Vernal Health

What Is a HIPAA Release Form? A Plain-Language Guide for Therapists

April 19, 2026

If you've ever had a patient ask you to share their records with another provider, an attorney, or a family member, you've needed a HIPAA release form. But for many therapists in private practice, the specifics of what that form needs to contain — and when it's actually required — remain fuzzy.

This guide breaks it down in plain language.

The Short Answer

A HIPAA release form (formally called an Authorization for Release of Protected Health Information) is a document that gives you, as a provider, legal permission to share a patient's health information with a specific person or organization outside of what's allowed under routine treatment and payment activities.

Without a valid signed authorization, sharing that information is a HIPAA violation — regardless of whether the request seems reasonable.

When Do You Need One?

Most day-to-day information sharing in a therapy practice doesn't require a release form. Sharing records with a specialist you're coordinating care with, submitting a claim to a patient's insurance company, or consulting with a colleague for treatment purposes are all generally permitted under HIPAA's "Treatment, Payment, and Healthcare Operations" (TPO) exception.

A signed release form is required when you want to share information outside of TPO — the most common situations being:

  • Sending records to a patient's attorney or the courts
  • Sharing information with a family member or third party at the patient's request
  • Releasing records to an employer or school
  • Participating in research or marketing activities
  • Disclosing information to another provider who is not directly involved in the patient's care

If you're unsure whether a particular disclosure requires a release, the safest default is: get one anyway.

What Must a Valid HIPAA Release Form Include?

Under the HIPAA Privacy Rule (45 CFR, Section 164.508), a valid authorization must contain eight specific elements:

  1. A description of the information to be disclosed (e.g., "psychotherapy notes from January 1, 2025 to present")
  2. The name of the person or organization authorized to make the disclosure (you, the provider)
  3. The name of the person or organization receiving the information
  4. A description of the purpose of the disclosure
  5. An expiration date or expiration event (e.g., "one year from signing" or "upon completion of legal proceedings")
  6. The patient's signature and the date signed
  7. A statement that the patient has the right to revoke the authorization in writing
  8. A statement that the provider may not condition treatment on whether the patient signs the authorization

If any of these elements are missing, the form is not valid under federal law — and you cannot rely on it.

A Special Note on Psychotherapy Notes

Psychotherapy notes (your private process notes kept separately from the medical record) have extra protections under HIPAA. They require their own standalone authorization — you cannot bundle psychotherapy notes into a general records release. This is one of the most common compliance mistakes in mental health practices.

If you're in a state with additional protections for substance use records, HIV/STI information, or reproductive health records, those may require separate authorizations as well.

Common Mistakes Therapists Make

  • Using a generic template without reviewing it. Many therapists download a form from the internet without verifying it meets current HIPAA requirements. Templates go stale, and requirements vary by state.
  • No expiration date. A release without an expiration date or event is not HIPAA-compliant. Every authorization needs a defined end.
  • Not keeping a copy. You're required to maintain a copy of every signed authorization in the patient's record. This is your protection if a disclosure is ever questioned.
  • Verbal authorizations. A phone call from a patient saying "go ahead and send my records" is not sufficient. Authorizations must be in writing and signed.

The Bottom Line

A HIPAA release form isn't just bureaucratic paperwork — it's your legal documentation that a patient consented to a specific disclosure. Getting it right protects your patients and protects your practice.

Using a purpose-built digital form tool that generates HIPAA-compliant authorizations, tracks signatures, and stores records automatically removes most of the room for error. That's exactly what Vernal Forms was built to do for small therapy practices.

© 2026 Vernal Health

Blog

·

Privacy Policy

·

Terms of Service