Release of Medical Information

Apr 9, 2021 | Case Management, Open Source, Uncategorized


Organizations that process medical Release of Information (ROI) requests are racing against time to respond to requests within 30 days and meet HIPAA compliance regulations. Failure to respond on time is frightening as the HHS lists settlements spanning from $10 to $16 million.

While Requestors do pay for the copying and distribution of their data, this cost is just the tip of the iceberg. The vast cost of identity verification, tracking information, passing through PII filters, determining which Requestor gets access to what level of details, etc. is the lion’s share of the cost. According to some agencies, the actual cost vs. the billed fees has a 500% difference. These organizations end up doing the work and paying for the service.

Found between a rock and a hard place, organizations that process medical ROI requests have only one way to look for help: technology.

What is Release of Information (ROI)

In a nutshell, ROI is a legal framework allowing patients/insurance companies/attorneys to request and gain access to medical and billing records held by healthcare providers. They can submit an ROI to a healthcare provider, and the organization is mandated by law to respond to this request within 30 days.

For better reference, here are a few direct quotes from the HIPAA Medical Records page (emphasis mine):

  • The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.
  • A provider cannot deny you a copy of your records because you have not paid for the services you have received.
  • However, a provider may charge for the reasonable costs for copying and mailing the records. The provider cannot charge you a fee for searching for or retrieving your records.
  • If you think the information in your medical or billing record is incorrect, you can request a change, or amendment, to your record. The health care provider or health plan must respond to your request. If it created the information, it must amend inaccurate or incomplete information.
  • If the provider or plan does not agree to your request, you have the right to submit a statement of disagreement that the provider or plan must add to your record.

So, release of medical information is a complex two-way operation that healthcare providers and health plans must perform every time a client makes an ROI request.

While the complexity of the task is daunting in and of itself, there is added legal pressure. As scary as this sounds, it is not the biggest problem. The major challenge in processing these release of medical information requests is the complexity of the task and the granularity of the legal framework.

In the sections below, we will first go over the legal challenges and then the technical complexity of gathering the requested information.

Legal Challenges of Processing ROI Requests

The US has adopted the ROI as a way to enable citizens to gain access to their medical files in a reasonable timeframe. However, there is no standardized state privacy law that would be accepted by all 50 states and territories. Each state sets its own rules on who gets access to medical data and the extent of detail that different entities can receive, and has different rules about specific medical information, like HIV details.

This legal complexity means that organizations need to set processes in place so that employees can do their job on time and within the law using complex policies and workflows.

According to AHIMA, unfortunately there is no cookie-cutter approach to managing requests of medical information. However, there are specific tasks that can ensure acceptable and compliant performance. These include:

  • Comprehensive facility-specific procedures that are documented, current and easily accessible to staff
  • Access to appropriate state and federal regulation references
  • Training programs for new staff members
  • Education programs for current staff members
  • Regular review of work performed to ensure standards are met
  • Compilation of performance statistics
  • Routine feedback to individual ROI staff regarding performance criteria
  • Solicitation of feedback from requestor

In such a complex landscape, health information managers (HIM) struggle to strike the right balance between preserving patient privacy, timely sharing of medical information and maintaining legal compliance.

Technical Challenges of Processing ROI Requests

Usually, people who are not hands-on processing ROI requests think that the healthcare institution has all the records neatly organized in a single filing system. Then retrieving this information boils down to a few clicks, and that’s it.

HIMs would dream of such a scenario because the reality is that hospitals keep records in different specialized systems spanning from electronic medical records (EMR) systems, X-Ray images, audio/video recordings, digital files, microfilms, printed files, etc. This reality means that even getting to the required record is a challenge. Not to mention the rest of the workflow of performing all the legal checks mentioned in the previous section, combining all the requested information through an auditable process, and finally securely providing the records to the Requestor.

According to a survey performed by the Green Mountain Care Board from Vermont, the process of answering ROI requests is far more complex.

Until recently, the primary data storage device was paper. Now, medical facilities face a significant cost of digitizing all their historical data in a single, unified document management system, and cost seems to be the reason why many organizations say they will continue using the existing hybrid approach to document management.

Furthermore, the ROI processing cost is high because medical documents are not straightforward (i.e. they are not standard forms). When a patient requests a few years’ worth of medical data, a skilled health information manager needs to review each document that the facility has on the patient before releasing that information.

Things are even more complex when a third party is requesting medical information. In this scenario, the organization must ensure that no medical information is released without verifying that the requestor has the right to view that data under state laws. This means that the healthcare provider needs to have highly skilled staff who know HIPAA and state laws and can perform these reviews.

Lastly, unfortunately, 50% of the medical facilities from the survey responded that having an EMR system does not make ROI processing easier. This, however, isn’t because the EMRs are to blame. It’s the old problem of having hybrid data management and the high up-front cost of digitizing everything into a single data storage location.

The Financial Challenge of ROI Processing

Most of the time when we hear of Requestors complaining about high fees, they’re talking about paying for ROI requests.

While each state has different regulations about what and how much Requestors get to pay, the breakdown of costs, as mentioned previously, is only covering the cost of copying/printing and mailing the packages.

There are law firms that compile these figures, but there’s also the US Government Accountability Office that issues updates on fees and pricing that facilities can include in their invoice for any ROI. While Requestors claim the fees are too high, medical facilities have a different story to tell.

According to the Green Mountain Care Board survey mentioned above, one provider reported that annual costs for fulfilling requests totaled $273,000, 93% of which was devoted to paying full-time healthcare IT professionals. This total doesn’t include service fees for its third-party ROI vendor. Another provider estimated its total annual ROI costs at $242,000 with a total revenue at $47,600.

Practically, for every $1 billed to the Requester, medical facilities have processing expenses of $5. This cost cannot be transferred to the Requestor given the regulations controlling ROI billing. So, medical facilities end up amassing expenses that are strictly tied to ROI processing.

Failing to comply is not an option. HHS is strict about ROI processing. Their website is a testament to the serious dedication to enforce compliance by medical facilities. The HHS compliance enforcement agreements page shows just how expensive it is to not comply with how facilities handle the ROI issue:

  • 2018: $28 million in settlement fees, with the highest-ever $16 million settlement, a three-fold increase from the previous $5.5 million settlement back in 2016
  • 2019: $13.3 million in settlement fees spread across 12 settlement cases
  • 2020: $13.5 million in settlement fees by November 20th, spread across 13 settlements

It seems that medical facilities are under pressure from all sides. Requestors, using the legal framework, have the right to get their medical files. But the legal framework is very strict about the timeframe and the costs transferred to the Requestor. Medical facilities are then faced with a race against time to find all the information, filter out any information the Requestor is not entitled to see, and send the response on time and under budget.

The only solution for this problem is automation via technology.

Sharecare: Technology Solution for ROI Processing

Who here hasn’t heard of Dr. Oz? Anyone with a TV at home probably knows him, and at least some of us have seen his shows more than once.

Other than being a TV celebrity, Dr. Oz is actually one of the people behind Sharecare, “the leading digital health company that helps people manage their health in one place.” More specifically, Sharecare Health Data Services (HDS) is a provider of secure electronic exchange, delivery and integration of protected health information (PHI). Among other things, Sharecare HDS is a medical release of information (ROI) provider.

As a platform, Sharecare is patient-centric. This means it’s built with ease of use in mind, so just about anyone with a computer and an internet connection can use their platform to submit an ROI. This approach enables Sharecare to boast 99.999% quality delivery. This client-centered platform helps healthcare providers and their patients with quick and easy ROI processing, effectively eliminating almost all risk and drastically reducing the cost of ROI processing. As a SaaS platform, Sharecare HDS handles all the data using a secure AWS cloud infrastructure, which means eliminating most of the cost organizations face under a hybrid data management deployment.

By eliminating human errors associated with data breaches, Sharecare’s system helps organizations minimize legal fines. As Sharecare claims, “We have specific Cash Flow Cycle improvement processes built around safely releasing medical records where claims have been denied which drive reduced reimbursement times.”

ArkCase: Technology Provider Behind the Sharecare Solution

ArkCase is an open-source, industry-agnostic case management system built to scale as needs grow. With built-in case workflows and workflow builders, ArkCase can adapt to any data-driven process with multiple points of data entry and multiple access levels, and the entire process is auditable from start to finish.

This is why Sharecare opted for using ArkCase. In one product, Sharecare gets all the functionality needed to enable key end-user features like:

  • Personalized dashboard
  • Reporting and analytics
  • Automated queue-based workflows with integrated business rules
  • Integration with Microsoft Dynamics CRM
  • People and organization management
  • Document management with annotation and redaction
  • Electronic delivery with MFA
  • Collaboration with role-based access control
  • Fax integration with document OCR
  • Indexing and metadata extraction
  • Document categorization
  • Full auditability of workflows
  • Encryption of information throughout the process
  • Automated updates/notifications of requestors, case managers, auditors
  • Integration with billing system


Medical Release of Information can be a serious drain on resources for healthcare organizations. It has been a significant liability for healthcare organizations that violate the rules. Over the past few years HHS reports increased settlement fees that organizations have to pay to people who think their rights have been ignored.

Since processing ROI requests costs up to five times more than what organizations can bill the end-users, this problem can only be solved with technology automation: more specifically, with an open case management system that uses workflow automation and advanced document management capabilities.

Sharecare HDS, one of the largest ROI service providers, is a leading solutions provider for healthcare organizations. Sharecare HDS has partnered with Armedia, a veteran-owned small business, to modernize and automate their ROI processes using ArkCase, an open-source case management system. Healthcare organizations looking to automate their ROI processing need look no further than Sharecare HDS to leverage their solution built on ArkCase.

Armedia, a veteran-owned small business that is CMMI Level 3 and ISO 9001 certified, is a platform-agnostic solutions integrator that has partnered with organizations since 2002 to automate their business processes using COTS and open source technologies. As an AWS Technology and Public Sector partner, Armedia provides the DevSecOps to automate your business processes as well as the configuration management and deployment.

For more information, don’t hesitate to contact us.

