Since the HHS Office for Civil Rights (OCR) launched its Right of Access Initiative in September 2019, it has resolved more than 45 enforcement actions against covered entities that failed to give patients timely copies of their own records. Settlement amounts have ranged from the low tens of thousands of dollars to more than $200,000, and the typical fact pattern is depressingly consistent: a patient asks for records, asks again over a period of months, and finally complains to OCR, which then finds that the organization never had a working process for handling access requests at all. Release of information (ROI) is a core component of the HIPAA Privacy Rule that too many covered entities treat as optional.

If your organization handles PHI, and every covered entity does, your release of information processes need to be airtight.

What Release of Information HIPAA Rules Actually Require

The Privacy Rule at 45 CFR § 164.524 establishes a patient's right to access and obtain a copy of their protected health information maintained in a designated record set. This includes medical records, billing records, insurance enrollment data, and other records used to make decisions about individuals.

When a patient submits a valid request, your covered entity must act on it within 30 calendar days of receipt: either provide the records, or give a written denial that states the basis and explains any review or complaint rights. A single extension of up to 30 days is permitted only if, within the original 30-day window, you give the individual a written statement of the reasons for the delay and the date by which you will complete the request. There is no second extension. Treat 30 days as the outer limit, not a target: many state laws impose shorter deadlines, and a request that sits in a queue for three weeks before anyone looks at it is already at risk.

Your organization must provide the records in the form and format the patient requests if they are readily producible in that form, and otherwise in a readable hard copy or another form the two of you agree on. If a patient asks for an electronic copy and your EHR can export one, you cannot force a paper release. The same section also gives patients the right to direct that a copy be sent to a third party they designate. OCR was explicit about all of this in its 2016 guidance on individuals' right of access, which is the baseline its investigators apply in Right of Access cases.

Authorization vs. Permitted Disclosures: A Critical Distinction

Not every release of information requires a signed patient authorization. The Privacy Rule at 45 CFR § 164.502 permits disclosures without authorization for treatment, payment, and healthcare operations (TPO). It also permits disclosures required by law, for public health activities, and in certain other limited circumstances outlined in § 164.512.

However, any disclosure that falls outside these categories, such as releasing records to a patient's employer for non-workers' comp purposes, to a life insurance company, or for marketing, requires a valid written authorization that meets every element specified in 45 CFR § 164.508. Disclosures of psychotherapy notes and any sale of PHI also require authorization, with narrow exceptions. A compliant authorization must be written in plain language and include:

  • A specific and meaningful description of the PHI to be disclosed
  • The person or class of persons authorized to make the disclosure
  • The person or class of persons to whom the disclosure will be made
  • The purpose of the disclosure ("at the request of the individual" suffices when the patient initiates it)
  • An expiration date or expiration event
  • The individual's signature and the date (or the signature of a personal representative and a description of their authority)
  • A statement of the right to revoke in writing, and how to do so
  • A statement that treatment, payment, enrollment or eligibility will not be conditioned on signing, or, where conditioning is permitted, the consequences of refusing
  • A statement that PHI disclosed under the authorization may be redisclosed by the recipient and no longer be protected by the Privacy Rule

The individual must also be given a copy of any authorization you ask them to sign.

Using a generic, catch-all authorization form is a compliance risk. OCR expects specificity. If your authorization forms have not been reviewed recently, that is a gap you should close now.

The Minimum Necessary Standard in Every Release Decision

One of the most frequently violated aspects of release of information HIPAA compliance is the minimum necessary standard under 45 CFR § 164.502(b). When your workforce discloses PHI, they must limit the information released to the minimum amount necessary to accomplish the purpose of the disclosure.

This standard applies to disclosures for payment, healthcare operations, and most other permitted purposes. It does not apply to disclosures to or requested by a treating provider, to disclosures made to the individual (or their personal representative) under the access right, to disclosures made under a valid § 164.508 authorization, to disclosures required by law, or to disclosures to HHS for compliance purposes. That distinction matters in ROI: a records request from the patient gets the whole designated record set the patient asked for, while a request from an insurer or attorney without an authorization gets only what the stated purpose requires. Healthcare organizations consistently struggle with operationalizing this, particularly in health information management departments processing high volumes of third-party requests.

Your policies must define who in the workforce has authority to make release decisions and what categories of PHI are appropriate for routine, recurring disclosures. Without these role-based access controls documented, you are exposing your organization to a potential HIPAA violation in every release.

Business Associate Obligations When Outsourcing ROI

Many covered entities outsource release of information functions to third-party vendors. If your organization does this, that vendor is a business associate and must be operating under a compliant business associate agreement (BAA) per 45 CFR § 164.502(e).

The BAA must specify how the business associate will handle PHI, what safeguards are in place, and how breaches will be reported. Under the Omnibus Rule, business associates are directly liable for compliance with applicable Security Rule and Privacy Rule provisions. If your ROI vendor mishandles a disclosure, your organization shares in the accountability.

Audit your ROI vendor's practices at least annually. Request evidence of their workforce training, breach notification procedures, and technical safeguards. A BAA alone does not insulate you from OCR enforcement.

Fees That Comply With Federal Guidance

Your organization can charge a reasonable, cost-based fee for providing copies of PHI to patients, but the fee structure is tightly regulated. OCR's 2016 access guidance clarified that the fee may cover only the labor of copying (including the labor of creating an electronic copy), the supplies used to create the copy, postage, and the cost of preparing a summary or explanation if the patient agreed to one. You cannot charge retrieval, search, or record-review fees, and you cannot pass through the per-page rates a state law allows for attorney or insurer requests.

As an alternative to calculating actual or average costs, a covered entity may charge a flat fee of no more than $6.50 for electronic copies of PHI that it maintains electronically, as outlined in the same guidance. Note that this patient-rate cap applies to copies provided to the individual; after Ciox Health v. Azar (D.D.C. 2020) vacated the part of the 2016 guidance that extended it to patient-directed sends to third parties, OCR no longer enforces the cap on those third-party directives. Overcharging patients for their own records has been a basis for OCR complaints and corrective actions, so publish your fee schedule and be able to show how each number was derived.

Workforce Training Gaps That Lead to ROI Failures

Every release of information HIPAA failure I have seen traces back to a workforce training deficiency. Front desk staff who do not understand authorization requirements. HIM employees unfamiliar with the minimum necessary standard. Managers who think a 90-day response timeline is acceptable.

The Privacy Rule at 45 CFR § 164.530(b) requires that covered entities train all workforce members on policies and procedures related to PHI — and that includes ROI workflows. Training must happen at onboarding and whenever material changes occur. Enrolling your team in a structured HIPAA training and certification program ensures they understand both the legal framework and the practical steps for compliant disclosures.

If your organization has not refreshed its release of information training in the past 12 months, the risk is compounding. OCR investigators routinely request training records during audits and complaint investigations.

Build a Compliant ROI Process Before OCR Comes Knocking

Start with a thorough risk analysis of your current release of information workflows. Map every point where PHI leaves your organization — patient requests, attorney subpoenas, insurance company inquiries, business associate transfers. Identify which disclosures require authorization and which fall under permitted uses.

Then verify your Notice of Privacy Practices accurately describes patients' right to access their records and your fee structure. Update your authorization forms to meet every element required under § 164.508. Document your minimum necessary policies with specificity.

Finally, invest in ongoing compliance infrastructure. HIPAA Certify's workforce compliance platform gives organizations the tools to train, track, and verify that every team member handling release of information HIPAA obligations is equipped to do so correctly — before a complaint triggers an OCR review.

The regulatory expectations are clear. The enforcement trends are accelerating. Your organization's release of information practices either meet the standard or they don't. Now is the time to verify which side of that line you are on.