizations are valid for 6 months to 1 year (specify in the form). After expiration, you cannot release information under that authorization — the patient must sign a new form. For ongoing disclosures like treatment coordination, consider an authorization that expires on a specific event instead of a calendar date. For example, you might use language such as “upon discharge from treatment.”
Who this form is for
Any practice that holds patient information and receives requests to share it needs a compliant authorization process. For example, common users include:
- Mental health clinics (therapy, psychology, psychiatry): therapists and counselors routinely receive requests from family members, employers, courts, or educational institutions to release mental health records. In this setting, mental health records carry heightened confidentiality protections.
- Therapy practices and counseling centers: psychologists and licensed therapists managing patient consent for record-sharing with other providers or third parties.
- Primary care and general practice: family medicine doctors, primary care physicians, and nurse practitioners managing patient requests to transfer records to specialists or new practices. Our HIPAA compliance checklist for primary care covers related documentation requirements.
- Addiction treatment and substance use disorder (SUD) programs: practices treating patients for alcohol or drug abuse fall under 42 CFR Part 2 (federal substance use confidentiality rules), which require enhanced authorization language and stricter protections. See our addiction treatment plan template for related documentation.
- Occupational therapy, physical therapy, and rehabilitation practices: therapists releasing patient progress notes to insurance companies or referring physicians, often billed under codes like CPT code 97162.
- Integrative medicine and functional medicine practices: practitioners coordinating care with conventional medical providers and requesting patient consent to share records, frequently through a HIPAA-compliant CRM.
Benefits of using this form
Compliance and legal benefits
Legal protection: A signed, properly completed authorization shields your practice from HIPAA violations and state privacy law breaches. It documents informed patient consent and creates an audit trail. Regulators, including HHS Office for Civil Rights, CMS, and state health departments, expect to see this trail during compliance reviews and breach investigations.
In addition, some practices pair this with a broader HIPAA authorization form template for general-purpose disclosures.
Efficiency and trust benefits
Workflow efficiency: Because standardized authorization forms reduce administrative burden, staff save time on every disclosure. Staff don’t have to custom-write disclosure letters or negotiate scope with patients. Instead, the form clarifies exactly what the practice is sharing, with whom, and why.
As a result, digital patient intake forms eliminate manual printing, scanning, and filing, saving 10-15 hours per month for mid-sized practices.
Patient transparency: An authorization ensures patients understand what records the practice is releasing and to whom. This builds trust and reduces disputes over “I didn’t know you were sharing my information with my employer.” Meanwhile, clear, HIPAA-aligned language, backed by secure EHR security, makes patients feel in control of their own data.
Regulatory readiness: Practices that maintain signed, complete authorizations for every disclosure pass HHS OCR audits and state health department reviews faster. They also see fewer findings. As a result, regulators frequently cite missing or incomplete authorizations as violations during inspections. Therefore, many practices track this with dedicated HIPAA compliance software that flags missing authorizations before an audit happens.
Pro Tip
Audit your current authorization process: pull 10 random patient records from the last 3 months, and verify that every disclosure has a signed authorization on file (records sent to specialists, insurance companies, family members, or other practices). If any disclosures lack signed authorizations, document the gap and put a corrective action plan in place. This self-audit is the best defense against future compliance findings.
State-specific variation in authorization requirements
While HIPAA sets the federal floor, individual states additionally impose stricter requirements for release of confidential information. A form that meets federal HIPAA standards may not comply with your state’s privacy laws.
- California (CMIA): because the California Confidentiality of Medical Information Act requires that authorizations be signed and dated, include an expiration date, and contain specific language about the patient’s right to revoke, a generic form often falls short. A generic HIPAA form is often insufficient; many California practices use dual forms (HIPAA + CMIA language).
- Texas: Texas Occupations Code § 159.005 requires authorizations for mental health records; the form must include the specific information being released and the named recipient. Blanket authorizations are not permitted.
- Tennessee: Tennessee Code Annotated § 33-3-107 governs mental health records disclosure. Therefore, many Tennessee authorizations must reference both state law and HIPAA for full compliance.
- Massachusetts: Mass.gov DPH publishes a model authorization for release of confidential information; many practices in Massachusetts use this as the baseline and customize it.
Best practice: obtain your state’s model authorization (if available) and cross-reference it with your HIPAA form. If your state has stricter language requirements, integrate them into your standard template. When in doubt, consult your state’s health department or a healthcare attorney.
Electronic signatures on this form
Because the U.S. Federal ESIGN Act (15 U.S.C. § 7001) explicitly permits electronic signatures on healthcare documents, practices can use them for authorizations for release of confidential information. As a result, an electronically signed authorization is legally equivalent to a wet signature and is binding under federal law.
- Electronic signature platforms (Docusign, Adobe Sign, HelloSign): HIPAA-compliant esignature services maintain audit logs showing who signed, when, and from which IP address. These are admissible as evidence in regulatory reviews.
- Patient portal esignature: if your practice uses a patient portal with digital forms capability, patients can sign authorizations directly on their mobile device or computer. The system records the timestamp and stores the signed PDF in the patient record automatically.
- Hybrid approach (wet + digital): some practices print the form, have the patient sign it in the office, and then scan and store the PDF in the EHR. This hybrid approach covers both traditional and digital workflows.
- State-level exceptions: a small number of states (e.g., some territories, specific healthcare contexts) may require wet signatures for certain documents. Check your state’s eSignature laws if you’re unsure; when in doubt, collect both.
Overall, electronic collection of authorizations is faster, reduces manual filing errors, and creates an automatically timestamped audit trail. Read more about running a paperless, HIPAA-compliant practice if you’re still relying on printed forms.
Ready to streamline authorization collection? Book a demo to see how Pabau’s digital forms handle authorization workflows, including electronic signature capture, automatic document storage, and compliance audit trails, all in one platform.
42 CFR Part 2: Authorization for substance use disorder records
Because substance use disorder (SUD) treatment records are among the most heavily protected health information in the US healthcare system, extra rules apply. Specifically, they fall under 42 CFR Part 2 (federal substance use confidentiality regulations), which imposes stricter rules than standard HIPAA.
- Stricter confidentiality standard: because of 42 CFR Part 2, disclosure of SUD records is prohibited if the patient lacks legal capacity. It also blocks disclosure when sharing the records would cause harm, even with a HIPAA-compliant authorization on file. This sets a higher bar than HIPAA, which requires only consent.
- Separate authorization required: because SUD records need extra protection, you cannot use a general medical record authorization to release this information. Instead, the authorization must state that it covers SUD treatment records and include SAMHSA-mandated language. Practices offering behavioral health counseling alongside SUD treatment should confirm both service lines use the correct authorization.
- No re-disclosure: once you release SUD records, the recipient cannot share that information with a third party. Instead, they need a new, separate authorization from the patient first.
- Prohibition on use for discrimination: the authorization must include a notice: “This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). Federal law prohibits any further disclosure of this information except as specifically allowed by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2.”
For this reason, SUD practices and addiction treatment programs must use a separate authorization form specifically for substance use disorder records. The Pabau authorization for release template above includes standard HIPAA language; SUD practices should customize it to add the 42 CFR Part 2 disclosures and prohibitions.
Consult SAMHSA’s 42 CFR Part 2 guidance for the exact required language for your state and program type.
Conclusion
An authorization for release of confidential information is the legal cornerstone of patient privacy in healthcare. Whether you’re releasing mental health records, SUD treatment information, or general medical records, a signed, complete form protects your practice. It also respects patient autonomy and ensures compliance with HIPAA, state privacy laws, and regulations like 42 CFR Part 2.
Download the free template above, customize it for your state and specialty, and integrate it into your patient intake workflow. For streamlined digital collection, schedule a demo with Pabau. You’ll see how practice management software automates authorization workflows and keeps your practice audit-ready.
Continue your research
Need guidance on HIPAA compliance beyond authorizations? Compliance management features help practices audit documentation, audit trails, and regulatory readiness across all patient touchpoints.
Looking for a template for a specific treatment type? Group therapy informed consent and psychiatric evaluation templates are available alongside authorization forms.
Documenting mental health assessments? Our newly published anxiety nursing diagnosis template gives you a structured starting point.
Managing broader patient documentation? Our diabetes medication list and EMT patient assessment templates are also available for practices handling chronic care and emergency intake.
Frequently asked questions
An authorization for release of confidential information is a signed, written legal document that permits a healthcare provider to disclose a patient’s protected health information (PHI) to a named third party. It is required by HIPAA (45 CFR § 164.508) for most non-treatment, non-payment, and non-operations disclosures.
An authorization is required whenever you disclose PHI for purposes other than treatment, payment, or healthcare operations. Common triggers include requests from family members, employers, insurance companies, attorneys, educational institutions, or researchers. Disclosures for treatment coordination with another provider, billing inquiries, or credentialing do not require a separate authorization.
Yes. Patients have the right to revoke an authorization in writing at any time, except where action has already been taken in reliance on the authorization (45 CFR § 164.508(b)(5)). Keep a dated record of revocations and immediately halt further disclosures under that authorization.
Yes. Electronic signatures are legally binding under the U.S. Federal ESIGN Act (15 U.S.C. § 7001) and are HIPAA-compliant. Esignature platforms like Docusign and patient portal signing systems create timestamped audit logs and are admissible as evidence in regulatory reviews.
42 CFR Part 2 is a federal regulation that governs substance use disorder (SUD) treatment records. It imposes stricter confidentiality rules than HIPAA and requires a separate, specific authorization with mandated language. SUD practices must use a dedicated form that includes SAMHSA-required disclosures and prohibitions on re-disclosure.
HIPAA civil penalties range from roughly $145 to $73,011 per violation, with an annual cap of up to $2,190,294 per violation category (figures adjusted periodically by HHS), plus potential civil lawsuits from the patient. State privacy laws (California CMIA, Texas Occupations Code, etc.) impose additional penalties. A single unauthorized disclosure can trigger regulatory investigations and reputational damage.