The HITECH Act is an excellent tool attorneys can use to obtain medical records at a lower cost. Disability attorneys, workers compensation attorneys and personal injury attorneys spend thousands of dollars each year obtaining the medical records of their clients. Historically, attorneys have used a HIPAA authorization to obtain these records.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) has a Privacy Rule that gives individuals the legal right to obtain copies of their medical records. This Rule requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information about them in one or more “designated record sets” maintained by or for the covered entity. A “designated records set” is defined at 45 C.F.R. 164.501 as a group of records maintained by or for a covered entity.
The Health Information Technology for Economic and Clinical Health Act, known as the “HITECH Act”, provides a new method to obtain medical records at substantial cost savings. Pursuant to 42 USC 17935 (e) (1), if a covered entity maintains electronic health records
“. . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific, . . .”
Obtaining medical records via a HITECH request has three important advantages over using a HIPAA authorization.
1. Simplicity. The HITECH medical request must
(i) be in writing;
(ii) signed by the Client;
(iii) identify the attorney and where to send the records.
Click on HITECH Medical Records Request to see a sample request. The necessary wording of a HITECH medical records request is much simpler than the necessary wording of a HIPAA authorization.
2. Time Deadline. The covered entity must respond to a HITECH medical records request within 30 days after the request is received. See 45 CFR 164.524 (b) (2) (i). The HIPAA authorization does not have a time deadline.
3. Fees. The fees a covered entity can charge to respond to a HITECH medical records request are strictly limited by 45 C.F.R. §164.524 (c) (4). In most cases, the fee cannot exceed $6.50. See HHS FAQ 45 CFR 164.524 at page 15. This fee limitation applies to any vendor hired by the covered entity to respond to the HITECH request. See HHS FAQ 45 CFR 164.524 at page 13. Further, the HITECH Act is a federal law that supercedes all State laws pertaining to the cost of medical records.
Limitations on Hitech Medical Records Request.
A HITECH Medical Records Request has two important limitations attorneys should be aware of. First, it ONLY applies to electronic records. If the health care provider only maintains paper records, the HITECH request does NOT apply. Second, psychotherapy notes are exempt from a HITECH Records Request. See 45 CFR 164.524 (a) (1) (i).
Enforcement of the Hitech Act.
If the HITECH medical records request is denied, I suggest you call the medical records supervisor. My experience has been a phone call is often necessary, and most of the time prompt compliance occurs.
If the call does not resolve the issue, I suggest you send a detailed letter with citations to the relevant authority, with attachments of the relevant authority, with a 10 day deadline for a response. Click on “Response to denial of Hitech request“ for a sample letter.
If that letter does not work, I suggest you file a complaint with the Office of Civil Rights (OCR) in the US Dept of Health & Human Services. See https://www.hhs.gov/ocr/complaints/index.html.
Practice Tips for using HITECH Medical Records Requests.
1. The individual, NOT the health care provider, gets to choose the method for obtaining medical records. See 45 CFR 164.524 (b) (1) and (c) (2).
2. The attorney should NOT send a HIPAA authorization with the HITECH medical records request. The HIPAA authorization might give the covered entity a basis to disregard the HITECH fee limitation.
3. Some vendors such as MRO argue that the fee limitation under the HITECH Act does not apply to requests made by third parties such as law firms. This argument is valid if the attorney requests medical records using a standard Release form.
However, the HITECH form I use is a request from the patient (not the attorney) to the covered entity. Further, 42 U.S.C. §17935 (e) (1) specifically allows the patient to direct the covered entity to transmit records to any person designated by the patient. In a few instances, it has been necessary to mail the HITECH medical records request, with no other documents, to the covered entity in an envelope with the patient’s return address.
Authorities for HITECH. The Federal legal authority for a HITECH Medical Records Request can be read and downloaded by clicking on the documents below.
Federal Register Vol. 78, No. 17, pgs. 5631 – 5637.
Sample Forms. Sample forms can be read and downloaded by clicking on the documents below.
HITECH Medical Records Request.
Response to denial of Hitech Medical Records Request.
If you found this Blog helpful, please do me a favor and post a favorable comment below. Thank you.
This Article was updated by Attorney David R. Paletta on August 1, 2019.
Disability Attorney David R. Paletta
Thank you for providing this information. If a medical office maintains both electronic and paper records, are they required to scan the paper records and provide them along with the electronic records pursuant to HITECH?
Good question. HITECH only applies to electronic records. The HITECH fee limitation does NOT apply to paper records. I specifically direct the health care provider to NOT send me paper records. See the sample Attorney Letter.
However, if I am aware there are paper records that are needed, I will request those paper records knowing that I will have to pay the copying fee for the paper records which is usually set by state statute.
You should also be aware that HITECH does NOT apply to psychiatric records. However, I have been pleasantly surprised that most hospitals provide me with psychiatric records at the lower HITECH rate.
This is gold! Thank you!
The old fashioned way of getting medical records with a HIPPA form is costly and time consuming. I’m thrilled to learn of an alternative means to get records. Thank you.
I agree. And, the more attorneys that use the HITECH option, the more health care providers will come to accept HITECH as the new norm.
How are you successful in receiving records with only the HITECH letter and not a HIPAA authorization? We have many providers who reject our requests stating they require an authorization with the HITECH letter. Have you experienced this and how do you think we can get them to fulfill our requests with only the HITECH request letter? Thank you!
How are you successful in receiving records with only the HITECH letter and not a HIPAA authorization?
I have had mixed success.
We have many providers who reject our requests stating they require an authorization with the HITECH letter.
I have had this experience also usually from the major medical facilities. I do not believe a health care provider can require a patient or his/her attorney to use the facilities’ unique authorization form. However, I go ahead and have my client sign the facilities’ unique authorization form because my goal is to get the records as quickly as possible and at the lowest cost possible. All of these facilities have billed me at the lower Hitech rate of $6.50 per set of records.
Have you experienced this and how do you think we can get them to fulfill our requests with only the HITECH request letter?
The question for each law firm is what battles do you want to fight over? I have chosen not to spend hours arguing with major medical facilities when I can get their unique authorization form signed by my client in a few minutes.
Do the HITECH rules of HIPAA(example fees)pertain to paper medical billing records(not medical records)sent to attorneys offices? Thanks so much.
Individuals have a right to access protected health information in a “designated record set”. Billing records are included in a “designated record set” pursuant to 45 CFR 164.501(1)(i).
However, the Hitech rules only apply when the health care provider maintains the information in an electronic format. Hitech rules do NOT apply to paper records. See 42 U.S.C. §17935 (e) (1).
As a provider can attorneys use The HITECH Act to obtain records to determine if a patient or former patient has an “actionable” case against the former provider?
I ask this because I have found myself receiving quite a number of requests for medical records coming directly from the attorneys with HIPAA Release forms and without a signature by the former patients.
Just curious if this is being used so the attorneys do not have to pay to receive medical records.
Thank you for your question.
First, both the HIPAA Act and the HITECH Act give patients the legal right to obtain copies of their medical records. The patient gets to choose which method to use for obtaining his/her medical records.
I do not understand your comment that you are receiving requests for medical records from attorneys “without a signature by the former patients”. The patient must sign either a proper HIPAA authorization or a proper HITECH request in order to obtain his/her medical records.
Although the request for records usually comes from the attorney, the attorney must always provide either a HIPAA authorization or a HITECH request signed by the patient. Without a signature from the patient, a request for medical records under either method is not valid.
Second, the legal right to obtain copies of medical records is held by the patient. The attorney is acting on behalf of the patient as his/her authorized representative. Usually, the HIPAA authorization or the HITECH request authorizes or instructs the records custodian to provide the records directly to the attorney.
Third, neither the HIPAA Act nor the HITECH Act place any limitations on the patient as to the purpose for his/her request. Thus, it makes no difference why the patient (or his/her attorney) is requesting the records. The records custodian must comply with the request.
Appreciate you sharing this information with colleagues. Such practice is only good for all and assures proper advocacy is practices in representation of our clients.
Thank you for sharing this information Attorney Paletta. I have run into my first roadblocks in utilizing a HITECH request for a client, and I expect your advice will help to ensure compliance. (Surprising that a nearly 10-year old federal law is still so difficult to enforce, no?)
– Attorney Johns (Connecticut)
Very interesting article. Out of curiosity, how does Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1080 (9th Cir. 2007) interact with your method. Is it that your model includes the client making his own request, which is merely forwarded to the provider by the attorney’s office?