Autumn 2025 Issue

Release of Information: Building Quality Control
By Joe Licata
For The Record
Vol. 37 No. 3 P. 32

Release of information plays a deceptively quiet role in health care. You could say it operates in the shadows of EHRs, impacting revenue cycles from behind the scenes. But when fulfilling a medical record request goes wrong, the consequences are anything but quiet.

Getting release of information right is nonnegotiable, and accuracy is your best line of defense if you want to avoid penalties, patient dissatisfaction, or even reputational damage. If you’re not prioritizing quality at every step of your release of information process, that needs to change now.

Quality Control Matters
One thing all HIM professionals can agree on is this: The potential for error when releasing medical records is huge—and so are the consequences of noncompliance.

Compliance standards set by HIPAA and other regulations directly inform release of information requirements. Some of these standards establish firm deadlines (30 days is common but not the limit in all scenarios) and identify the clinical data that must be included or excluded from a record request (note: information blocking and 42 CFR Part 2, respectively).

The right quality control process is what stands between a smooth, compliant medical record release and a costly mistake, and the risks of skimping on quality control are high.

Quality Control Principles
The following four principles provide the structure HIM teams need to execute release of information operations with precision and efficiency:

• Accuracy: Every record request must match the right patient, the right date(s) of service, and include all relevant clinical data.

• Timeliness: Requests must be delivered by the shortest applicable deadline set by HIPAA or state law to avoid delays that could impact patient care or legal proceedings.

• Consistency: Processes must be standardized across all locations, staff, and systems to reduce variability and ensure uniformity.

• Accountability: Monitoring request status and the release of information process keeps requestors informed as they wait to receive their records.

Best Practices
Most HIM teams have their own processes for quality control, but the key to success with any workflow is that it has to follow a well-documented structure. Let’s break down some key features that should be considered for any quality control process.

Standardizing and Documenting Processes
The first step to establishing a rock-solid release of information process is to ensure that everyone on the team is following the same plan, especially across larger enterprises. And what is the best way to streamline organizationwide workflows? Document, document, document!

Standard operating procedures (SOPs) documentation should include checklists for verifying requestor identity, matching patient demographics, handling different request types, and flagging missing authorizations. You can take this even further by including decision trees for complex scenarios that your team might run into more often than you realize, such as the following:

• handling record requests for minors;
• third-party or attorney requests; and
• the status of complex behavioral health requests.

Multitiered Review Process
It isn’t enough to simply pull the data from a medical record; once a request has been through its initial process, it’s time for a comprehensive review. Every request, regardless of how small or simple it may be, should go through multiple rounds of quality control to ensure the right data has been pulled for the right patient.

Any well-rounded release of information process will incorporate a multilayered system for quality control. This could look like one team member preparing the record package, while another independently reviews it before release. A request may then be analyzed using machine learning or another type of technology to identify any possible human errors. Sensitive, high-priority requests should generally undergo an additional layer of review by a senior specialist or legal counsel.

Quality Control Technology
Human oversight is essential for release of information processes, but technology can support HIM teams as an extra layer of protection against inaccuracies or human errors. Machine learning and AI can evaluate patient records to make sure all data lines up, while interactive dashboards can provide insights into request statuses.

Training, Training, Training
It might sound simple, but making sure your staff is trained in all aspects of HIPAA and release of information regulations is a great place to start. Many HIM professionals receive training when they first start their career, but keeping this knowledge up to date with semiannual reviews is just as important as their initial onboarding.

All HIM training should include HIPAA fundamentals and how to engage with real-world scenarios to build critical thinking skills and practical problem-solving.

Internal Audits and Metrics
If you’re not going back and updating (or at least reevaluating) your processes at a regular cadence, now is the time to go back and review those SOPs! Conducting regular internal audits plays a key role in identifying common patterns and mitigating errors. Some data you can pull to gauge the effectiveness of your current release of information process can be the following:

• error rate (rereleases or corrections);
• turnaround time by request type;
• percentage of requests escalated due to ambiguity or errors; and
• patient satisfaction scores.

Maintaining a Continuous Feedback Loop
An effective quality control process shouldn’t just catch errors; it should also learn from them. Every quality issue your team notices should be documented, analyzed for trends, and drive corrective action. Having a continuous feedback loop allows your process to change and evolve as you have more inputs and real-world examples.

Critical Quality Control
Every release of information request must be accurate and adhere to compliance standards, but there are some scenarios where deadlines or legal complexities call for an extra level of attention and detail.

Behavioral health and substance use records require stricter confidentiality protections under federal and state laws than general medical records. In general, this means that a purpose-specific authorization is required, along with a careful evaluation to ensure that sensitive information isn’t disclosed without proper consent. The Reproductive Health Final Rule, which went into effect in late 2024, also requires a separate attestation for certain request types to ensure that health care records are not being requested for a prohibited purpose under the Final Rule.

Requests involving minors, legal guardians, or other third parties also introduce a layer of legal complexity that makes quality control vital. Determining who has the legal right to access a minor’s records can vary by state, age, and by the type of care received (such as reproductive health or behavioral health services). Mistakenly disclosing a record to an unauthorized party can compromise patient privacy and expose organizations to liability.

Final Thoughts
It’s no secret that release of information is complex. With so many moving parts between legal requirements, authorizations, and an ever-increasing trend toward interoperability, everyone in HIM walks the tightrope between protecting patient data and making sure the right people can access health information when it’s needed.

Even if quality control was already on your radar, HIM teams can still find themselves getting stuck or not knowing where to even begin. Following these strategies and keeping your quality control process fluid and evolving can solve a lot of problems—or prevent problems altogether.

As we all work together to improve quality control in our own processes, it helps to come back to the heart of release of information: getting the right records to the right patient, when they need them.

— Joe Licata is the chief operating officer and general counsel for HealthMark Group. He is an active member of the Alliance for Health Information Operations and Standards, the Association of Corporate Counsel, and the Texas Bar Association, Health Law Section.