Authorization to Release Patient Information Policy

Policy: Authorization to Release Patient Information

Policy Number: 501 Policy Section: Health Information Management
Owner: Cynthia Grant Approved By: Paul Vogelman, COO
Effective Date: 2/04/2022 Date of Last Review: 3/24/2023


SUD Specialty Group -- CA; Mental Health Specialty Group, P.A.; Mental Health Specialty Group NJ, PC; and Mental Health Specialty Group KS, P.A. (collectively, the "Group") contracts with Path CCM, Inc. d/b/a Rula Health ("Rula") for management and administrative support services. This policy applies to the Group and Rula.


Policy Statement

This policy outlines the process for the use and disclosure of protected health information (PHI) pursuant to a written authorization. 



This policy applies to all team members who have access to and are authorized to release patient protected health information. For purposes of this policy, the Group’s and Rula’s team members include individuals who would be considered part of the workforce such as employees, independent contractors, business team members, and other persons whose work performance is under the direct purview of Rula or the Group’s  business practices.



Protected Health Information (PHI): is a subset (record or transmission) of health information, including demographic information collected from an individual. 

Use: is the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within Rula, or by a Business Associate of Rula.

Disclosure is the release, transfer, provision of access to, or divulging in any manner of PHI to persons not employed by or working within Rula with a business need to know PHI

Qualified service organizations: an organization that provides services to a 42 CFR Part 2 program and has a written agreement with Part 2 program that acknowledges that the organization will uphold the 42 CFR Part 2 regulation and the organization agrees to assist with any judicial proceedings to gain access to patient records bound by 42 CFR Part 2.


  1. Release of Information (ROI) Authorization
  1. A written release of information form is required to be completed prior to the use and/or disclosure of PHI, unless an exception exists or the use and disclosure is otherwise permitted pursuant to the Notice of Privacy Practices or required by law. The Privacy Officer can determine whether an authorization is needed prior to the release of information. 
  2. ROIs must consider both HIPAA and 42 CFR Part 2. The Notice of Privacy Practices details when information can be released without an authorization. 
    1. PHI may be disclosed without authorization, when 42CFR Part 2 does not apply, if the disclosure is:
      1. Requested by the client and/or their personal representative. 
      2. For the purposes of treatment, payment or operations. See HIPAA Patient Privacy and Confidentiality policy for more information. 
      3. To the Secretary of Health and Human Services for the purpose of determining compliance with the HIPAA Privacy Rule 
      4. Required by state or federal law
      5. In the event of an emergency 
      6. Other public health interest activities 
      7. When reporting child abuse or neglect when required by state law
    2. When 42 CFR Part 2 applies, the exceptions for releasing information without a signed authorization are as follows:
      1. Internal communications with those who need to know
      2. Pursuant to a court order 
      3. Medical emergencies (disclosure must be documented), or when there is a declared natural or other major disaster
      4. To report a crime or threats against to law enforcement
      5. To report child or elder abuse or neglect when required by state law
      6. Auditing activities related to Part 2 programs by government, payers or other lawful entities
      7. For research purposes
      8. To a qualified service organization

B. The provision of treatment is not conditioned on the receipt of an authorization except in the following limited circumstances:

  1. The provision of research-related treatment, or
  2. The provision of healthcare that is solely for the purpose of creating PHI for disclosure to a third party (i.e. performing an independent evaluation at the request of an insurer or other third party)

C. When a request to release information is received, the Privacy Officer, or authorized representative, will ensure that the authorization form is valid and complete.

  1. If the authorization is valid, records will be released within 30 days of the request. If more time is needed, the patient or requestor will be provided with written notification and reason for the delay. Thirty (30) additional days can be taken to complete the request.
  2. If the authorization is not valid, the requestor will be notified of the missing elements. 
  3. It is preferable, but not required, that the requester use the Rula Authorization for Release of Information form when requesting records be released. 
  4. An Authorization for Release of Information form cannot be modified after the patient or patient’s authorized representative signs it. 
  5. The Authorization for Release of Information form will be part of the patient’s designated record set.  
  6. It is not permissible to request the patient sign a blank Authorization to Release Patient Information form to be filled out at a later time.

D. Revocation of Authorization for Release of Information

  1. A patient may revoke an authorization at any time in writing. 
  2. Upon receipt of the written revocation, the Privacy Officer or authorized team member will write the effective date of the revocation on the original Release of Information form. 
  3. Upon receipt of the written revocation, a patient’s PHI will no longer be used or disclosed pursuant to the authorization. 
  4. The revocation will become part of the patient’s designated record set. 

Was this article helpful?

0 out of 0 found this helpful