What Is Release of Information in Healthcare?

Release of information (ROI) in healthcare is the process of sharing a patient’s medical records with authorized individuals or organizations. It covers everything from sending your records to a new doctor, to fulfilling a request from an insurance company, to handing you a copy of your own chart. Every time protected health information leaves a healthcare facility, specific federal and state rules govern who can see it, how it gets shared, and what safeguards must be in place.

How ROI Works in Practice

Most hospitals and clinics have a Health Information Management (HIM) department that handles record requests. When a request comes in, staff verify that it includes proper authorization, identify the specific records being asked for, pull those records from the electronic health record system, review them for accuracy and completeness, and then deliver them in the format requested. Many facilities now let patients generate copies of their own records directly through online portals, which has reduced wait times and shifted some of the workload away from HIM staff.

Requests can arrive by mail, fax, online form, or in person. Facilities use tracking systems to log each request, monitor deadlines, and document exactly what was sent and to whom. This paper trail matters because mishandling a release can result in federal penalties.

The Federal Rules That Govern It

The HIPAA Privacy Rule is the primary federal law controlling how health information gets shared. It applies to “covered entities,” a category that includes most hospitals, clinics, health plans, and healthcare clearinghouses, along with their business associates. Under HIPAA, a provider cannot use or disclose your protected health information (PHI) unless the Privacy Rule specifically permits it or you authorize the release in writing.

There is one major exception to the written authorization requirement: providers can share your information for treatment, payment, or healthcare operations (often called TPO) without asking you to sign anything. That means your primary care doctor can send your lab results to a specialist for a referral, your hospital can submit claims to your insurer, and your clinic can use your records for internal quality reviews, all without a separate authorization form from you.

For anything outside those categories, a signed authorization is required. If an attorney wants your records, if a life insurance company requests your medical history, or if a researcher wants to use your data in a way that isn’t covered by other HIPAA provisions, someone needs your written permission first.

What a Valid Authorization Must Include

HIPAA sets specific requirements for an authorization form to be legally valid. It must be written in plain language and include:

  • A description of the information being disclosed or used
  • The identity of the person or entity disclosing the information
  • The identity of the recipient who will receive it
  • An expiration date or event that relates to you or the purpose of the disclosure
  • A statement of your right to revoke the authorization in writing

The form does not need to be notarized or witnessed. You can revoke an authorization at any time by putting it in writing, though the revocation only applies going forward. It can’t undo a disclosure that already happened while the authorization was still active.

Your Right to Your Own Records

Under HIPAA, you have a legal right to access nearly all of your own health information. When you submit a request, the provider must respond within 30 calendar days. If records are archived offsite or otherwise hard to retrieve, the provider can extend that deadline by an additional 30 days, but must notify you in writing of the delay and the new expected date. Only one extension is allowed per request.

If a provider denies your request in whole or in part, they must also put that denial in writing within the same 30-day window (or 60 days if they claimed an extension).

The 21st Century Cures Act added another layer of protection. It requires healthcare organizations to give patients electronic access to all of their electronic health information, both structured data (like lab values and medication lists) and unstructured data (like clinical notes), at no cost. The law also targets “information blocking,” meaning providers and health IT companies cannot unreasonably prevent or interfere with your ability to access, exchange, or use your health data.

Fees for Record Copies

When you request copies of your own records, HIPAA limits what a provider can charge. Facilities that don’t want to calculate their actual per-page costs can charge a flat fee of up to $6.50 for electronic copies of records maintained electronically. That $6.50 figure is not a universal cap on all record fees. Providers are allowed to calculate actual or average costs instead and may charge accordingly, as long as they stay within the boundaries the Privacy Rule sets. The Cures Act’s no-cost provision applies specifically to electronic access through portals and apps, so there can still be reasonable fees for printed or mailed copies.

Records That Get Extra Protection

Some types of health information carry stricter rules than standard HIPAA requirements. Substance use disorder (SUD) treatment records are governed by a separate federal regulation known as 42 CFR Part 2. These records cannot be used in legal proceedings against a patient without that patient’s specific written consent or a court order, a standard that goes beyond what HIPAA requires. Even the broad treatment-payment-operations exception doesn’t automatically apply to SUD counseling notes. A clinician’s notes from a substance use counseling session, if kept separately from the main medical record, require their own specific consent before they can be shared.

Consent to release SUD records for use in civil, criminal, administrative, or legislative proceedings must be on a separate form. It cannot be bundled with consent for other types of disclosure. This is designed to prevent patients from unknowingly authorizing the use of their treatment records against them.

Psychotherapy notes (a therapist’s private session notes kept separate from the clinical chart) receive similar heightened protection under HIPAA and also require specific authorization before release.

When State Law Applies Instead

HIPAA sets a federal floor for privacy protections, but state laws can go further. When a state law provides greater privacy protections or stronger privacy rights than HIPAA, the state law takes precedence. This is why the rules for releasing mental health records, HIV test results, genetic information, or minor patients’ records can vary significantly depending on where you live. A provider in California, for example, may face stricter requirements than what HIPAA alone demands. Healthcare facilities must follow whichever rule, state or federal, gives the patient more protection.

Third-Party Requests vs. Patient Requests

The process looks different depending on who is asking for the records. When you request your own information, it falls under HIPAA’s right of access rules, with the 30-day timeline and fee limitations described above. When a third party requests your records, such as an attorney, an insurance company, or another organization, the facility needs a valid signed authorization from you (or a legal exception like a court order) before releasing anything. Fees for third-party requests are often higher because HIPAA’s right-of-access fee limits apply specifically to individuals requesting their own records, not to outside parties.

Facilities also handle these requests differently on the back end. Third-party requests typically go through a more detailed review process to verify that the authorization is valid, that the scope of the request matches what was authorized, and that no specially protected records (like substance use or psychotherapy notes) are included without appropriate consent.
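The intake review described here, together with the authorization elements, the 30-day right-of-access clock, and the separate-consent rules for substance use and psychotherapy records covered earlier, can be encoded as a policy check that runs before anything is pulled from the record system. The following is an added, illustrative example and is not any facility's or vendor's code; the record categories, purpose strings, field names, and decision labels are assumptions made for the example, and the rules it encodes are the ones stated on this page.

```python
# Added illustrative example: an ROI intake check that encodes the rules the
# article describes. It is not any facility's or vendor's code; the field
# names, categories and decision strings are assumptions made for this example.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TPO_PURPOSES = {"treatment", "payment", "operations"}  # no written authorization needed
# Categories that need their own specific consent, even for TPO disclosures.
SPECIAL_CATEGORIES = {"sud_treatment", "psychotherapy_notes"}
RESPONSE_WINDOW = timedelta(days=30)  # right-of-access deadline; one extension allowed


@dataclass
class Authorization:
    """The elements a valid HIPAA authorization must carry."""
    description: str                    # what information is disclosed
    discloser: str                      # who is releasing it
    recipient: str                      # who receives it
    expiration: Optional[date] = None   # an expiration date, or ...
    expiration_event: str = ""          # ... an expiration event
    revocation_statement: bool = False  # states the right to revoke in writing
    revoked_on: Optional[date] = None   # written revocation, effective going forward only
    special_consents: set = field(default_factory=set)  # special categories named in the consent
    separate_legal_proceeding_consent: bool = False     # separate form for SUD records in proceedings


@dataclass
class Request:
    requester: str               # "patient" or "third_party" (assumed labels)
    purpose: str                 # "treatment", "payment", "operations", "legal", "insurance", ...
    categories: set              # record categories requested, e.g. {"general", "sud_treatment"}
    received_on: date
    for_legal_proceeding: bool = False
    court_order: bool = False    # the legal exception that can stand in for an authorization
    authorization: Optional[Authorization] = None


def authorization_defects(auth: Authorization, as_of: date) -> list:
    """List reasons an authorization cannot support a disclosure on `as_of`."""
    defects = []
    if not auth.description:
        defects.append("no description of the information to be disclosed")
    if not auth.discloser:
        defects.append("no identity of the disclosing person or entity")
    if not auth.recipient:
        defects.append("no identity of the recipient")
    if auth.expiration is None and not auth.expiration_event:
        defects.append("no expiration date or event")
    if not auth.revocation_statement:
        defects.append("no statement of the right to revoke")
    if auth.expiration is not None and as_of > auth.expiration:
        defects.append("authorization expired")
    if auth.revoked_on is not None and as_of >= auth.revoked_on:
        defects.append("authorization revoked")
    return defects


def response_deadlines(received_on: date) -> dict:
    """Right-of-access deadlines: 30 calendar days, plus at most one 30-day extension."""
    first = received_on + RESPONSE_WINDOW
    return {"respond_by": first, "extended_respond_by": first + RESPONSE_WINDOW}


def evaluate_request(req: Request) -> tuple:
    """Return ("release" | "deny", reasons) for an ROI request."""
    reasons = []
    special = req.categories & SPECIAL_CATEGORIES
    if req.requester == "patient":
        # The patient's own records fall under the right of access and its 30-day clock.
        deadline = response_deadlines(req.received_on)["respond_by"]
        return "release", ["right of access; respond by %s" % deadline.isoformat()]
    if req.court_order:
        return "release", ["court order on file"]
    needs_auth = req.purpose not in TPO_PURPOSES or bool(special)
    if not needs_auth:
        return "release", ["treatment/payment/operations disclosure; no authorization required"]
    auth = req.authorization
    if auth is None:
        return "deny", ["written authorization required and none on file"]
    reasons.extend(authorization_defects(auth, req.received_on))
    # Specially protected records must be named in a specific consent.
    for cat in sorted(special - auth.special_consents):
        reasons.append("%s records not covered by a specific consent" % cat)
    # SUD records used in a proceeding need consent on a separate, unbundled form.
    if req.for_legal_proceeding and "sud_treatment" in special \
            and not auth.separate_legal_proceeding_consent:
        reasons.append("SUD records for a legal proceeding need consent on a separate form")
    return ("deny" if reasons else "release"), (reasons or ["authorization valid and in scope"])
```

The check returns every defect it finds rather than stopping at the first, which is what a tracking system needs to log the reason a release was refused; the deadline helper only ever adds one extension, so a second extension cannot be computed by accident.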