Protecting Patient Privacy Through Responsible Access to Health Information

Healthcare is undergoing a historic digital transformation. Advances in interoperability, data sharing, and health information exchange have the potential to improve care coordination, reduce administrative burden, and empower patients with greater access to their health information.

As healthcare becomes increasingly connected, progress depends on a critical safeguard: a patient’s record should reach only the requester authorized to receive it, through a pathway that ensures accuracy and privacy. 

The Release of Information (ROI) industry operationalizes that critical safeguard across the healthcare ecosystem. Every year, ROI professionals process millions of requests for medical records on behalf of hospitals, health systems, and physician practices. Their role extends far beyond simply producing medical records. They serve as an important line of defense to protect patient privacy, enable compliance, and validate that sensitive health information is released appropriately. Datavant alone fulfills roughly 50M requests annually.

Before a record goes out, ROI professionals verify the requester’s identity and legal authority, review the authorization (where available), confirm the applicable federal and state requirements for disclosure, and determine the scope of what may be released. Record requesters include patients, attorneys, insurance carriers, government agencies, disability administrators, employers, life insurers, and more. A patient retrieving their own chart, an attorney with a signed authorization, a payer coordinating care, and a commercial data broker all require a different evaluation. 

Failing to appropriately vet every requester can lead to sensitive records ending up in the wrong hands under cover of a legitimate-sounding purpose. In our experience, many types of record requests require careful review to support compliance with HIPAA, state privacy laws, court orders, and patient expectations. 

The stakes for this work are high. Compliant ROI is increasingly important as healthcare organizations face growing cybersecurity threats, identity fraud, and bad actors who are commercially motivated to harvest patient data through improper means.

Recent developments in the healthcare data interoperability landscape have highlighted the importance of maintaining strong safeguards around access to medical records. In the ongoing Epic v. Health Gorilla litigation, the company GuardDog acknowledged in court filings that its business model involved requesting, reviewing, and summarizing medical records and providing those summaries to law firms, while asserting a “treatment” purpose to access records through a national interoperability network. Regardless of the outcome of the litigation, the case underscores a broader point: healthcare organizations must have confidence that entities accessing sensitive medical information are doing so under appropriate legal authority and with proper oversight.

Tested ROI workflows help instill confidence in a process that is rarely straightforward. For example, releasing a minor’s record is often one of the hardest calls for a ROI professional. When a parent requests their teenager’s chart, the custodian cannot simply grant or deny it. Most states let minors consent to specific care that can be confidential from the parents, this can include reproductive health, mental health, or substance use services. Adding to the complexity, the legal ground also continues to shift under the industry. 

As healthcare continues to modernize, strong privacy protections remain essential: patients deserve confidence that their most sensitive information is protected, healthcare providers deserve reliable processes for validating requests, and organizations entrusted with health information must continue to maintain rigorous standards governing access and disclosure.

The Release of Information industry plays a vital role in achieving these objectives. By serving as an independent layer of review, verification, and compliance, ROI professionals help ensure that medical records are released securely, accurately, and only to authorized recipients. These safeguards protect patients, support healthcare providers, and strengthen trust throughout the healthcare system.

At Datavant, we remain committed to advancing responsible access to health information while preserving the privacy protections that patients, providers, and healthcare organizations rely upon every day.