By Linda Kloss

Release of Information (ROI) functions as a gatekeeper for access and disclosure of confidential  health information. ROI advances patient rights, enforces organizational policy, and complies with federal and state law. The gatekeeper role is more complex today because:

  • Health delivery and information systems are more complex 
  • Request volumes are greater from patients and a range of requestors
  • Regulatory ground rules were largely designed for a paper-based health system, and
  • Privacy and security are being deliberately and inadvertently put at risk. 

The first three factors above contribute to privacy and security risks.  In our recent webinar, Mike Salsbury, JD Verisma’s Counsel and Privacy Officer and Jim Staley, CISPP, Verisma’s Chief Information Security Officer and Chief Compliance Officer discussed trends giving rise to privacy and security risk and important ways to harden systems to reduce risks.[1] 

By design concepts

Their overarching premise is that the best way to mitigate risk is to avoid It in the first place. Contemporary by design approaches means that privacy and security are engineered in to technology, workflows and process, rather than being added after the fact.[2] Examples of Foundational principles include:

  • Proactive not reactive; preventive not remedial
  • Privacy and security are embedded into design
  • Privacy as the default
  • End-to-end security

It is not likely that there can be perfect design to avoid all risk, but Salsbury and Staley urged a by design anticipatory mindset. They emphasized the importance of up to date privacy and security risk assessments. 

Privacy by design

Against the background of the industry’s response to COVID-19, Mike Salsbury reviewed the ways in which ROI has been impacted in 2020 and the implications for safeguarding privacy.  He described characteristics of recent enforcement actions relating to non-compliance with Federal patient access regulations. 

In addition to having an up to date privacy risk Assessment, Salsbury urges covered entities to:

  • Ensure Business Associate Agreements (BAAs) are up to date
  • Review staff onboarding/departure procedures
  • Ensure up to date personnel training
  • Carefully track ROI request intake to make certain required timeframes are met
  • Review protocols and security for electronic transfer of PHI
  • Review procedures for handling unauthorized disclosures (UADs)

Security by design

Jim Staley noted attempted cyber intrusions during the first half of 2020 exceeded the total for all of 2019. Healthcare organizations and their technology companies are a frequent target for intrusion attacks and health information is a high value cybertheft target. 

Staley emphasized the importance of working with vendors who can demonstrate adherence to stringent security protocols and have earned security certifications. He urged attention to fundamental practices of encryption for sensitive data at rest and in motion.  He urged use of multi-factor authentication in applications we use in our work and as part of our personal digital practices. Staley urged updated security risk assessment and referenced the new tool  from OCR and ONC.[3]

ROI by design

ROI is a set of processes or workflows, guided by regulations, and explicit polices. It is comprised of the following four subprocesses in which risks can be identified and mitigated through smart technology, workflow design, training, and accountability:

  • Request – request routes, authorizations, identity verification
  • Retrieve – data sources,  minimum necessary, quality checks
  • Release – media-specific safe practices, compliant business operations
  • Retain – accounting for disclosures, audits, process improvement 

Verisma’s ROI technologies guide and prompt requestors and ROI staff to do the right things — and they create a record of that work. This is what by design is all about. It is also about taking steps to standardize ROI across the health care enterprise. ROI may be done in house, outsourced, or a combination, smart technology, workflow design, training, and accountability are keys to by design ROI.

We are in the third decade of the 21st century with privacy eroding and security under attack. It’s time to step up proactive vigilance so ROI remains an effective gatekeeper for access and disclosure of confidential health information. 


[1] An archive of the webinar Privacy and Security by Design: A New Imperative is available upon request from

[2] Cavoukian, Ann.  Privacy by Design: The 7 Foundational Principles, Information & Privacy Commissioner, Ontario, Canada. January 2011.

[3] US Department of Health and Human Services,  Security Risk Assessment Tool, v 3.2, User Guide.