WARNING. NEW CASE LAW. The law on HITECH medical records requests has changed due to the recent CIOX Health case. A newer blog that discusses how the CIOX Health case affects HITECH medical records requests can be found here.
The HITECH Act is an excellent tool attorneys can use to obtain medical records at a lower cost. Disability attorneys, workers compensation attorneys and personal injury attorneys spend thousands of dollars each year obtaining the medical records of their clients. Historically, attorneys have used a HIPAA authorization to obtain these records.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) has a Privacy Rule that gives individuals the legal right to obtain copies of their medical records. This Rule requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information about them in one or more “designated record sets” maintained by or for the covered entity. A “designated records set” is defined at 45 C.F.R. 164.501 as a group of records maintained by or for a covered entity.
The Health Information Technology for Economic and Clinical Health Act, known as the “HITECH Act”, provides a new method to obtain medical records at substantial cost savings. Pursuant to 42 USC 17935 (e) (1), if a covered entity maintains electronic health records
“. . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific, . . .”
Obtaining medical records via a HITECH request has three important advantages over using a HIPAA authorization.
1. Simplicity. The HITECH medical request must
(i) be in writing;
(ii) signed by the Client;
(iii) identify the attorney and where to send the records.
The necessary wording of a HITECH medical records request is much simpler than the necessary wording of a HIPAA authorization.
2. Time Deadline. The covered entity must respond to a HITECH medical records request within 30 days after the request is received. See 45 CFR 164.524 (b) (2) (i). The HIPAA authorization does not have a time deadline.
3. Fees. The fees a covered entity can charge to respond to a HITECH medical records request are strictly limited by 45 C.F.R. §164.524 (c) (4). In most cases, the fee cannot exceed $6.50. See HHS FAQ 45 CFR 164.524 at page 15. This fee limitation applies to any vendor hired by the covered entity to respond to the HITECH request. See HHS FAQ 45 CFR 164.524 at page 13. Further, the HITECH Act is a federal law that supercedes all State laws pertaining to the cost of medical records.
Limitations on Hitech Medical Records Request.
A HITECH Medical Records Request has two important limitations attorneys should be aware of. First, it ONLY applies to electronic records. If the health care provider only maintains paper records, the HITECH request does NOT apply. Second, psychotherapy notes are exempt from a HITECH Records Request. See 45 CFR 164.524 (a) (1) (i).
Enforcement of the Hitech Act.
If the HITECH medical records request is denied, I suggest you call the medical records supervisor. My experience has been a phone call is often necessary, and most of the time prompt compliance occurs.
If the call does not resolve the issue, I suggest you send a detailed letter with citations to the relevant authority, with attachments of the relevant authority, with a 10 day deadline for a response. Click on “Response to denial of Hitech request“ for a sample letter.
If that letter does not work, I suggest you file a complaint with the Office of Civil Rights (OCR) in the US Dept of Health & Human Services. See https://www.hhs.gov/ocr/complaints/index.html.
Practice Tips for using HITECH Medical Records Requests.
1. The individual, NOT the health care provider, gets to choose the method for obtaining medical records. See 45 CFR 164.524 (b) (1) and (c) (2).
2. The attorney should NOT send a HIPAA authorization with the HITECH medical records request. The HIPAA authorization might give the covered entity a basis to disregard the HITECH fee limitation.
3. Some vendors such as MRO argue that the fee limitation under the HITECH Act does not apply to requests made by third parties such as law firms. This argument is valid if the attorney requests medical records using a standard Release form.
4. Important Update. The Adoption of ONC’s Cures Act Final Rule has a major impact on access to medical records. For more information click on ONC’s Cures Act Final Rule.
However, the HITECH form I use is a request from the patient (not the attorney) to the covered entity. Further, 42 U.S.C. §17935 (e) (1) specifically allows the patient to direct the covered entity to transmit records to any person designated by the patient. In a few instances, it has been necessary to mail the HITECH medical records request, with no other documents, to the covered entity in an envelope with the patient’s return address.
Authorities for HITECH. The Federal legal authority for a HITECH Medical Records Request can be read and downloaded by clicking on the documents below.
Federal Register Vol. 78, No. 17, pgs. 5631 – 5637.
Sample Forms. Sample forms can be read and downloaded by clicking on the documents below.
HITECH Medical Records Request.
Response to denial of Hitech Medical Records Request.
If you found this Blog helpful, please do me a favor and post a favorable comment below. Thank you.
This Article was updated by Attorney David R. Paletta on August 1, 2019.
Disability Attorney David R. Paletta
If we submit a HIPAA authorization signed by our client and are told by the facility that they will need to print several hundred pages of electronic records, which will cost upwards of $300, can we ask them to release instead under HITECH, without getting a new authorization? Or will our client need to sign a new HITECH auth if we want to get the electronic records on CD?
The client must sign a HITECH authorization.
Per the change in the HITECH act, i’m still a bit confused. Is this saying the only way to get around having to pay more then $6.50 for records is by using a HITECH form signed by the client and NOT the usual HIPAA form we use? Also, I’ve tried going this route a few times and I’ve been sent records for the $6.50 fee but it’s necessary that the records and bills must be certified as well and by going this route, they are not signing Certifications/Affidavits because it was the at the $6.50 HITECH rate requested by the “client” and technically not the lawfirm. Does it mean that if we want the certifications attached that we must go the HIPAA request route and pay the higher fee? How do we get around this? Thank You!
I work in NC where health care providers do not provide Certifications or Affidavits so I am not familiar with that procedure.
This was really helpful. I am in a Doctor’s office. I had a law office pay the $6.50 for the patient’s record in electronic format a few months ago. Now they are again requesting updated records in electronic format – Can I charge them the $6.50 again or the previous $6.50 covers them for complete access from now on for this patient’s record. I didn’t know if I could charge every time they request for this patient as I will be having to use a new disc everytime.
Yes. You may charge $6.50 per request.
We get a lot of requests from a local injury attorney who requests records under HITECH, but the “letter” is on their letterhead, so it is not technically a request from the patient. Their letter also includes all required elements of a normal HIPAA authorization. Since the request is coming from the attorney’s office and has all of the elements of a HIPAA authorization, can we charge the normal 3rd party fees allowed by our state?
To take advantage of the HITECH fee limitation, a HITECH records request signed by the patient must be submitted. Further, since the CIOX case, the HITECH records request must be submitted by the patient, not the attorney. See https://www.paletta.org/disabilitylawblog/hitech-medical-records-requests-the-ciox-health-case/
Also, if 45 C.F.R. §164.502(g) states that a covered entity must treat a personal representative as the individual, I would say that an attorney is “a” personal representative of the individual. Even if the provider argued the attorney is not a personal representative, I would think the lawyer could easily sidestep that by adding that to his retainer with the client. What do you think?
Regarding the Ciox Health, LLC v. Azar, Case No. 18-cv-00040 (APM)].
My understanding is that any decision from the District Court for the District of Columbia is not binding in other courts, state or federal. The decision of a court has precedent value only within the court’s territorial jurisdiction. For example, decisions of a federal district court are not binding on federal courts in any other district. For example, in Michigan we are bound by federal circuit court opinions from the 6th Circuit Court of Appeals which covers Michigan, Ohio, Kentucky, and Tennessee. The District of Columbia is part of the 4th Circuit Court.
What do you think if the provider refuses to charge $6.50 based on the Ciox case from District of Columbia when that is not the district we are in?
You are legally correct. However, it appears that the US Department of Health & Human Services (HHS) will not contest the decision. If HHS accepts the decision, then it will not enforce the $6.50 limit for HITECH requests sent in by attorneys.
Have you read up on the new HITECH guidelines which revokes the $6.50 fee limitation which will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party? It seems many law firms are trying to navigate a way around this and in the meantime having to make the necessary changes to terminology on their medical record request letters. If the law firm themselves is submitting the request with the clients signed Authorization form, are we to remove any terminolgy r.e. the HITECH act? Is their any benefit of the HITECH act on lawfirms any longer? It’s necessary that the records and bills be certified as well and the Hospitals and other institutions won’t sign that if the records are sent directly to the clients address. It’s all very confusing to me. Any input?
Thank You!
Yes. In response to the CIOX Health case, I have written 2 new blogs – HITECH Medical Records Requests & the CIOX Health Case and MyChart Accounts – A Better Alternative to HITECH.
The 1st blog discusses how CIOX Health affects HITECH medical records requests. The 2nd blog discusses how MyChart Accounts are now a better alternative to HITECH medical records requests.
Thank You, I’ll check out both those blogs.
There is still work involved in reviewing and sending electronic records in an electronic format. The work involved is more costly than $6.50 per hour, especially for large client charts. How is this fairly compensated in the HITECH ACT?
The $6.50 reflects a public policy that patients should be able to get their records at a minimum cost. It also reflects new technology in which it does not cost more to copy a 1,000 page electronic file than it does to copy a 10 page electronic file. HITECH does allow a provider to charge more than $6.50 if it documents higher costs associated with copying a particular file.
As more providers allow patients to create MyChart accounts, that may become the new method to provide records to patients and their attorneys.
I have a question as a provider, I have EMR, ( I am a Certified Hand Therapist/OT) in private practice. I have a HiTech records request for a patient that would be an entire ream of paper if printed. I can not back up on disc or thumbdrive from my EMR. I have contacted them and they also can not produce the records electronically. I am not able to produce the records electronically and the fee of $6 is honestly ridiculous. Please let me know your thoughts.
Thank You
Linda Stanley, OTR/L, CHT
I am not familiar with EMR. Could you explain what EMR is?
EMR Electronic Medical Records….. It is the systems medical practitioners use for documentation if they do not use paper any longer.
The statute says if records are kept electronically, the provider shall provide an electronic copy. It also says if the provider documents its actual cost for reproduction, the provider can charge more than $6.50.
There is also a new case, which I have not had time to fully analyze, that appears to state the $6.50 limitation does not apply to requests from attorneys. I plan to review this case in the near future.
you can download a PDF convert program to use instead of a “normal” printer.
Check out https://www.cutepdf.com/index.htm
Good suggestion. Thank you.
Opinions as to CIOX HEALTH, LLC v. HARGAN et al, No. 1:2018cv00040.
Yes. In response to the CIOX Health case, I have written 2 new blogs – “HITECH Medical Records Requests & the CIOX Health Case” and “MyChart Accounts – A Better Alternative to HITECH“.
The 1st blog discusses how CIOX Health affects HITECH medical records requests. The 2nd blog discusses how MyChart Accounts are now a better alternative to HITECH medical records requests.
When sending the HITECH request to providers on behalf of the patient (Request has been physically signed by patient) can the provider deny the request for medical records stating that it needs to have an expiration date?
No. There is nothing in the HITECH law that gives a records provider the authority to add additional requirements to the HITECH authorization.
Hello,
Thank you for this explanation of this process. This is the best bit of information in lay terms I have found yet! I am curious as to the signature. It is very clear that Attorneys will draft up the same letter for their clients, and electronically sign it, /s/ Client Name. Is this considered a legally signed request, from the individual? When these are received, a hand signed HIPAA release is enclosed with the request, both of which come from the Attorney, not the individual (direct). I am on the fence about this as I feel if the client is hiring an Attorney to work on their behalf, it should be acceptable, however the rules make it sound that this may not actually be the case.
Again, I am glad I found this article with all the links etc. and find it extremely helpful, but could use some clarification on the signature piece and when the request is accompanied by the actual signed HIPAA, from the Attorney – and all communication is done through the Attorney, not the individual. This actually leads me to ask one more question, with the request having being from “the individual”, who receives the bill, the requestor, or the attorney? THANKS SO MUCH!
“I am curious as to the signature. It is very clear that Attorneys will draft up the same letter for their clients, and electronically sign it, /s/ Client Name. Is this considered a legally signed request, from the individual?” No. I believe HITECH requires a signature from the client. I usually have my client sign a pdf document on an iPad with an electronic pencil.
“When these are received, a hand signed HIPAA release is enclosed with the request, both of which come from the Attorney, not the individual (direct). I am on the fence about this as I feel if the client is hiring an Attorney to work on their behalf, it should be acceptable, however the rules make it sound that this may not actually be the case.” Most providers accept a HITECH request signed by the client sent by the attorney. A few providers require the HITECH request to be sent by the client. I disagree with that but it is simple to comply with.
“This actually leads me to ask one more question, with the request having being from “the individual”, who receives the bill, the requestor, or the attorney?” The bill is always sent to me.
So would you say that from the provider point of view, if the Attorney is using the template letter and adding a signature as mentioned above (/s/ Individual Name), it can be dismissed as a HITECH request? In which case, we have the right to still request the standard fee for our state? Unless of course the Attorney wishes to resend the HITECH form with a valid signature. There is one Attorney in particular that we deal with who uses the same letter format and this generic signature to avoid making any payment, even at the HITECH rate.
I agree with you. A HITECH request must be signed by the patient (client) whose records are being requested.
I just learned about the HITECH ACT a few months ago and have been trying to use it (injury case) to get my medical records. How do you handle an all electric PT doctors office (even sign in on a tablet) that says they cannot provide electronic records, only printed paper copies?
42 USC 17935 (e) (1) provides that if a covered entity maintains electronic health records, “. . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format . . .” This office is clearly required to produce electronic records.
Personally, I start with the soft approach, which usually works. In this instance I would call the office manager, explain HITECH, provide a copy of 42 USC 17935 (e) (1), and point out penalties for noncompliance. There should be a simple way for this office to produce an electronic copy of records.
For non-electronic record, the client can still make a PHI request under HIPAA and the cost is much the same. The problem I am running into is that in Texas we need affidavits for both the billing and medical records and the providers who use intermediate companies to handle their records refuse to provide those unless we pay for all the records and make the request through our firm. In other words, we can get the records without the affidavits with a PHI request but if we want the affidavits, we also have to pay for the records which accompany the affidavits.
Thank you for sharing this information.
From what I understand the Hitech act does not apply to Billing records (UB or HCFA, itemized statements, or affidavits) correct?
HITECH applies to billing records, because billing records are included in the definition of “designated records set”. See 45 C.F.R. 164.501. I have added a link to the text of 45 C.F.R. 164.501 in the article. HITECH applies to all protected health information in a ““designated record set” maintained by the covered entity.
Thank you for this information. Are all type of providers supposed to abide by HITECH guidelines or only hospitals? As a requester I get a lot of push back from Psychologists, nursing homes, physical therapists and chiropractor offices and I am not certain if they are exempt from this?
Thank you for your question. The HITECH Act has two important limitations. First, it ONLY applies to electronic records. If the health care provider only maintains paper records, HITECH does NOT apply. Second, psychotherapy notes are exempt from a HITECH Records Request. See 45 CFR 164.524 (a) (1) (i). HITECH applies to nursing homes, physical therapists and chiropractors IF they use electronic records. HITECH does NOT apply to psychologists.
This information is priceless and will save our clients a lot of money.
Thank you for sharing your knowledge.
Thank you for this immensely helpful blog. I refer to this site several times throughout my work as a legal assistant.
I have recently come into difficulty with getting an invoice adjusted via the HITECH act due to a patient’s being deceased.
Have you ever had any trouble getting a HITECH request fulfilled due to a client being deceased?
Thank you.
You have raised an interesting question. Take a look at 42 USC 17935 (e) (1). It states “… the individual shall have a right …”. If the individual is deceased, then a HITECH request form signed by the decedent is no longer valid.
Can the personal representative for an estate sign a HITECH request form? The statute does not explicitly allow a personal representative to do so. I can see an argument for and against. I have not yet seen a definitive answer to this interesting question.
Great article. As a medical providers office that keeps electronic records but can not produce the medical records in an electronic form are we required to charge only the $6.50 fee.
Our EMR does not make it possible to burn a CD with a records or save them as a PDF. We have to print all records. So when we are providing these records our costs are well above $6.50 to produce them and mail.
Good question. Take a look at 42 USC 17935 (e) (1). If you click on this statute in the article the statute will appear in a separate window.
42 USC 17935 (e) (1) states “if the covered entity uses or maintains an electronic health record”, then “the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format . . . .”
I interpret this statute to require your EMR to be updated to allow it to produce medical records in an electronic form. I have not personally researched this interesting question but I suspect somewhere in The Health Information Technology for Economic and Clinical Health Act there is such a requirement.
There may be a simple technical solution to your question. When I want to print a document on my computer, I have several options. I can send the document to my printer for a hard copy, or I can send the document to “Adobe PDF” or “Microsoft Print to PDF” and that will create an electronic pdf file on my computer (as if I had scanned the document). Please feel free to email me directly at dpaletta@att.net if you want to explore that option further.
So helpful! Thank you!
I am new to the Hitech records request arena. This was extremely helpful especially considering the fact that I sought assistance from those more seasoned than me and they had no knowledge of what I was inquiring about.
Thank you
I have been using HITECH medical record requests for a few years now. Each year the process gets smoother. There are some medical records providers who waive the $6.50 fee.
Thank you for providing this information. If a medical office maintains both electronic and paper records, are they required to scan the paper records and provide them along with the electronic records pursuant to HITECH?
Good question. HITECH only applies to electronic records. The HITECH fee limitation does NOT apply to paper records. I specifically direct the health care provider to NOT send me paper records. See the sample Attorney Letter.
However, if I am aware there are paper records that are needed, I will request those paper records knowing that I will have to pay the copying fee for the paper records which is usually set by state statute.
You should also be aware that HITECH does NOT apply to psychiatric records. However, I have been pleasantly surprised that most hospitals provide me with psychiatric records at the lower HITECH rate.
This is gold! Thank you!
Is a medical office in violation of federal law if they do not have EMR or any other way of producing electronic medical records? Just now learning about HITECH.
I have never researched the issue – does the Hitech Act require a medical provider to have electronic records? It has certainly become the norm for almost all medical providers.
The old fashioned way of getting medical records with a HIPPA form is costly and time consuming. I’m thrilled to learn of an alternative means to get records. Thank you.
I agree. And, the more attorneys that use the HITECH option, the more health care providers will come to accept HITECH as the new norm.
How are you successful in receiving records with only the HITECH letter and not a HIPAA authorization? We have many providers who reject our requests stating they require an authorization with the HITECH letter. Have you experienced this and how do you think we can get them to fulfill our requests with only the HITECH request letter? Thank you!
How are you successful in receiving records with only the HITECH letter and not a HIPAA authorization?
I have had mixed success.
We have many providers who reject our requests stating they require an authorization with the HITECH letter.
I have had this experience also usually from the major medical facilities. I do not believe a health care provider can require a patient or his/her attorney to use the facilities’ unique authorization form. However, I go ahead and have my client sign the facilities’ unique authorization form because my goal is to get the records as quickly as possible and at the lowest cost possible. All of these facilities have billed me at the lower Hitech rate of $6.50 per set of records.
Have you experienced this and how do you think we can get them to fulfill our requests with only the HITECH request letter?
The question for each law firm is what battles do you want to fight over? I have chosen not to spend hours arguing with major medical facilities when I can get their unique authorization form signed by my client in a few minutes.
Do the HITECH rules of HIPAA(example fees)pertain to paper medical billing records(not medical records)sent to attorneys offices? Thanks so much.
Individuals have a right to access protected health information in a “designated record set”. Billing records are included in a “designated record set” pursuant to 45 CFR 164.501(1)(i).
However, the Hitech rules only apply when the health care provider maintains the information in an electronic format. Hitech rules do NOT apply to paper records. See 42 U.S.C. §17935 (e) (1).
As a provider can attorneys use The HITECH Act to obtain records to determine if a patient or former patient has an “actionable” case against the former provider?
I ask this because I have found myself receiving quite a number of requests for medical records coming directly from the attorneys with HIPAA Release forms and without a signature by the former patients.
Just curious if this is being used so the attorneys do not have to pay to receive medical records.
Thank you for your question.
First, both the HIPAA Act and the HITECH Act give patients the legal right to obtain copies of their medical records. The patient gets to choose which method to use for obtaining his/her medical records.
I do not understand your comment that you are receiving requests for medical records from attorneys “without a signature by the former patients”. The patient must sign either a proper HIPAA authorization or a proper HITECH request in order to obtain his/her medical records.
Although the request for records usually comes from the attorney, the attorney must always provide either a HIPAA authorization or a HITECH request signed by the patient. Without a signature from the patient, a request for medical records under either method is not valid.
Second, the legal right to obtain copies of medical records is held by the patient. The attorney is acting on behalf of the patient as his/her authorized representative. Usually, the HIPAA authorization or the HITECH request authorizes or instructs the records custodian to provide the records directly to the attorney.
Third, neither the HIPAA Act nor the HITECH Act place any limitations on the patient as to the purpose for his/her request. Thus, it makes no difference why the patient (or his/her attorney) is requesting the records. The records custodian must comply with the request.
Appreciate you sharing this information with colleagues. Such practice is only good for all and assures proper advocacy is practices in representation of our clients.
Thank you for sharing this information Attorney Paletta. I have run into my first roadblocks in utilizing a HITECH request for a client, and I expect your advice will help to ensure compliance. (Surprising that a nearly 10-year old federal law is still so difficult to enforce, no?)
– Attorney Johns (Connecticut)
Very interesting article. Out of curiosity, how does Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1080 (9th Cir. 2007) interact with your method. Is it that your model includes the client making his own request, which is merely forwarded to the provider by the attorney’s office?
Thank you so much for this post, Attorney Paletta! I have the same exact question as Jarrett. I read that case as well as Bocage v. Acton Corp._ 2018 U.S. Dist. and Rios v. Partners in Primary Care_ P.A._ 2019 U.S. Dist. I also looked at this link for guidance. LINK: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html My understanding is that it would be improper for the attorney to make a request, and that the patient should be the one making his or her own request instead of signing the request of the attorney. My understanding was also that the client’s own request could be forwarded to the provider by the attorney’s office.
Thank you for your comment and questions.
QUESTION 1. “How does Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1080 (9th Cir. 2007) interact with your method. Is it that your model includes the client making his own request, which is merely forwarded to the provider by the attorney’s office?”
REPLY.
The Webb case does NOT apply to the Hitech requests. The Webb case is based upon the HIPAA Act which is a different federal law with a different legislative history than the HITECH Act. However, even if the case applied, the form and procedure I use conform to the ruling in Webb.
Both the HIPAA Act and the HITECH Act give patients the legal right to obtain copies of their medical records. The patient gets to choose which method to use for obtaining his/her medical records.
Clearly, the patient MUST sign a proper HITECH request in order to obtain his/her medical records. The legal right to obtain copies of medical records is held by the patient, not the attorney.
QUESTION 2. “My understanding is that it would be improper for the attorney to make a request, and that the patient should be the one making his or her own request instead of signing the request of the attorney.”
REPLY. I agree. Please see the Request Form provided above. The patient MUST sign the HITECH request form.
QUESTION 3. “My understanding was also that the client’s own request could be forwarded to the provider by the attorney’s office.”
REPLY. I agree.
Federal law specifically recognizes the patient’s right to direct the covered entity to send the medical records to a designated person. See 42 USC 17935 (e) (1) quoted above. Clearly, (e) (1) means the patient can tell the provider to send medical records to the attorney.
A few records providers have taken the position that the HITECH request must physically come from the patient. I disagree and believe those providers are in direct violation of 42 USC 17935 (e) (1).