Welcome Policy User | Behavioral Health & Developmental Disabilities
Tutorials | | What's New

Viewing: Authorization for Release of Information (ROI) Forms, 23-110

Table of Contents

Current Status: Active PolicyStat ID: 1440738

Authorization for Release of Information (ROI) Forms, 23-110


State laws and regulations on confidentiality of mental health, developmental disabilities, and addictive disease information, as well as other health information, govern the Department of Behavioral Health and Developmental Disabilities (DBHDD) and its facilities, as defined herein. DBHDD is also a "covered entity" as defined in, and as governed by, the Health Insurance Portability and Accountability Act of 1996 and its regulations (HIPAA).

This policy is therefore applicable to any facility or program that is a part of DBHDD, including the state office, regional offices, state operated DBHDD hospitals and any state operated community programs. All employees, agents, trainees, volunteers and contractors of DBHDD shall abide by federal and state laws and regulations regarding confidentiality, relevant DBHDD policies and procedures, and all federal laws regarding the disclosure and use of confidential and protected health information. DBHDD providers, as defined herein, who are under contract or have a letter of agreement with DBHDD through DBHDD and its Regional Offices have an independent duty to follow state confidentiality laws; if they are also covered entities under HIPAA, they have an independent duty to follow HIPAA and its regulations. If they also conduct business functions on behalf of DBHDD, they are also business associates of DBHDD and must comply with applicable provisions of the HIPAA through a Business Associate Agreement with DBHDD.


Confidential medical records and other protected health information may be requested by individuals who have received services or by other parties. Protected health information about individuals may be disclosed on the basis of a valid authorization signed by an individual who has capacity to sign, or by a person authorized by law to sign for the individual. DBHDD has an official form Authorization for Release of Information that meets the requirements of the Health Insurance Portability and Accountability Act of 1996 and its accompanying regulations (HIPAA). The official form is to be utilized when DBHDD is requesting that an individual or authorized person sign an authorization for release of information. When an individual is requesting release of information of records from a DBHDD state owned or operated facility, the official form should be utilized.

When there is a regular or frequent need for Authorization for Release of Information for a certain type of transaction, such as for the DUI Intervention Program, DBHDD can create an official authorization form that is partially completed (for instance, stating the recipient of information, the purpose of the disclosure, etc.). Staff may request that such a specific-use Authorization form be created and placed in this Policy for ease of access and use.

Authorization forms that are not official DBHDD forms included in this policy must be reviewed for compliance with HIPAA; staff should contact the hospital attorney, an attorney in the DBHDD Office of Legal Services, or the DBHDD HIPAA Privacy Officer for assistance.


Authorization - Permission by an individual or a person legally authorized to consent on the individual's behalf, to the release or use of protected health information relating to the individual.

Disclosure - The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. Disclosure includes the affirmative verification of another person's communication of individually identifiable health information, or the communication of any information from the record of an individual who has been identified. "Release" also means disclosure, for purposes of this policy.

Individually identifiable health information - Any information, including demographic information collected from an individual, that is (1) created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Individually identifiable health information contains some or all of the following identifying elements:

  • Name 
  • All address information 
  • Zip codes 
  • E-mail addresses 
  • Dates (except year) directly related to an individual, including dates of birth, admission, discharge, death 
  • Age, if over 89 years 
  • Telephone numbers 
  • Fax numbers 
  • Social Security number 
  • Medical record numbers 
  • Health plan beneficiary numbers 
  • Account numbers 
  • Certificate numbers 
  • License numbers 
  • Device identifiers 
  • URLs 
  • IP addresses 
  • Facial photographs 
  • Biometric identifiers 
  • Any other unique identifying number, characteristic, or code

Protected Health Information - All individually identifiable health information (e.g., name, diagnosis, medical record number, billing information, etc.) that is transmitted or maintained by a covered entity in any form or medium, including orally. See "individually identifiable health information," above. Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by DBHDD in its role as employer. Protected health information also excludes information regarding an individual who has been deceased for more than 50 years; however, such information remains confidential and private under state law and under federal laws protecting confidentiality of alcohol and drug abuse patient records, and may not be disclosed without authorization or a legal exception to confidentiality.

Provider - Organizations or persons approved to serve individuals with mental illness, developmental disabilities and/or addictive diseases, wherein those services are financially supported in whole or in part by funds authorized through DBHDD. Providers typically have a contract or letter of agreement with DBHDD. (NOTE: For purposes of this policy, the term "provider" means only those entities which have contracts, letters of agreement or other legal or funding arrangements with DBHDD. See the separate and more general definition for "health care provider" as that term is used in this policy.)

Records - Any information, whether recorded or not, received or acquired in connection with an individual's treatment or services. "Records" includes administrative and other documentation (such as incident reports) that relates to and identifies an individual, regardless of whether it is part of the individual's clinical record.

Release - See definition of "disclosure."


  1. Below is the list of Authorization for Release of Information Forms based on their specific purposes:
    1. Standard Authorization for Release of Information (Attachment A).
    2. Driving Under the Influence (DUI) Intervention Program authorizations:
      1. Authorization for Release of Information for DUI Intervention Program to Provider (Attachment B1).
      2. Authorization for Release of Information to DUI Intervention Program (Attachment B2).
    3. Georgia Health Information Network (GaHIN) Authorization (Attachment C). For additional information, please see Georgia Health Information Network (GaHIN), 23-109.
  2. Staff who have identified a regular or frequent use of the official standard Authorization for Release of Information form may request development of a specific-use authorization form by contacting PolicyQuestions, the DBHDD HIPAA Privacy Officer, an attorney in the DBHDD Office of Legal Services, or their local HIPAA Coordinator.
  3. All official DBHDD specific-use authorization forms must be included in this policy. Staff will be instructed to access the form from this Policy or print copies from this Policy for regular use.
  4. In all cases, whether authorization is documented on a DBHDD form or a form prepared elsewhere (such as by the individual's attorney), disclosure of protected health information will comply with DBHDD policies and applicable state and federal laws and regulations.


42 United States Code Annotated, 290dd-2

42 C.F.R. Part 2

45 C.F.R. § 164.508.

Official Code of Georgia Annotated §§ 37-3-166 (Mental Illness); Chapter 4 of Title 37; 37-4-125 (Developmental disability); Chapter 7 of Title 37; 37-7-166 (Substance Abuse)

Rules and Regulations of the Department of Human Resources, Chapter 290-4-6, "Patients' Rights"; and Chapter 290-4-9, "Clients' Rights."


HIPAA and Confidentiality - All Policies, 23-000

Confidentiality and HIPAA, 23-100

Notice of Privacy Practices, 23-101

Confidentiality and HIPAA Privacy Complaints, 23-103

Disclosure of Confidential and Protected Health Information, 23-106

Confidentiality and HIPAA Practices Involving Business Associates, 23-107

Rights of Individuals regarding their Confidential and Protected Health Information, 23-105

Georgia Health Information Network (GaHIN), 23-109


Approval Signatures

Approver Date
Joetta Prost, Ph.D.: DBHDD Policy Director 3/31/2015
Betty Bentley Watson: Privacy Officer 3/30/2015
Joetta Prost, Ph.D.: DBHDD Policy Director 3/30/2015
Older Version Approval Signatures
Approver Date
Joetta Prost, Ph.D.: DBHDD Policy Director 3/31/2015
Betty Bentley Watson: Privacy Officer 3/30/2015
Joetta Prost, Ph.D.: DBHDD Policy Director 3/30/2015
Older Version Approval Signatures
Joetta Prost, Ph.D.: DBHDD Policy Director 1/7/2015