The HITECH Act is an excellent tool attorneys can use to obtain medical records at a lower cost. Disability attorneys, workers compensation attorneys and personal injury attorneys spend thousands of dollars each year obtaining the medical records of their clients. Historically, attorneys have used a HIPAA authorization to obtain these records.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) has a Privacy Rule that gives individuals the legal right to obtain copies of their medical records. This Rule requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information about them in one or more “designated record sets” maintained by or for the covered entity. A “designated records set” is defined at 45 C.F.R. 164.501 as a group of records maintained by or for a covered entity.
The Health Information Technology for Economic and Clinical Health Act, known as the “HITECH Act”, provides a new method to obtain medical records at substantial cost savings. Pursuant to 42 USC 17935 (e) (1), if a covered entity maintains electronic health records
“. . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific, . . .”
Obtaining medical records via a HITECH request has three important advantages over using a HIPAA authorization.
1. Simplicity. The HITECH medical request must
(i) be in writing;
(ii) signed by the Client;
(iii) identify the attorney and where to send the records.
Click on HITECH Medical Records Request to see a sample request. The necessary wording of a HITECH medical records request is much simpler than the necessary wording of a HIPAA authorization.
2. Time Deadline. The covered entity must respond to a HITECH medical records request within 30 days after the request is received. See 45 CFR 164.524 (b) (2) (i). The HIPAA authorization does not have a time deadline.
3. Fees. The fees a covered entity can charge to respond to a HITECH medical records request are strictly limited by 45 C.F.R. §164.524 (c) (4). In most cases, the fee cannot exceed $6.50. See HHS FAQ 45 CFR 164.524 at page 15. This fee limitation applies to any vendor hired by the covered entity to respond to the HITECH request. See HHS FAQ 45 CFR 164.524 at page 13. Further, the HITECH Act is a federal law that supercedes all State laws pertaining to the cost of medical records.
Limitations on Hitech Medical Records Request.
A HITECH Medical Records Request has two important limitations attorneys should be aware of. First, it ONLY applies to electronic records. If the health care provider only maintains paper records, the HITECH request does NOT apply. Second, psychotherapy notes are exempt from a HITECH Records Request. See 45 CFR 164.524 (a) (1) (i).
Enforcement of the Hitech Act.
If the HITECH medical records request is denied, I suggest you call the medical records supervisor. My experience has been a phone call is often necessary, and most of the time prompt compliance occurs.
If the call does not resolve the issue, I suggest you send a detailed letter with citations to the relevant authority, with attachments of the relevant authority, with a 10 day deadline for a response. Click on “Response to denial of Hitech request“ for a sample letter.
If that letter does not work, I suggest you file a complaint with the Office of Civil Rights (OCR) in the US Dept of Health & Human Services. See https://www.hhs.gov/ocr/complaints/index.html.
Practice Tips for using HITECH Medical Records Requests.
1. The individual, NOT the health care provider, gets to choose the method for obtaining medical records. See 45 CFR 164.524 (b) (1) and (c) (2).
2. The attorney should NOT send a HIPAA authorization with the HITECH medical records request. The HIPAA authorization might give the covered entity a basis to disregard the HITECH fee limitation.
3. Some vendors such as MRO argue that the fee limitation under the HITECH Act does not apply to requests made by third parties such as law firms. This argument is valid if the attorney requests medical records using a standard Release form.
However, the HITECH form I use is a request from the patient (not the attorney) to the covered entity. Further, 42 U.S.C. §17935 (e) (1) specifically allows the patient to direct the covered entity to transmit records to any person designated by the patient. In a few instances, it has been necessary to mail the HITECH medical records request, with no other documents, to the covered entity in an envelope with the patient’s return address.
Authorities for HITECH. The Federal legal authority for a HITECH Medical Records Request can be read and downloaded by clicking on the documents below.
Federal Register Vol. 78, No. 17, pgs. 5631 – 5637.
Sample Forms. Sample forms can be read and downloaded by clicking on the documents below.
HITECH Medical Records Request.
Response to denial of Hitech Medical Records Request.
If you found this Blog helpful, please do me a favor and post a favorable comment below. Thank you.
This Article was updated by Attorney David R. Paletta on August 1, 2019.
Disability Attorney David R. Paletta
This information is priceless and will save our clients a lot of money.
Thank you for sharing your knowledge.
Thank you for this immensely helpful blog. I refer to this site several times throughout my work as a legal assistant.
I have recently come into difficulty with getting an invoice adjusted via the HITECH act due to a patient’s being deceased.
Have you ever had any trouble getting a HITECH request fulfilled due to a client being deceased?
Thank you.
You have raised an interesting question. Take a look at 42 USC 17935 (e) (1). It states “… the individual shall have a right …”. If the individual is deceased, then a HITECH request form signed by the decedent is no longer valid.
Can the personal representative for an estate sign a HITECH request form? The statute does not explicitly allow a personal representative to do so. I can see an argument for and against. I have not yet seen a definitive answer to this interesting question.
Great article. As a medical providers office that keeps electronic records but can not produce the medical records in an electronic form are we required to charge only the $6.50 fee.
Our EMR does not make it possible to burn a CD with a records or save them as a PDF. We have to print all records. So when we are providing these records our costs are well above $6.50 to produce them and mail.
Good question. Take a look at 42 USC 17935 (e) (1). If you click on this statute in the article the statute will appear in a separate window.
42 USC 17935 (e) (1) states “if the covered entity uses or maintains an electronic health record”, then “the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format . . . .”
I interpret this statute to require your EMR to be updated to allow it to produce medical records in an electronic form. I have not personally researched this interesting question but I suspect somewhere in The Health Information Technology for Economic and Clinical Health Act there is such a requirement.
There may be a simple technical solution to your question. When I want to print a document on my computer, I have several options. I can send the document to my printer for a hard copy, or I can send the document to “Adobe PDF” or “Microsoft Print to PDF” and that will create an electronic pdf file on my computer (as if I had scanned the document). Please feel free to email me directly at dpaletta@att.net if you want to explore that option further.
So helpful! Thank you!
I am new to the Hitech records request arena. This was extremely helpful especially considering the fact that I sought assistance from those more seasoned than me and they had no knowledge of what I was inquiring about.
Thank you
I have been using HITECH medical record requests for a few years now. Each year the process gets smoother. There are some medical records providers who waive the $6.50 fee.
Thank you for providing this information. If a medical office maintains both electronic and paper records, are they required to scan the paper records and provide them along with the electronic records pursuant to HITECH?
Good question. HITECH only applies to electronic records. The HITECH fee limitation does NOT apply to paper records. I specifically direct the health care provider to NOT send me paper records. See the sample Attorney Letter.
However, if I am aware there are paper records that are needed, I will request those paper records knowing that I will have to pay the copying fee for the paper records which is usually set by state statute.
You should also be aware that HITECH does NOT apply to psychiatric records. However, I have been pleasantly surprised that most hospitals provide me with psychiatric records at the lower HITECH rate.
This is gold! Thank you!
Is a medical office in violation of federal law if they do not have EMR or any other way of producing electronic medical records? Just now learning about HITECH.
I have never researched the issue – does the Hitech Act require a medical provider to have electronic records? It has certainly become the norm for almost all medical providers.
The old fashioned way of getting medical records with a HIPPA form is costly and time consuming. I’m thrilled to learn of an alternative means to get records. Thank you.
I agree. And, the more attorneys that use the HITECH option, the more health care providers will come to accept HITECH as the new norm.
How are you successful in receiving records with only the HITECH letter and not a HIPAA authorization? We have many providers who reject our requests stating they require an authorization with the HITECH letter. Have you experienced this and how do you think we can get them to fulfill our requests with only the HITECH request letter? Thank you!
How are you successful in receiving records with only the HITECH letter and not a HIPAA authorization?
I have had mixed success.
We have many providers who reject our requests stating they require an authorization with the HITECH letter.
I have had this experience also usually from the major medical facilities. I do not believe a health care provider can require a patient or his/her attorney to use the facilities’ unique authorization form. However, I go ahead and have my client sign the facilities’ unique authorization form because my goal is to get the records as quickly as possible and at the lowest cost possible. All of these facilities have billed me at the lower Hitech rate of $6.50 per set of records.
Have you experienced this and how do you think we can get them to fulfill our requests with only the HITECH request letter?
The question for each law firm is what battles do you want to fight over? I have chosen not to spend hours arguing with major medical facilities when I can get their unique authorization form signed by my client in a few minutes.
Do the HITECH rules of HIPAA(example fees)pertain to paper medical billing records(not medical records)sent to attorneys offices? Thanks so much.
Individuals have a right to access protected health information in a “designated record set”. Billing records are included in a “designated record set” pursuant to 45 CFR 164.501(1)(i).
However, the Hitech rules only apply when the health care provider maintains the information in an electronic format. Hitech rules do NOT apply to paper records. See 42 U.S.C. §17935 (e) (1).
As a provider can attorneys use The HITECH Act to obtain records to determine if a patient or former patient has an “actionable” case against the former provider?
I ask this because I have found myself receiving quite a number of requests for medical records coming directly from the attorneys with HIPAA Release forms and without a signature by the former patients.
Just curious if this is being used so the attorneys do not have to pay to receive medical records.
Thank you for your question.
First, both the HIPAA Act and the HITECH Act give patients the legal right to obtain copies of their medical records. The patient gets to choose which method to use for obtaining his/her medical records.
I do not understand your comment that you are receiving requests for medical records from attorneys “without a signature by the former patients”. The patient must sign either a proper HIPAA authorization or a proper HITECH request in order to obtain his/her medical records.
Although the request for records usually comes from the attorney, the attorney must always provide either a HIPAA authorization or a HITECH request signed by the patient. Without a signature from the patient, a request for medical records under either method is not valid.
Second, the legal right to obtain copies of medical records is held by the patient. The attorney is acting on behalf of the patient as his/her authorized representative. Usually, the HIPAA authorization or the HITECH request authorizes or instructs the records custodian to provide the records directly to the attorney.
Third, neither the HIPAA Act nor the HITECH Act place any limitations on the patient as to the purpose for his/her request. Thus, it makes no difference why the patient (or his/her attorney) is requesting the records. The records custodian must comply with the request.
Appreciate you sharing this information with colleagues. Such practice is only good for all and assures proper advocacy is practices in representation of our clients.
Thank you for sharing this information Attorney Paletta. I have run into my first roadblocks in utilizing a HITECH request for a client, and I expect your advice will help to ensure compliance. (Surprising that a nearly 10-year old federal law is still so difficult to enforce, no?)
– Attorney Johns (Connecticut)
Very interesting article. Out of curiosity, how does Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1080 (9th Cir. 2007) interact with your method. Is it that your model includes the client making his own request, which is merely forwarded to the provider by the attorney’s office?
Thank you so much for this post, Attorney Paletta! I have the same exact question as Jarrett. I read that case as well as Bocage v. Acton Corp._ 2018 U.S. Dist. and Rios v. Partners in Primary Care_ P.A._ 2019 U.S. Dist. I also looked at this link for guidance. LINK: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html My understanding is that it would be improper for the attorney to make a request, and that the patient should be the one making his or her own request instead of signing the request of the attorney. My understanding was also that the client’s own request could be forwarded to the provider by the attorney’s office.
Thank you for your comment and questions.
QUESTION 1. “How does Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1080 (9th Cir. 2007) interact with your method. Is it that your model includes the client making his own request, which is merely forwarded to the provider by the attorney’s office?”
REPLY.
The Webb case does NOT apply to the Hitech requests. The Webb case is based upon the HIPAA Act which is a different federal law with a different legislative history than the HITECH Act. However, even if the case applied, the form and procedure I use conform to the ruling in Webb.
Both the HIPAA Act and the HITECH Act give patients the legal right to obtain copies of their medical records. The patient gets to choose which method to use for obtaining his/her medical records.
Clearly, the patient MUST sign a proper HITECH request in order to obtain his/her medical records. The legal right to obtain copies of medical records is held by the patient, not the attorney.
QUESTION 2. “My understanding is that it would be improper for the attorney to make a request, and that the patient should be the one making his or her own request instead of signing the request of the attorney.”
REPLY. I agree. Please see the Request Form provided above. The patient MUST sign the HITECH request form.
QUESTION 3. “My understanding was also that the client’s own request could be forwarded to the provider by the attorney’s office.”
REPLY. I agree.
Federal law specifically recognizes the patient’s right to direct the covered entity to send the medical records to a designated person. See 42 USC 17935 (e) (1) quoted above. Clearly, (e) (1) means the patient can tell the provider to send medical records to the attorney.
A few records providers have taken the position that the HITECH request must physically come from the patient. I disagree and believe those providers are in direct violation of 42 USC 17935 (e) (1).