Release of Information software, built for small medical practices
Release of Information (ROI) software helps a medical practice track every patient-records request through intake, authorization, fulfillment, and delivery — to the same 30-day HIPAA deadline that auditors enforce. RCMTask is the only ROI tool built for small and mid-sized practices: transparent pricing ($250 to activate, no per-request fees), every request modeled as an assignable task with an owner and a due date, and a complete audit trail you can hand to an OCR investigator.
HIPAA compliant · AES-256 encrypted · Full audit trail · BAA on every paid tier
What is Release of Information (ROI) software?
Release of Information software (often abbreviated "ROI software") is the system a medical practice or hospital uses to receive, validate, process, and deliver requests for protected health information (PHI). Requests come from patients, attorneys, payers, life-insurance carriers, disability programs, and other healthcare providers. The software has three jobs: prove every release was authorized, deliver on time, and produce an audit trail that satisfies HIPAA and state law.
Who requests medical records — and why it matters
Most practices think of ROI as "patients asking for their records." That is one source. In practice the volume comes from elsewhere: payer audits, attorney requests, disability and Social Security claims, life-insurance underwriting, continuity-of-care exchange between providers, and subpoenas. Payer requests alone grew 36% between 2021 and 2022 and have stayed at year-round high volume — the predictable seasonal spikes are gone.
Why this is a compliance problem, not just an admin problem
Under HIPAA, a practice has 30 calendar days to fulfill an individual's right-of-access request, with one 30-day extension allowed if you give written notice. Miss the deadline and you are exposed to HHS Office for Civil Rights enforcement — the most common penalty type in OCR's "Right of Access Initiative." State laws may shorten the window further. And under the 21st Century Cures Act, practices that drag their feet face information-blocking risk separate from HIPAA.
Why small practices struggle with Release of Information.
Every ROI vendor on the market is built for HIM (Health Information Management) directors at hospitals and health systems. If you are a 5-person family practice, none of them fit your team, your budget, or your buying process. So the work falls back on fax, spreadsheets, and whoever sits closest to the records cabinet.
Fax is still the default
About 89% of medical practices still run a fax machine. Inbound requests arrive on fax, sit in a paper tray, and never enter any tracking system. The "queue" is whoever happens to walk past.
No deadline visibility
The 30-day HIPAA clock starts the day the request lands. Nobody on a fax-and-spreadsheet workflow can answer "which requests are at day 25?" in under a minute — which is exactly the kind of question an OCR investigator opens with.
No proof of authorization
When a payer or attorney disputes a release — or when OCR audits — you need to show that the authorization was valid, that the right records went to the right person, and that the timing was documented. Loose papers do not survive that scrutiny.
Each request becomes a tracked task.
RCMTask models a release-of-information request the same way it models every other piece of back-office work — as an assignable task with an owner, a deadline, a status, and a complete activity trail. That sounds modest. It is exactly what is missing in 90% of practices.
Intake
Log each request — requester, scope, due date, authorization — by hand or imported from your existing channels (fax inbox, portal, email). The 30-day HIPAA clock is set automatically.
Assign & approve
Route the request through a custodian (the staff member who pulls the records) and an approver (typically the privacy officer or a designated supervisor). Each handoff is a tracked status change.
Release & log
Deliver the records through your existing secure channel. RCMTask captures who released, what was released, when, and to whom — with a tamper-evident audit trail.
How to actually meet the 30-day HIPAA deadline.
A four-step routine that any practice — solo, group, billing-company — can adopt this week. RCMTask automates the parts that depend on visibility and reminders; the rest is process discipline.
Day 0 — intake within 4 hours
Every inbound channel (fax, portal, email, in-person) is checked at least twice a day. New requests are logged in RCMTask with the requester, the scope of records requested, and the deadline. The clock starts on the date received, not the date entered — backdate accurately.
Day 1–3 — authorization check + assignment
Confirm the authorization is valid: signed, within its expiration window, properly scoped, and from a party with standing. If anything is missing, the task is moved to a "needs cure" status and the requester is contacted — without resetting the HIPAA clock. Once the authorization is valid, assign to a custodian.
Day 4–14 — fulfill
The custodian pulls the records, verifies completeness against the request scope, and uploads them for approver review. RCMTask shows progress on the dashboard so a supervisor knows on day 10 if anything is at risk.
Day 15–28 — approve + release
The approver confirms the scope is correct (no over-release of unrelated PHI) and the delivery method is authorized. Release occurs through your secure channel and the task is closed with a timestamped delivery confirmation.
Day 29–30 — extension or proof of release
If the release happens on time, the task carries a complete record of every handoff. If you need the 30-day HIPAA extension, RCMTask emits the written-notice requirement automatically and resets the deadline for tracking.
RCMTask vs the enterprise ROI vendors vs DIY.
Most ROI articles compare three or four enterprise vendors with each other. The real choice for a small practice is between an enterprise tool you can't afford to operate, a spreadsheet that won't survive an audit, and RCMTask.
| RCMTask | Enterprise ROI (MRO / HealthMark / ChartRequest) | Spreadsheet + fax | |
|---|---|---|---|
| Pricing visible | Yes: $250 Activation | "Contact sales" | $0 |
| Built for small practices | ✔ | Designed for hospital HIM departments | — |
| Each request is an assignable task | ✔ | Workflows, not tasks | — |
| 30-day deadline visibility | ✔ | ✔ | Manual |
| Audit trail | ✔ | ✔ | Loose paper |
| BAA included | Yes (paid tiers) | Yes (after sales call) | — |
| Per-request fees | — | Common | — |
| Setup time | Same day | Weeks–months | — |
| Survives an OCR audit | ✔ | ✔ | ? |
ROI software vs. your EHR vs. an outsourced ROI service.
ROI software vs your EHR's release module
Most EHRs have a "release of information" feature, but it is designed to push records out — not to manage the full intake-to-delivery lifecycle. EHRs do not track the 30-day deadline as a workflow object, do not route requests through a custodian/approver path, and do not produce an audit trail organized around individual requests. RCMTask sits on top of your EHR: pull the records there, track the request here.
ROI software vs hiring an outsourced ROI service
Outsourced ROI services (some of the vendors listed above offer them) charge per request, typically $1.50–$3.00 per page once you go past free-of-charge thresholds. For a 5-person family practice handling 30 requests a month, that is meaningful money — and you still need to authorize each release, which means the bottleneck has just moved from your fax tray to an inbox the vendor cannot see. RCMTask is appropriate when you want the workflow controlled in-house with the cost ceiling controlled by a flat Activation fee.
What changes for your practice.
- Zero requests aging past the HIPAA 30-day deadline
- Lower compliance risk under the OCR Right-of-Access Initiative
- Clear ownership of every active request
- A complete audit trail per request — exportable to PDF
- Lower per-request cost than an outsourced ROI service
- Visibility for the privacy officer without sitting at the fax
Built for the practice, not for an HIM department.
HIPAA-grade
AES-256 encryption, US-only hosting, BAA on every paid tier, complete audit trail.
Deadline-driven
The 30-day HIPAA clock is built into the data model — not an afterthought.
Defensible trail
Every approval, every release, every handoff is timestamped with the actor and the action.
Layer on top
Works alongside your existing EHR and PMS — no migration, no second login for clinical staff.
Multi-location ready
Role / location / department permissions let a billing company or multi-site group run ROI across tenants from one dashboard.
Task-shaped
Every request is an owned, tracked, due-dated task — the same shape as eligibility, prior auth, denials, and training.
Common questions about Release of Information
What is the difference between "medical records release" and "Release of Information"?
They are the same thing. "Medical records release" is the term patients use; "Release of Information" (ROI) is what HIM (Health Information Management) professionals call it. Most software in this space uses "ROI."
How long does a practice have to fulfill a medical records request?
Under HIPAA, a covered entity has 30 calendar days from the date of the request, with one 30-day extension available if written notice is provided. State laws may be stricter; for example, several states require fulfillment in 15 days for psychiatric records.
What does ROI software actually do?
ROI software centralizes the intake, authorization check, fulfillment routing, delivery, and audit trail for every medical-records request. It does not replace your EHR (you still pull the actual chart there). It replaces the spreadsheet or fax tray that tracks which request is at what status, due when, owned by whom.
Is RCMTask HIPAA compliant for handling Release of Information?
Yes. RCMTask is HIPAA-compliant, AES-256 encrypted at rest, TLS in transit, US-only hosting, with a Business Associate Agreement available on every paid tier. Every release action is captured in a tamper-evident audit trail and retained per HIPAA-mandated record-retention guidance.
Does RCMTask charge per request?
No. A one-time $250 Activation fee covers unlimited Release-of-Information requests on the platform. Outsourced ROI services typically charge $1.50–$3 per page once free-of-charge thresholds are exceeded; RCMTask is a flat fee. Confirm current pricing in-app before purchase.
How does it work alongside our EHR?
You continue to pull the chart in your EHR. RCMTask is the workflow layer on top — it tracks the request, the deadline, the approval, and the release event. We do not require any EHR integration in v1; data flows via manual entry or Excel/CSV. HL7/FHIR integration is on the roadmap.
Can we charge patients for copies?
HIPAA limits what you can charge an individual for their own records to a reasonable, cost-based fee. State law may further restrict charges. RCMTask tracks the fee per request but does not process payments; integrate your existing payment processor. We do not advise on what to charge — talk to your privacy officer or legal counsel.
What does a typical OCR Right-of-Access audit look like?
Most enforcement comes from patient complaints — a patient asks for their record, does not get it, and complains to OCR. OCR typically asks for: a list of requests in the prior 12 months, the response timeline for each, copies of denials with reasons, and the practice's ROI policy. A complete audit trail in RCMTask answers all four in one export.
Do you support attorney and payer requests, not just patient requests?
Yes. The data model treats requester type as a category — patient, attorney, payer, life-insurance carrier, disability, subpoena, continuity-of-care — with the right authorization rules and clock-start logic for each. Reporting can be sliced by requester type.
How fast can a small practice go live?
Same day. Start free with the Sandbox to walk through the workflow with demo data; activate ($250) and start logging real requests in under an hour. No integration is required to begin.
Compliance work that pairs with records release.
HIPAA compliance →
Policies, BAA, and risk analysis — applied on your practice's behalf and stored in the compliance binder.
HIPAA training →
Assign annual training, track completion, and store certificates — $1 per test through August 31, 2026.
Security & trust →
Encryption, audit trail, MFA, and subprocessors — what procurement teams ask for.
Free ROI tracker template →
A free spreadsheet to track records-release requests against the HIPAA 30-day deadline. Use it now, graduate to RCMTask when you outgrow it.
Release records on time, every time.
Start free with demo data and try a full request workflow in 10 minutes. Activate when you're ready.