Management Practices for the Release of Information

Exchange of health information is an essential function to the provision of high-quality and cost-effective healthcare. The information should be complete and timely for its intended purpose. While this sounds straightforward, often it is not an easy task in the complex medical and legal environment in which the healthcare community operates. Release of information (ROI) in healthcare is critical to the quality of the continuity of care provided to the patient. It also plays an important role in billing, reporting, research, and other functions.

Many laws and regulations govern how, when, what, and to whom protected health information is released. The HIPAA privacy rule contains specific requirements for the management of health information to ensure confidentiality of the individual; the rule attempts to balance the need for prompt and informed delivery of healthcare services with that of protecting the individual.

Confusion occurs when state laws are mixed into the process. There is no standard, uniform state privacy law in use by all 50 states and the territories. State laws also vary in focus (e.g., HIV or genetic information) as well as degree of strictness or protectiveness of patient privacy. Some states require that additional patient authorization be obtained prior to release, some states do not. This variation in law requires that healthcare organizations develop, implement, and maintain thorough policies, processes, and procedures around ROI.

It is the overall management of those HIM processes that is fundamental to confidentiality, security, and compliance in releasing protected health information. It is crucial that the organization’s policies and procedures include the management practices that support the actual process of disclosure and its oversight. This practice brief discusses key management principles within HIM for the release of information in areas of quality control, productivity management, turnaround times, and backlog management.

Quality Control Practices

Quality control practices should be comprehensive enough to cover the release of information for any purpose. General practices should include the prioritization of any request upon receipt. An effective process incorporates continuity of care releases within the general policy. Whether the release is for continuity of care or a noncare-related purpose, quality control practices should address:

  • Tracking and monitoring the request from receipt through final disposition
  • Processing the request in terms of priority as well as efficiency
  • Completion of the request

These functions should be defined in departmental or organizational policies and should include compliance with all state and federal regulations that may apply to disclosure of health information.

The quality control approaches below are suggested critical actions that can be audited concurrently with the process flow or retrospectively over a period of time. New employees may require concurrent monitoring, while retrospective audit may provide information on training needs. An audit may be performed on a random sample of requests to determine if critical processes described below were performed.

Monitoring Receipt of the Request

Organizations can monitor the receipt of a request for information to determine if staff performed at a minimum the following actions:

  • Recorded the date and time the request was received
  • Identified the date and time the requested information was needed
  • Identified to whom the information was to be sent
  • Confirmed that the request included a valid authorization

Additional activities that assist in monitoring request receipt include:

  • Date and time of receipt is stamped or written directly on the request and recorded in a log so the request can be tracked from its entry into the work queue to its exit as a completed process
  • The minimum tracking data were entered appropriately; for example: patient name, medical record number, date of birth, date and time of receipt, name of requestor, due date, date and time of actual completion, method of transmission, and name of employee completing request

Tracking the Request

Many types of logs may be used to record and monitor request activity, from simple binders to specialized software. Release of information software is designed to facilitate tracking requests through their lifecycle. The software can aid management in monitoring staff performance, turnaround times by type of request, and other measures.

The tracking log referred to here is for management of the business process, not the accounting of disclosures function of HIPAA. Logs may also be created using simple database or spreadsheet programs. Electronic systems provide the ability to analyze data easily for monitoring purposes; for example, they can calculate turnaround time by subtracting the date of receipt from the date of actual completion.

Manual logs are appropriate in facilities that have minimal release of information activity. If manual logs are used, dividers assist in finding the request when updating its status. Dividers may be arranged alphabetically by patient last name or by the day of the month the request was received.

Both arrangements have advantages and limitations. A name is easier to find in an alphabetic listing, but it takes more time to enter and aging requests are more difficult to identify. When organized by the day of the month received, all requests are entered sequentially on that one day. The day of receipt can be marked on the actual request as a quick reference point back to the day for updating the status of the request. Outstanding open requests are easier to identify in this latter format.

It is important to ensure that all pertinent information is captured at the time the request is logged. Staff can flag requests for continuing care to distinguish them from the other types of requests routinely received, such as third-party payer, legal, and research requests.

Staff should prioritize requests by the date and time needed as they receive them. Requests for continuity of care require scrutiny in order to assign their appropriate placement in the priority queue. When this information is contained in the body of the request, it can be recorded in a consistent location to aid staff in organizing their work.

Processing the Request

Key elements of quality control in the processing of requests include verifying the completeness of the request, the authority of the requestor, the identity of the patient, and the appropriateness of the information requested.

Review the content. Staff should begin by verifying that requests for information contain all data required by internal policy and state and federal regulations. In all but emergency circumstances, this may include a requirement for a written request for release of medical information. Essential information may include complete and clear:

  • Identification of the patient, including contact information
  • Identification of the entity to which the information is to be provided, including contact information
  • List of information to be released

Verify the legal authority of the requestor . The person or entity requesting information must have legal standing to receive the information requested. Evidence of legal authority may require a witness signature or notary public seal on the request form, evidence of the relationship between the requestor and the patient, documentation from a court of competent jurisdiction, or other means. For requests considered routine (rather than emergency), this may require direct contact with the patient, where the care provider or requesting entity is not known to the healthcare organization processing the request.

Verify the patient. Prior to processing the request, staff must verify the patient’s identification, as provided in the request for release, against the organization’s master patient index to ensure the correct records are retrieved. The patient’s legal name, date of birth, gender, Social Security number, address, telephone number, guarantor, subscriber, or next-of-kin are key identifying elements that assist in establishing the proper individual. When there are multiple individuals whose demographics are similar, staff should complete additional investigation, such as comparing patient signature on the consent with consents contained in the medical record.

Verify appropriateness of information requested for release . Staff should review the content of the information being released to ensure that:

  • An authorization is not required. For patient care, an authorization is not required by HIPAA, but it may be required by state law.1
  • It conforms to the information that is requested.
  • Only the minimum necessary information required to comply with the request is provided.

Information that pertains to behavioral health or substance abuse care falls under more stringent state and federal regulations and requires particular care in the review of the request, authorization for release, and provision of the specified information to the entity designated to receive it.

The individual who reviews the processing of requests may vary by circumstances and the experience of the individual preparing the release. More experienced staff should double-check their own work prior to release, while a new employee may require oversight by a supervisor.

Completing the Request

The final aspect of the quality control process is evaluating the completion of the request. Critical questions include:

  • If the content of the request does not meet the organization’s required elements, was the request returned to the requestor with an explanation of the additional information required?
  • If the content of the request meets the requirements, was the request processed in accordance with the organization’s policies and procedures?
  • Was the information directed only to the individual or entity designated in the authorization for release of the information?
  • Was the information released recorded for internal auditing and record?
  • If a patient picked up the information in person, was there a process in place to verify that person’s identity?
  • Was the information delivered to the designated entity in accordance with the organization’s policies and procedures?

At this point, the request is complete.

Productivity, Turnaround Times, and Backlog Management

Good management of the ROI process requires productivity standards to facilitate continuity of care. These include a turnaround time goal and measures to address backlog management. The content of such standards must conform to applicable state and federal law as well as the organization’s policies, procedures, and mission and business strategies.

The measures enumerated here are guidelines that should be viewed as the minimum essential standards organizations address in developing their internal policies. Organizations may choose to give higher priority to requests related to continuity of care than they accord requests received from other categories of requestors. This priority facilitates the provision of more timely, higher quality, and safer patient care.

Productivity Management

While productivity information may be collected manually, electronic systems offer more tools for data manipulation and can provide individual production statistics, departmental request volumes, and information regarding request turnaround times.

Regardless of method, using statistics to manage productivity requires:

  • Capture of accurate volumes of incoming requests by request type
  • Tracking staff members who complete the various ROI functions
  • Collection of date and time of key processes to determine processing and turnaround times
  • Date and time the information was made available to the requestor
  • Media or method used to deliver the information, such as fax, post, courier, picked up in person, and released electronically.

Managing Turnaround Times

In order to measure the time taken to fulfill requests involving continuity of care, each organization must establish acceptable standards for turnaround time. Standards should vary depending on the type of request. A request on a patient who is in an emergency room or physician’s office requires a much shorter turnaround time than a request for a scheduled appointment the following day or the following month. Organizations determine their internal turnaround time expectations, staff to those requirements, and then measure their compliance over time.

Assembling aggregate data by type of request provides concrete information with which to evaluate compliance. When this parameter is not routinely met, evaluation of processes, request volumes, and staff performance provide information needed to make adjustments.

Backlog Management

Timely fulfillment of requests that ensure continuity of care aligns with the overall mission of most healthcare organizations. Thus these types of requests frequently take precedence over other categories of requestors. Monitoring the volume of backlog requests with the available resources and making appropriate staffing adjustments ensures the patient’s needs are being met.


Release of information processes are often full of questions and require some evaluation before the request can be fulfilled. For HIM professionals, the biggest challenge comes in finding the balance between guarding privacy, maintaining legal compliance, and facilitating quality patient care through information sharing. There is a fine line between them, and it is the knowledge and expertise of the HIM professional that manages that balance.

Whether release of information processes are managed in-house or through a subcontractor, the routine monitoring of ROI procedures and the quality of work performed is good management practice. An organization can write policies and define procedures, but it has no way to know they are working without performing a periodic check-up. There is no “cookie-cutter” approach to requests of information, but there are specific tasks that can ensure acceptable and compliant performance. These include:

  • Comprehensive facility-specific procedures that are documented, current, and easily accessible to staff
  • Access to appropriate state and federal regulation references
  • Training programs for new staff members
  • Education programs for current staff members
  • Regular review of work performed to ensure standards are met
  • Compilation of performance statistics
  • Routine feedback to individual ROI staff regarding performance criteria
  • Solicitation of feedback from requestors

Regardless of the method an organization chooses to evaluate ROI performance, it is the organization’s overall management practices that define the foundation for accurate and compliant release of information.


  1. Hjort, Beth. “Consent for Uses and Disclosures of Information (Updated).” October 2002. Available online in the FORE Library: HIM Body of Knowledge at

Prepared by

Linda J. Bock, RHIA

Barbara Demster, MS, RHIA, CHCQM

Angela K. Dinh, MHA, RHIA

Elisa R. Gorton, RHIA, MAHSM

James R. Lantis, Jr., MHA, RHIA

The information contained in this practice brief reflects the consensus opinion of the the professionals who developed it. It has not been validated through scientific research.

Article citation:
Bock, Linda J.; Demster, Barbara; Dinh, Angela K.; Gorton, Elisa R.; Lantis, James R. Jr.. "Management Practices for the Release of Information" Journal of AHIMA 79, no.11 (November 2008): 77-80.