WARNING. NEW CASE LAW. The law on HITECH medical records requests has changed due to the recent CIOX Health case. A newer blog that discusses how the CIOX Health case affects HITECH medical records requests can be found here.

The HITECH Act is an excellent tool attorneys can use to obtain medical records at a lower cost. Disability attorneys, workers compensation attorneys and personal injury attorneys spend thousands of dollars each year obtaining the medical records of their clients. Historically, attorneys have used a HIPAA authorization to obtain these records.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) has a Privacy Rule that gives individuals the legal right to obtain copies of their medical records. This Rule requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information about them in one or more “designated record sets” maintained by or for the covered entity. A “designated records set” is defined at  45 C.F.R. 164.501 as a group of records maintained by or for a covered entity.

The Health Information Technology for Economic and Clinical Health Act, known as the “HITECH Act”, provides a new method to obtain medical records at substantial cost savings. Pursuant to 42 USC 17935 (e) (1), if a covered entity maintains electronic health records

“. . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific, . . .”

Obtaining medical records via a HITECH request has three important advantages over using a HIPAA authorization.

1. Simplicity. The HITECH medical request must

(i)   be in writing;

(ii)  signed by the Client;

(iii) identify the attorney and where to send the records.

The necessary wording of a HITECH medical records request is much simpler than the necessary wording of a HIPAA authorization.

2. Time Deadline. The covered entity must respond to a HITECH medical records request within 30 days after the request is received. See 45 CFR 164.524 (b) (2) (i). The HIPAA authorization does not have a time deadline.

3. Fees. The fees a covered entity can charge to respond to a HITECH medical records request are strictly limited by 45 C.F.R. §164.524 (c) (4). In most cases, the fee cannot exceed $6.50. See  HHS FAQ 45 CFR 164.524 at page 15. This fee limitation applies to any vendor hired by the covered entity to respond to the HITECH request. See  HHS FAQ 45 CFR 164.524 at page 13. Further, the HITECH Act is a federal law that supercedes all State laws pertaining to the cost of medical records.

Limitations on Hitech Medical Records Request.

A HITECH Medical Records Request has two important limitations attorneys should be aware of. First, it ONLY applies to electronic records. If the health care provider only maintains paper records, the HITECH request does NOT apply. Second, psychotherapy notes are exempt from a HITECH Records Request. See 45 CFR 164.524 (a) (1) (i).

Enforcement of the Hitech Act.

If the HITECH medical records request is denied, I suggest you call the medical records supervisor. My experience has been a phone call is often necessary, and most of the time prompt compliance occurs.

If the call does not resolve the issue, I suggest you send a detailed letter with citations to the relevant authority, with attachments of the relevant authority, with a 10 day deadline for a response. Click on “Response to denial of Hitech request for a sample letter.

If that letter does not work, I suggest you file a complaint with the Office of Civil Rights (OCR) in the US Dept of Health & Human Services. See https://www.hhs.gov/ocr/complaints/index.html.

Practice Tips for using HITECH Medical Records Requests.

1.  The individual, NOT the health care provider, gets to choose the method for obtaining medical records. See  45 CFR 164.524 (b) (1) and (c) (2).

2.  The attorney should NOT send a HIPAA authorization with the HITECH medical records request. The HIPAA authorization might give the covered entity a basis to disregard the HITECH fee limitation.

3. Some vendors such as MRO argue that the fee limitation under the HITECH Act does not apply to requests made by third parties such as law firms. This argument is valid if the attorney requests medical records using a standard Release form.

4. Important Update. The Adoption of ONC’s Cures Act Final Rule has a major impact on access to medical records. For more information click on ONC’s Cures Act Final Rule.

However, the HITECH form I use is a request from the patient (not the attorney) to the covered entity. Further, 42 U.S.C. §17935 (e) (1) specifically allows the patient to direct the covered entity to transmit records to any person designated by the patient. In a few instances, it has been necessary to mail the HITECH medical records request, with no other documents, to the covered entity in an envelope with the patient’s return address.


Authorities for HITECH. The Federal legal authority for a HITECH Medical Records Request can be read and downloaded by clicking on the documents below.

42 USC 17935.

45 C.F.R. 164.501

45 CFR 164.524.

HHS_FAQ_45 CFR 164.524.

Federal Register Vol. 78, No. 17, pgs. 5631 – 5637.

Sample Forms.  Sample forms can be read and downloaded by clicking on the documents below.

HITECH Medical Records Request.

Attorney Letter.

Response to denial of Hitech Medical Records Request.

If you found this Blog helpful, please do me a favor and post a favorable comment below. Thank you.

This Article was updated by Attorney David R. Paletta on August 1, 2019.

HITECH Medical Records

Disability Attorney David R. Paletta