I hope my guide has helped you save money on medical records.
If you need to refer a personal injury case—or need local counsel—consider referring to us. We pay standard referral fees where State Bar rules allow. More info here: https://thelockefirm.com/attorney-referrals/
A guide for attorneys who need to request medical records but don't want to pay hundreds of dollars for them.
A significant part of our pre-litigation effort is getting our client’s medical records. By using the following system, we keep our medical records costs down—and I mean really down. We rarely pay more than $10 per provider.
This system takes invoices like this:
And turns them into this:
First, I’ll describe what’s different between HIPAA and HITECH requests. Then I’ll show you a HITECH request letter and our system for responding to objections about the HITECH letters. Everything I talk about you can download and immediately implement in your firm.
What’s different between HIPAA and HITECH requests?
The old way using HIPAA
Here’s how most lawyers request medical records: The lawyer sends a request to the medical provider with a HIPAA release. The medical provider prints out all the records and charges the statutory per page rate. The lawyer receives the paper records and dumps them into the physical file.
The old way invoice looks like this:
I was charged a “basic fee”—whatever that means—and the statutory per page fees, the shipping cost, and sales tax. The total is $143.12 for 119 pages of records.
The new way using HITECH
Here’s the new way to request medical records: The client signs a letter to the medical provider asking for his records. The lawyer fills out the provider information and sends it. The medical provider saves the records to a CD and charges the HITECH rate. The lawyer receives a CD with the medical records and it takes two seconds to save them to the electronic client file. They’ve also been exported from an electronic medical record system, so they’re natively searchable.
The HITECH invoice looks like this:
I was charged $156.62 for 135 pages of records. After I called and complained, they adjusted it down to $7.08.
HIPAA = $1.20 per page.
HITECH = $0.05 per page.
This HITECH stuff works
I’ve consulted with attorneys—and medical providers—across the country on HITECH requests. When done properly, these requests work.
Of course we use them ourselves, like here:
But don’t take my word for it!
Here’s one where a records company was trying to charge a firm about $80 for records (including $24 for one page of billing).
They followed the guide and here’s what happened:
Here’s another one where the provider reduced to the HITECH rate just by reading this article.
Here’s how to implement HITECH requests in your firm.
Our system to send HITECH letters and respond to objections from providers and medical records companies
We have the client sign two medical releases: a traditional HIPAA release and a HITECH request letter. The HIPAA release is so that we can communicate with the provider, third-party collections or subrogation agency, etc. You’ll also need it if you send a discovery request or subpoena for records. Don’t address it to a provider—if you leave that field blank you can reuse it.
The HITECH request must be sent from the patient to the provider—it’ll get denied if the provider believes a lawyer sent it. We have the client sign a letter making the HITECH request and directing the provider to send the records to us. You’ll see that medical records and billing records are separately called out—we kept getting medical records without billing, so now we make it really clear that we want both. Just like the HIPAA release, we don’t address it to a provider so we can reuse it.
In 2017, we used a letter that looked like a lawyer wrote it—it had footnotes, citations to law, etc. We started getting a lot of pushback from providers and third-party medical records services, so now the letter is very simple and contains no legal citations.
It looks like this:
Sending it to the provider
We send the HITECH to the provider by fax or mail (you should call them--sometimes they won't accept requests by fax). We used to send it with the HIPAA release, but this made the request smell like it came from a lawyer, so now we don't. Some providers want us to fax a HIPAA release when we call to check up on the request, others don’t.
I’ve sent the HITECH request to the provider in an envelope with our law firm return address, with the client’s return address, and with the return address blank. It doesn’t seem to make a difference 99% of the time. My guess is that no one really looks at the envelope.
Contesting the invoice
I’d say 70% of the time we send a HITECH request we get billed under the HIPAA per page rate. We’ll also get charged a basic fee or research fee—usually around $27—and they’ll charge sales tax on the whole thing. All of this is illegal.
When we get an illegal invoice, my paralegal immediately sends an email or fax telling them to send us a proper invoice pursuant to HITECH. We use TextExpander shared with the team, so when one of us types “xHITECH” a box pops up with options to include in the response. Because we have canned responses for the most common violations, responding to an illegal invoice only takes a few seconds. The benefit of TextExpander is both speed and accuracy—I can edit the response and know that the exact language I want is being sent out each time. TextExpander is only on macOS; use PhraseExpress or something similar on Windows.
Here are the canned responses formatted for TextExpander. All of these responses are included in the next section.
We also have various pages from the Federal Register highlighted for common issues so we can include those with the email.
If you’d like to hear more about how we put all this together, listen to Ryan talk about using HITECH to get cheap medical records on Schenk Smith’s podcast.
HITECH hijinks—Sample responses to baseless objections
(HHS has a pretty good Q&A page about the HITECH Act and how this all works--sometimes sending this link to a provider works well. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)
They send you an invoice that bills per page.
RESPONSE: Under the HITECH Act, the fee that any covered entity may impose for providing a copy of electronic health records “shall not be greater than the entity’s labor costs” in responding to the request. 42 U.S.C. § 17935(e)(2). The regulations make clear that the costs are limited to labor, the cost of supplies, and postage. See 45 C.F.R. 164.524(c)(4)(i)-(iii).
COMMENTARY: This initial pushback takes care of the vast majority of illegal invoices, particularly when they’re sent by a third-party electronic health record company. Small providers who are producing the records themselves but don’t do it all the time—think a rural podiatrist or dentist—will usually require some educating. A tipoff is when they send you an invoice that makes no sense under state law or HITECH. I received an invoice from a rural provider once that was just a handwritten “$40 for records” on a fax cover sheet. A phone call to explain to the office what they can charge is usually enough, particularly when you tell them they can simply email the records to you.
But sometimes providers and records companies have very specific objections to your request. Here’s a list of the objections I’ve received and the responses that have worked. (If you get an objection that isn’t on this list, email me and I’ll add it—firstname.lastname@example.org).
They give you some labor cost that’s really nuts.
RESPONSE: There are three ways a provider may choose from to determine the permitted labor charge-
1) Actual Cost
2) Average Cost
3) $6.50 flat rate.
If this cost is based on the actual cost in producing the records, please provide the contact information of the employee who compiled the records, their record of time spent collecting these records, and the calculations you used to arrive at your actual cost. If this cost is based on the average cost in responding to this request, please provide your calculations for arriving at the average cost.
If you would rather charge the flat rate, we will pay it.
COMMENTARY: I haven’t seen too much fight over the labor cost, but it is useful to point to the $6.50 flat rate. In the request letter I include language that pre-authorizes any charge under $20 but requires pre-approval for charges above that rate. This protects against gotcha billing.
They require you to submit a HIPAA release before they release the records to you.
RESPONSE: The Department of Health and Human Services has decided that a separate HIPAA authorization is not required under the HITECH Act. Federal Register Vol 78, No. 17, January 25, 2013, Pages 5634-35.
COMMENTARY: Usually we’ll send it to them, particularly since we’ll probably have to tell them to send the billing too. But if you don’t want to, or they’re trying to pull some bait and switch nonsense where they use the HIPAA release to “confirm” that it’s an attorney request, there’s the response.
They charge a “basic fee,” or a “retrieval fee,” or any type of cost that is not labor, postage, media, or certification.
RESPONSE: The fee that any covered entity may impose for providing a copy of e-health records “shall not be greater than the entity’s labor costs” in responding to the request. 42 U.S.C. § 17935(e)(2). The regulations make clear that the costs are limited to labor; the cost of supplies—in this case, the cost of a CD—; and postage. See 45 C.F.R. 164.524(c)(4)(i)-(iii). The Department of Health and Human Services has decided that “fees associated with maintaining systems and recouping capital for data access, storage, and infrastructure” cannot be charged to the patient, and this includes a “retrieval fee.” Federal Register Vol. 78, No. 17, January 25, 2013, Page 5636.
COMMENTARY: You will see this fee on every invoice, even if they send you one that they say is HITECH-compliant.
They charge you Georgia sales tax on the whole thing.
RESPONSE: Georgia imposes tax on the retail sales price of tangible personal property, certain services, and charges that are necessary to complete the sale of taxable property. Most services are exempt from tax, including services related to record retrieval. O.C.G.A. §§ 48-8-2(31), 48-8-30(f)(1). Postage is subject to tax. O.C.G.A. § 48-8-2(34)(A). Please revise your tax calculations to only include the cost of the media and the postage.
COMMENTARY: Hey, I’m no tax lawyer, but the Georgia law seems pretty straightforward on this. (I'm located in Georgia, by the way, so if you're in a different state your mileage may vary). They can tax you for the media and the postage, but not for the labor cost. I usually include this one when I’m contesting the basic fee.
The patient request letter is actually an attorney letter.
RESPONSE: A patient may request his own medical records and ask that they be sent to a third party. The Department of Health and Human Services requires this type of request to be in writing, include the patient’s signature, and identify the person to whom the records are sent. Federal Register Vol. 78, No. 17, January 25, 2013, Page 5634. You were sent a letter, signed by your patient, directing you to send these records to me. Thus, this letter is a HITECH request and you are subject to that law’s cost-limiting provisions.
COMMENTARY: Every once in a while a provider or records company will argue that the letter is actually an attorney request. They’ll say because it was faxed from my office or the records are “obviously” going to be used in a legal case that it’s not a proper HITECH request. Fun arguments to make with them are: (1) How do you know the patient didn’t fax this to you using our machine? (2) If it’s sent in the mail, is it now a request from the US Postal Service instead of the patient? Do they now have to pay for the records (Tell me if they say yes to this). It’s all nonsense.
(3/22/2018 update) I've always treated this objection with derision because it's just not supported in the law. Apparently CIOX agrees with me, becuase they filed a complaint in the US District Court for DC against HHS for declaratory and injunctive relief. CIOX believes that HHS exceeded their rulemaking authority with the 2013 rulemaking about HITECH (the stuff from the Federal Register that's linked above). One of their arguments is the same one here: that the "Patient Rate" established by HIPAA and HITECH were never meant to apply to "for-profit commercial businesses." Paragraph 42 of the complaint has the best language:
You could include this language in any pushback with CIOX: Your company has taken the position that HHS requires "healthcare providers and their affiliates to fulfill patient requests to transfer their PHI directly to a third party regardless of whether the underlying PHI was or was not contained in an EHR." Complaint at ¶ 42, CIOX Health, LLC v. Azar et al., (D.D.C. 2018) (Case No. 1:18-cv-00040-APM).
(4/24/2018 update): HHS has filed a motion to dismiss in the case and included some useful language:
This can be cited as Defendant's Motion to Dismiss at p. 6, CIOX Health, LLC v. Azar et al., (D.D.C. 2018) (Case No. 1:18-cv-00040-APM). Here's a copy of the motion.
(10/20/2018 update): Ciox and HHS have filed cross motions for summary judgment and there’s some good language in these new filings.
Ciox’s Combined Reply Memorandum in Support of its Motion for Summary Judgment and in Opposition to Defendants’ Cross-Motion for Summary Judgment spends most of its time on its Administrative Procedures Act arguments.
The most exciting thing for us is that Ciox agrees that HITECH’s Third Party Directive requires covered entities to send electronic health records to third parties at the patient’s request on page 7:
In HHS’s Memorandum in Support of Defendants’ Opposition to Plaintiff’s Motion for Summary Judgment and Cross-Motion for Summary Judgment, the government describes the 2013 changes to the Privacy Rule starting at page 7.
Here’s language confirming that HHS intended for the HITECH rates to apply when PHI is sent to third parties:
Most of the brief is about the Administrative Procedures Act and whether the rule making was proper, is entitled to Chevron deference, etc. HHS gets back to individual requests to send PHI to third parties at page 27:
HHS explains why retrieval costs cannot be charged to an individual at page 30:
HHS also talks about how covered entities can calculate reasonable, cost-based fees. The important point is that covered entities are not limited by the three ways to calculate reasonable fees that HHS suggests (actual costs, average costs, or a flat-rate fee). But a per-page fee will always be unreasonable. Here’s that part at page 33:
The citation is CIOX Health, LLC v. Azar et al., (D.D.C. 2018) (Case No. 1:18-cv-00040-APM).
You cannot get the records certified; or, when you want the records certified you have to pay the per-page rate; or, certification costs more than the State rate.
RESPONSE: The Department of Health and Human Services has made clear that a patient may request a certified copy of his records under the HITECH Act, but the cost of preparing the affidavit is not subject to the fee limitations of HITECH. Federal Register Vol. 78, No. 17, January 25, 2013, Page 5636. Although federal law does not limit the cost of certifying the records, Georgia law does; the maximum fee that a provider may charge to certify records is $9.70. O.C.G.A. § 31-33-3; https://dch.georgia.gov/medical-records-retrieval-rates.
COMMENTARY: This response is a little nuanced, so it can be understandably confusing to non-lawyers. The idea is that HITECH specifically carves out certification fees from its scope, so we have to look to state law next. In Georgia, there is a statute that limits certification fees, so the provider can't charge more than what Georgia allows.
Thanks to Blade Thompson, here’s the law for Alabama and Florida:
The maximum fee a notary public may charge in Alabama is $5. Ala. Code 36-20-74.
The maximum fee a notary public may charge in Florida is $10. Fla. Stat. 117.01.
Imaging films are not subject to HITECH.
RESPONSE: Under the HITECH Act, an “electronic health record” means “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” 42 U.S.C. § 17921(5). When a covered entity “uses or maintains an electronic health record with respect to protected health information of an individual” then the individual has a right to obtain an electronic copy, to direct the provider to transmit the copy to the entity of his choice, and only be charged the covered entity’s labor cost in responding to the request. 42 U.S.C. § 17935(e). Regulations make clear that the costs are limited to the labor cost, the cost of supplies, and postage. 45 C.F.R. 164.524(c)(4)(i)-(iii). Because the imaging was created and gathered in an electronic format, it is subject to the HITECH Act. Please produce the imaging files on a CD.
COMMENTARY: All electronic medical records are covered by HITECH, and the definition for electronic medical record is very broad. Pretty much the only time records do not fall under the HITECH Act is when the records were created on paper and no one has scanned them. The only providers who still keep handwritten records in paper format seem to be small mom-and-pop-type practices in rural areas. I have yet to run across imaging that is not kept in an electronic format. If I do, it would almost certianly be worth paying full freight so I can wave a big-ass x-ray around the courtroom.
(3/22/2018 update): Apparently CIOX believes that HHS's 2013 rulemaking requires all medical records to be produced through HITECH, whether the records are electronic or not, because they said that in a complaint they filed against HHS. I'm not so sure, but then again I don't work at Kirkland Ellis like CIOX's lawyers--so maybe they are right.
Here's the language you could use with CIOX: Your company has taken the position that HHS requires "healthcare providers and their affiliates to fulfill patient requests to transfer their PHI directly to a third party regardless of whether the underlying PHI was or was not contained in an EHR." Complaint at ¶ 42, CIOX Health, LLC v. Hargan et al., (D.D.C. 2018) (Case No. 1:18-cv-00040-APM).
The HITECH Act requires a request by the patient for records to be released to them personally or to their personal representative, and Georgia requires a Healthcare Power of Attorney in order to be a personal representative.
RESPONSE: A patient may request his own medical records and ask that they be sent to a third party. The Department of Health and Human Services requires this type of request to be in writing, include the patient’s signature, and identify the person to whom the records are sent. Nothing else is required. The third party does not need to be a personal representative of the patient. Federal Register Vol. 78, No. 17, January 25, 2013, Page 5634.
COMMENTARY: This objection is conflating two things: who may make a HITECH request and who may receive records from a HITECH request. Only a patient or the patient’s personal representative may make a HITECH request. But anyone in the world can receive the records from a HITECH request.
There are paper copies that could be scanned but the provider doesn't want to scan them.
RESPONSE: Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual. 45 CFR 164.524(c)(2)(i). Please also see this guidance from HHS: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. I’ve attached screenshots of the pertinent parts:
COMMENTARY: The good news: They still have to scan them and send them to you electronically! But the bad news is that they can charge you the labor cost in scanning them. The labor cost has to be the actual labor cost and that the time has to be the actual time spent.
They play word games about what a medical record is.
RESPONSE: HIPAA, as amended by the HITECH Act, requires that you produce your patient’s protected health information in the patient’s designated record set. HIPAA defines the “designated record set” as (1) the medical records and billing records about individuals maintained by or for a covered health care provider, and (2) the records used, in whole or in part, by or for the covered entity to make decisions about individuals. 45 CFR § 164.524(a). The Department of Health and Human Services’ Office of Civil Rights described the information you are required to produce as “medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or ‘SOAP’ notes … but not including psychotherapy notes …), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals….” https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html.
COMMENTARY: Some medical providers will claim that some part of their records are not medical records. The records they’re required to produce—the designated record set—is quite expansive and includes pretty much anything used to make decisions about a patient’s care. Note that billing records are specifically included in this definition.
They claim that they don’t have to produce “information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”
RESPONSE: HIPAA, as amended by the HITECH Act, requires that you produce your patient’s protected health information in the patient’s designated record set. HIPAA defines the “designated record set” as (1) the medical records and billing records about individuals maintained by or for a covered health care provider, and (2) the records used, in whole or in part, by or for the covered entity to make decisions about individuals. 45 CFR § 164.524(a).
There are two categories of information that are excluded from the designated record set:
(1) Psychotherapy notes, 45 CFR 164.524(a)(1)(i) and 164.501; and
(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. 45 CFR 164.524(a)(1)(ii).
Thus, the designated record set is the patient’s medical record except for psychotherapy notes or information compiled for use in a court proceeding.
The fact that the designated record set does not include information compiled for use in a court proceeding has nothing to do with the purpose for requesting the designated record set. The anticipation of litigation exception applies to the designated record set, not the right of access. HIPAA expressly permits patients to request their designated record set—and have it be sent to a third party—for use in a court proceeding.
COMMENTARY: This objection is a new one and comes from providers conflating what is included in the record set with the purpose for requesting the record set. The patient's designated record set is essentially all the medical records except for psychotherapy notes and stuff prepared for court. This is completely different from why the patient is requesting the designated record set. The patient can be requesting it for court, to sue the doctor, to wallpaper their house, whatever. The medical provider still has to turn it over at the HITECH rate.
If they’re just not listening to reason.
RESPONSE: My client’s letter meets all legal requirements. By law, you must provide the records at a fee no greater than your labor costs. Additional fees are allowed for the cost of media and postage.
As you know, compliance with HIPAA (as amended by the HITECH Act) and regulations are enforced by Department of Health and Human Services’ Office of Civil Rights. In the event you fail to respond to this email or fail to comply with the HITECH Act, my client has authorized me to file a Complaint with the Office of Civil Rights and our state’s Attorney General. Both the medical provider and the third-party records company may be fined up to $1.5 million dollars for violating
Please provide me with an invoice that complies with the law and we will promptly pay it.
If you disagree with my recitation of the HITECH Act and the regulations interpreting it, please forward my client's original HITECH Act Request, along with a copy of this email, to your general counsel's office.
COMMENTARY:Sometimes you have to threaten to drop the hammer. A complaint can be filed with HHS’s Office of Civil Rights online: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
The potential penalties are tiered depending on the covered entity’s culpability, set out in 42 USC § 1320d-5:
The covered entity or business associate did not know about reasonable should not have known of the violation
$100 - $50,000 per violation
The covered entity knew, or by exercising reasonable diligence would have known, that the act or omission was a violation
$1,000 - $50,000 per violation
The violation was a result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, but the covered entity or business associate corrected the violation within 30 days of discovery
$10,000 - $50,000 per violation
The violation was a result of conscious, intentional failure or reckless indifference and the covered entity or business associate DID NOT correct the violation within 30 days of discovery
At least $50,000 per violation
Each covered entity and business associate is limited to $1.5 million of fines each calendar year.
A covered entity will be liable for the violations of its business associate when they act as the covered entity’s agent. The agency relationship is goverend by federal law, which will find an agency relationship where the potential agent’s actions can be directed or controlled during the course of performance of its duties, regardless of whether actual direction or control occurrs. 45 CFR § 160.402(c).
ALSO, there is a right of enforcement through State Attorneys General and courts can award attorneys fees to the State. 42 USC § 1320d-5(d).
There is no private right of action under HIPAA. Dodd v. Jones, 623 F.3d 563, 569 (8th Cir. 2010).
I hope this guide to HITECH requests and responses has been useful. Please email me if you have suggestions for improvement (email@example.com).
If you need to refer a personal injury case—or need local counsel—consider referring to us. We pay standard referral fees where State Bar rules allow. More info here: https://thelockefirm.com/attorney-referrals/