HITECH Act Medical Records Fee: Getting Records Cheaply Using the HITECH Act

Stop paying hundreds of dollars for your own medical records and use the HITECH Act to get records for less than $10.

By: Matt Wetherington and Sarah Quinn

The Health Information Technology for Economic and Clinical Health Act (HITECH ACT) was a part of the American Recovery and Reinvestment Act signed in February 2009 during the Obama administration. It introduced several changes to the HIPAA Privacy Rule, including increased penalties for health care providers for violations of HIPAA Rules and changes to the requirements for breach notifications by covered entities.

The ultimate goal of the HITECH Act is to better serve patients by encouraging medical providers to invest in progressive health information technology. The Act encourages health care providers to use electronic health records (EHR), giving patients more ease of access to their protected health information, thus empowering them to be advocates of their own health.

The Office for Civil Rights, Department of Health and Human Services, is in charge of implementing and carrying out the goals of HITECH. Covered entities can charge for providing medical records while adhering to restrictions on costs, including the prohibition against charging for searching or retrieving records.

What is a HITECH Request?

A HITECH request refers to a patient’s request for their healthcare records under the provisions of the HITECH Act. This act encourages the use of EHR by healthcare providers and allows patients to request an electronic copy of their health records at a reasonable cost. The process involves submitting a formal request to the healthcare provider specifying that the request is made under the HITECH Act and often specifying the desired format and method of delivery. This enables patients to obtain their health records electronically, potentially at a lower cost and with faster response times than traditional paper-based requests.

The HITECH Act promotes the concept of electronic health records-meaningful use (EHR-MU). Meaningful use is illustrated by the use of certified electronic health record technology that’s connected in a way that improves the quality of care for patients. There are “5 pillars” of the meaningful use concept which include: improving quality, safety, efficiency, and reducing health disparities; engaging patients and families in their health; improving care coordination; improving public health; and ensuring adequate privacy and security protection for personal health information.

Legal Rights to Access Records

The Privacy Rule, pursuant to 45 C.F.R. § 164.524(a)(1), grants individuals the legal right of access to obtain their protected health information in a “designated record set.” A designated record set includes the medical and billing records of an individual. The important thing to note is that a client’s designated record set is not limited to just the medical records, and it does not exclude things like imaging studies. It includes imaging and itemized billing. It is still reasonable to specifically request a copy of the billing records, as some healthcare providers often have separate billing departments.

Pursuant to 42 U.S.C. § 17935(e), individuals have the right to obtain a copy of their protected health information in electronic format and may designate the records be sent to an entity or personal representative of their choosing. Furthermore, the only fees that can be charged are cost-based fees for labor for the production of the responsive protected health information.

How to Request Medical Records Using HITECH Act

To obtain medical records using the HITE Act, follow these steps:

1. Submit a Written Request: Address your request to the healthcare’s records department. Specify that you are requesting the records under the HITECH Act and that you prefer electronic copies.
2. Include Essential Information: Provide your full name, date of birth, social security number (if), and any specific dates of service if you are only requesting records for certain visits.
3. Specify Format and Delivery Method: Indicate your preference for the format of the electronic records and the delivery method, such as via email, CD, or USB drive.
4. State Purpose if Necessary: If required, mention the purpose of your request, which can facilitate the processing of your records.
5. Acknowledge Fee Understanding: Acknowledge your understanding that there could be a reasonable, cost-based fee associated with the retrieval, copying, and mailing of the electronic medical records, though it is typically lower than the cost of paper records.
6. Sign the Request: Ensure that you sign the request to validate it. If you are requesting records for someone else, you may need to provide proof of your authority to make such a request (e.g., power of attorney, guardianship documents).
7. Follow Up: If you haven’t received your records within 30 days of your request, follow up with the healthcare provider. The HITECH Act requires providers to comply within 30 days, with a possible one-time extension of 30 additional days.

Sample HITECH Request Form/Letter

The inquiry process is basically identical to using a HIPAA request; one should still call the provider to find out how they process requests prior to sending the letter. The only difference is to ask the provider how the client can request their own medical records, not how the law firm can request them. Beware of getting directed to the “legal department” when calling larger facilities as the fax numbers and addresses they give are usually specifically for law firms, and the HITECH Act does not apply to requests that come from law firms. Here is a sample HITECH request form/letter for download.

When a written request is submitted to a healthcare provider, such entity must comply with the following “implementation specifications” pursuant to 45 C.F.R. § §164.524(c)(1-4):

• The healthcare entity must provide the access requested and need only produce it once,
• The healthcare entity must provide the records in the form of access requested by the individual.
• The healthcare entity must provide them in a timely manner (no later than 30 days after receipt of the request).
• The healthcare entity must comply with the cost-based fee structure.

The cost-based fees that can be charged are only the following:

1. Labor for copying.
2. Supplies for creating the paper or electronic media.
3. Postage for mailing.
4. Preparing an explanation or summary of the protected health information.

Under these Rules, an individual should be able to obtain their electronic medical records at a low cost within 30 days of the request. These costs can include various labor expenses related to fulfilling the request, but other costs like search and retrieval fees are not permissible under HIPAA regulations.

One reason for requesting records in electronic format, other than the fact that the HITECH applies to records in electronic format, is to eliminate additional charges that healthcare providers will likely try to ascribe. If it’s not specified that the client wants their records electronically, the provider almost always goes with paper format, even if their records are kept electronically, because they can charge more that way. 

However, under the HITECH Act, they must comply with the fee structure pursuant to 45 CFR 164.524(c)(4) or they are violating HIPAA. If the records are requested via fax or email, this also eliminates any fees for supplies for CDs and any postage associated with sending the records by mail.

If a medical provider does not contain their medical records electronically, they must still produce the records in the format requested by the individual. They can do this easily by scanning the paper copies into .pdf format. Many larger healthcare providers don’t waste their time calculating actual cost-based labor fees, and instead, they charge a flat rate of $6.50 suggested by The Office for Civil Rights, Department of Health and Human Services (“Individuals’ Right under HIPAA to Access their Health Information,” 2016). This is the most ideal outcome, but not necessarily the most likely.

HITECH Act Medical Records Fee

While getting medical records for under ten dollars sounds great, it is not necessarily always that simple. There may be some pushback associated with using this method to obtain medical records. It stems mostly from smaller providers that have never even heard of the HITECH Act and simply charge the fee structure their entity uses for everyone, usually state-mandated. 

There is typically a basic fee or a retrieval fee that is usually over twenty dollars, a per page copy fee, a shipping or mailing fee, and sometimes even sales tax. These fees are not compliant with the Privacy Rule’s cost-based fees for labor. Firms must be prepared to expect this rebuff when using the letter, especially from local or smaller providers. Larger hospital systems are generally charging the flat rate fee of $6.50. Without the “HITECH letter”, and with providers charging the basic fee, they could charge $25.00 for literally one page of electronic records.

More than likely, sending a “HITECH letter” will involve disputing an invoice. This will usually involve contesting the basic retrieval fee and a high per page copy fee. While this may be easier for them than calculating the actual labor associated with processing the request, it constitutes a HIPAA violation for them to charge these amounts without any true calculation of labor. Many times, the conversation may involve asking them to itemize how they came to the actual cost, and most times they can’t. 

The retrieval fee and the per page fee are not determined by the cost of labor. If firms aren’t getting paper copies, there shouldn’t be much labor involved in producing records via fax or email. Be prepared to call the custodian of records to have them send a corrected invoice that is compliant with the HIPAA regulated fee structure. Some providers often try to avoid providing an updated invoice as it “takes up more of their time.” However, the provider may come back and say the firm is delinquent on a payment down the line, so be certain to obtain the corrected invoice.

Dealing with Pushback

Another example of a pushback is that “the request came from an attorney’s office

This argument, hopefully, is not typical for many firms. If they suspect it came from an attorney’s office, this will get the request denied as the HITECH Act does not apply to requests from law firms. However, if one gets this rebuttal from a healthcare provider, there is not much that can be done on their end to prove that it came from an attorney. The letter itself is signed by the client, and the client likely reviewed the language of the letter and approved it when signing all the documents to retain the attorney.

At the end of the day, as a client’s “personal representative” it’s imperative to obtain a copy of their PHI. It shouldn’t matter where it is faxed or mailed from. Some ways to avoid this include removing any legal jargon in the letter such as citing the Rule, and don’t use the firm’s letterhead. The letter needs to appear as though coming directly from the client. No client is going to use phrasing like “Pursuant to…” so keep it short and simple, similar to the aforementioned example.

Many healthcare providers may try to limit the type of records that are considered part of a designated record set. They typically claim that imaging films are not included in this set. However, as previously mentioned, this is not the case. An individual is entitled by law to their complete medical record, which includes their imaging studies, as they are already electronic.

Handling Disputes

Some firms may choose to dispute invoices in writing, and some covered entities require it. A sample letter may look something like the following: This firm represents your patient who requested their own complete medical records and billing records from your facility and asked that the invoice be sent to our firm on _. We are in receipt of your invoice in the amount of. Pursuant to 45 C.F.R. § 164.524(a)(1), an individual has the legal right to access their own medical records in electronic format and have them sent to their personal representative.

In addition, this Rule states that only reasonable, cost-based fees for the labor associated with production are acceptable fees to charge that individual pursuant to 45 C.F.R. 164.524(c)(4). This cost may not include a search or retrieval fee. This fee may only include labor, postage, supplies, and/or a fee for the summary or explanation of the protected health information.

Please provide our firm with an updated invoice that reflects the actual costs of labor not to exceed $6.50. If you have any questions or concerns, please do not hesitate to contact me directly to discuss this further. Thank you for your assistance, and I look forward to hearing from you. Some providers become very angry when they are challenged regarding their normal fees. Many will threaten to withhold the records for as long as possible. As previously stated, by law they must produce the records within 30 days.

However, if someone is giving this much hassle and is threatening to withhold the client’s records intentionally, it might be reasonable to ask to speak to a supervisor. If this leads to an angrier custodian or a dial tone after a hang-up, call back to let them know about the potential to file a complaint with the Office for Civil Rights, Department of Health & Human Services. When they realize that their acts may be punishable by law, they will usually go ahead and produce the records timely. Not complying with the Privacy rule can result in penalty fines for which they are directly liable.

It goes without saying that no matter how disgruntled an employee at a provider’s office may become, it is important to remain professional and courteous. It is not unthinkable that some may curse, hang up, yell or even make up stories as to why the fees they charged are correct. They really get creative with how to subvert the HITECH and validate charging their patients an arm and a leg for their own records.

Contact Our Medical Malpractice Attorney

Caveats to Using the HITECH Letter

There are some caveats to using the “HITECH letter” to obtain medical records cheaply. The first is that medical providers only need to provide a patient’s designated record set once. If a firm requests their clients’ protected health information, or complete medical records, and it’s provided, the provider has no obligation to send the same health records if another request is submitted for the same client in the future. That is why, in some cases, it might be better to wait until a client is done treating before submitting a “HITECH request.”

The second is that they can charge more than the flat rate. In some cases, as long as the costs are reasonable, and the records are in electronic format, the provider may calculate actual labor costs that exceed the flat rate of $6.50. They may also charge a certification fee which is usually around $10.00. Some states, like Georgia, cap the certification fee to a certain amount. For example, Georgia’s is $9.70.

To reiterate, it is not necessary to send a HIPAA authorization with the HITECH letter. It appears as though it is coming from a law firm or similar entity. When this happens, a medical provider can deny the “HITECH request” and charge state-mandated fees for a copy of the records. Be cautious if they state they also need a HIPAA authorization to process the request.

Lastly, there are only two categories of protected health information excluded under the Privacy Rule. These include: 1) psychotherapy notes, the personal notes of a mental health care provider; and 2) information collected for use in a civil, criminal, or administrative action or proceeding.

Furthermore, there are limited circumstances that constitute grounds for denial. They include the following: 1) the request is for psychotherapy notes; 2) the request comes from an inmate at a correctional institution and providing it would jeopardize their health or safety; 3) the PHI is part of a research study still in progress; 4) the requested records are in Privacy Act protected records; 5) the requested records were obtained by someone other than a healthcare provider. However, if the healthcare provider denies access to part or all of the protected health information, they must do so in writing.

Conclusion

In closing, becoming familiar with the Privacy Rule and how the HITECH Act helps enforce it is integral to ensuring law firms are receiving the most reasonable cost for the protected health information of their clients. The real challenge is being able to courteously contest invoices to make sure that healthcare providers are compliant with the fee structure of the Privacy Rule and aren’t overcharging individuals for the protected health information and violating HIPAA.

Realistically, if all firms begin requesting records using the “HITECH letter,” then providers will become accustomed to its usage, and there will be less of a need to dispute invoices for medical records. In time, all clients’ medical records and bills will be affordable in electronic format, which is the ultimate goal of the HITECH Act.

Contact Our Medical Malpractice Attorney

Fancy things to cite in your dispute letters:

(2015). Notice of Proposed Rulemaking to Implement HITECH Act Modifications. Office for Civil Rights. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/guidance/proposed-rulemaking-to-implement-hitech-act-modifications/index.html

(2016). Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524. Office for Civil Rights. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs%fillpartend%

(2017). Meaningful Use. Centers for Disease Control and Prevention. Retrieved from https://www.cdc.gov/ehrmeaningfuluse/introduction.html

42 U.S. Code § 17935- Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format. Cornell Law School. Retrieved from https://www.law.cornell.edu/uscode/text/42/17935

45 CFR 164.524 – Access of Individuals to Protected Health Information. Cornell Law School. Retrieved from https://www.law.cornell.edu/cfr/text/45/164.524

What is the HITECH Act? HIPAA Journal. Retrieved from https://www.hipaajournal.com/what-is-the-hitech-act/

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records? HIPAA Journal.