The HITECH Guide

I’m trying to reach 200 reviews on Google. If this guide has helped you save money on medical records, I would really appreciate a five star review: https://goo.gl/0GeBIs

If you need to refer a personal injury case—or need local counsel—consider referring to us. We pay standard referral fees where State Bar rules allow. More info here: https://thelockefirm.com/attorney-referrals/


Ryan Locke’s guide to getting medical records for cheap 2.0

(What’s old is new again)

January 6, 2022 update: One year later and not much has happened with HHS’s proposed rule making. The Department extended the notice and comment period to May 6, 2021, but has not published anything related to this rule since then. Hopefully we’ll see movement soon!


Last updated January 25, 2021.

**The comment period for HHS’s notice of proposed rulemaking is open until March 22, 2021. Leave a comment about how the HITECH Act helps your clients.

Heraclitus, the Greek philosopher, said change is the only constant in life. That’s very much true with the law concerning requesting a client’s medical records. Before this year, a client could request his medical records and have them sent to his lawyer and the request was subject to a fee limitation under HITECH. In late January 2020, the Azar decision removed the fee limitation for third-party directives (when the client wants the records sent to someone else). The other protections of HITECH remained, but medical record companies quickly went back to charging a per page rate. In May 2020, HHS published rule making in the Federal Register about the 21st Century Cures Act, a 2016 law that amended portions of the HITECH Act, which signaled that HHS still considered cheap and easy patient access to medical records a priority, but did not fix the problem created by Azar.

But what’s old is new!

HHS published a notice of proposed rulemaking in mid-December 2020 that reinstates the fee limitation for third-party directive HITECH requests and shortens the time for providers to produce the records to 15 days. This rule will likely take effect in the second half of 2021.

So what's the current law and how can you get medical records for cheap again?

HITECH requests are still available--so long as the client designates you as his personal representative

The HIPAA Privacy rule has always required covered entities (medical providers and their business associates) to treat an individual's personal representative as the individual with respect to their protected health information. 45 CFR § 164.502(g). The personal representative "stands in the shoes" of the individual and can authorize disclosures of the individual's protected health information. This means that if your client designates you as his or her personal representative, you can submit a HITECH request on their behalf, pay for the records, and receive them--all while gaining the benefit of the HITECH fee limitation because you are standing in the shoes of the client.

I have my clients sign an authorization that says:

"Under 45 CFR 164.502(g), I designate Locke Law Firm as my personal representative for the purpose of disclosure of my protected health information from a covered entity or business associate as defined in 45 CFR 160.103. This authorization remains valid for 2 years from the date of signature unless I revoke it in writing."

I include this authorization with a HITECH request that tells the provider to send the medical records to their personal representative--me! It looks like this:

2020-07-09_18-35-54.png

The 21st Century Cures Act doesn't apply to requesting records now, but it will help us in the future.

The Cures Act prohibits "information blocking," which essentially are practices that limit the availability and use of electronic health information. The Act prohibits rent-seeking, opportunistic fees, and exclusionary practices that interfere with the access, exchange, and use of electronic health information. But 45 CFR 171.302 contains exceptions to the Act's fee limitations. This regulation says that a company cannot charge fees for the electronic access of an individual's electronic health information by the individual, their personal representative, or another person or entity designated by the individual--but only when the information is requested where no manual effort is required to fulfill the request. 45 CFR §§ 171.302(b)(2) and (d). This means that when electronic health information is available through an API, or a patient portal, or a third-party app, companies can't charge the patient to access their own data. But it's no help for limiting the fees charged when we request medical records now. There is some very good language in the Federal Register about HHS's general thinking concerning patients having access to their own medical records, including: --"EHI should not be treated as a commodity that should be traded or sold. ONC takes this approach because we view patients as having an overwhelming interest in EHI about themselves, and because we understand that the true value of EHI can only be realized if it is available where and when it is needed, including providing electronic access to patients. Patients have already effectively paid for their health information, either directly or through their employers, health plans, and other entities that negotiate and purchase health care items and services on their behalf." 85 FR 25886 (May 1, 2020) --"We also emphasize that a majority of the EHI has been generated and recorded in the course of furnishing health care services paid with public dollars through Federal programs, including Medicare and Medicaid, or directly subsidized through the tax preferences for employer-based insurance. Yet, this EHI is not readily available when and were it is needed. We believe that the overwhelming benefits of publishing certified APIs that allow EHI from such technology to be accessed, exchanged, and used without special effort far outweigh the potential burden on [developers]." 85 FR 25761 (May 1, 2020).


How can I implement this? 

First, I’ll describe what’s different between HIPAA and HITECH requests. Then I’ll show you a HITECH request letter and our system for responding to objections about the HITECH letters. Everything I talk about you can download and immediately implement in your firm.

What’s different between HIPAA and HITECH requests?

The old way using HIPAA

Here’s how most lawyers request medical records: The lawyer sends a request to the medical provider with a HIPAA release. The medical provider prints out all the records and charges the statutory per page rate. The lawyer receives the paper records and dumps them into the physical file.

The old way invoice looks like this:

Image 12-9-17, 1-15 PM.4b4073b264dc4a9c9a04421476e5f070.jpeg

 

I was charged a “basic fee”—whatever that means—and the statutory per page fees, the shipping cost, and sales tax. The total is $143.12 for 119 pages of records.

The new way using HITECH

Here’s the new way to request medical records: The client signs an authorization making you his or her personal representative and a letter to the medical provider asking for his records. The lawyer fills out the provider information and sends it. The medical provider saves the records to a CD and charges the HITECH rate. The lawyer receives a CD with the medical records and it takes two seconds to save them to the electronic client file. They’ve also been exported from an electronic medical record system, so they’re natively searchable.

The HITECH invoice looks like this:

Image 12-9-17, 2-02 PM.3027f9ae33444439bbdbf20e7aa1d646.jpeg

 

I was charged $156.62 for 135 pages of records. After I called and complained, they adjusted it down to $7.08. 

HIPAA = $1.20 per page.

HITECH = $0.05 per page.

This HITECH stuff works

I’ve consulted with attorneys—and medical providers—across the country on HITECH requests. When done properly, these requests work.

Of course we use them ourselves, like here:

Screenshot 2018-10-11 10.10.51.png

But don’t take my word for it!

Here’s one where a records company was trying to charge a firm about $80 for records (including $24 for one page of billing).

Screenshot 2018-10-06 12.31.40.png

They followed the guide and here’s what happened:

Screenshot 2018-10-06 12.31.57.png

Here’s another one where the provider reduced to the HITECH rate just by reading this article.

Screenshot 2018-10-06 12.09.12.png

Here’s how to implement HITECH requests in your firm.


Our system to send HITECH letters and respond to objections from providers and medical records companies

The paperwork

We have the client sign two medical releases—a traditional HIPAA release and a HITECH request letter—and an authorization that appoints my firm as the client’s personal representative under 45 CFR 160.103. The HIPAA release is so that we can communicate with the provider, third-party collections or subrogation agency, etc. You’ll also need it if you send a discovery request or subpoena for records. Don’t address it to a provider—if you leave that field blank you can reuse it.

The HITECH request must be sent from the patient to the provider, but with the personal representative authorization we are standing in the shoes of the client. We still have the client sign a letter making the HITECH request and directing the provider to send the records to us. You’ll see that medical records and billing records are separately called out—we kept getting medical records without billing, so now we make it really clear that we want both. Just like the HIPAA release, we don’t address it to a provider so we can reuse it.

The letter looks like this:

2020-07-09_18-35-54.png

 

Here’s a copy of the letter in docx format.

Caveat for disability benefit attys: OCGA 31-33-3(a) makes medical records free if they’re for an application for a disability benefits program. (Thanks to reader Justin for pointing this out).

HITECH hijinks—Sample responses to baseless objections

(HHS has a pretty good Q&A page about the HITECH Act and how this all works--sometimes sending this link to a provider works well. This is the page: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)


The number one pushback you will get is that a personal representative cannot make a HITECH request for the client.

This is some cutting-edge stuff, so they will push back on it. Try sending them to HHS’s webpage about personal representatives (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html).

If that doesn’t work, file a complaint with the Office of Civil Rights immediately. They agree with our interpretation that a personal representative’s request is subject to the HITECH fee limitations, but it will take a while before the big medical record companies realize this.

Here are objections that used to come up all the time and responses to them. I’m keeping them here just in case but it seems like there isn’t much pushback around these areas (and there wasn’t in the leadup to Azar either).

They send you an invoice that bills per page.

RESPONSE: Under the HITECH Act, the fee that any covered entity may impose for providing a copy of electronic health records “shall not be greater than the entity’s labor costs” in responding to the request. 42 U.S.C. § 17935(e)(2). The regulations make clear that the costs are limited to labor, the cost of supplies, and postage. See 45 C.F.R. 164.524(c)(4)(i)-(iii). The US Department of Health & Human Services permit you to charge $6.50 as a flat rate or calculate the average or actual cost for provided these electronic records, whichever is most appropriate for the circumstances. However, the fees charged must be “withing the boundaries of what is permissible under the Privacy Rule.” See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/clarification-flat-rate-copy-fee/index.html.

COMMENTARY: This initial pushback takes care of the vast majority of illegal invoices, particularly when they’re sent by a third-party electronic health record company. Small providers who are producing the records themselves but don’t do it all the time—think a rural podiatrist or dentist—will usually require some educating. A tipoff is when they send you an invoice that makes no sense under state law or HITECH. I received an invoice from a rural provider once that was just a handwritten “$40 for records” on a fax cover sheet. A phone call to explain to the office what they can charge is usually enough, particularly when you tell them they can simply email the records to you.

But sometimes providers and records companies have very specific objections to your request. Here’s a list of the objections I’ve received and the responses that have worked. (If you get an objection that isn’t on this list, email me and I’ll add it—ryan@thelockefirm.com).

 

They give you some labor cost that’s really nuts.

RESPONSE: There are three ways a provider may choose from to determine the permitted labor charge-

1) Actual Cost

2) Average Cost

3) $6.50 flat rate.

See http-//www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/#newlyreleasedfaqs%fillpartend%

If this cost is based on the actual cost in producing the records, please provide the contact information of the employee who compiled the records, their record of time spent collecting these records, and the calculations you used to arrive at your actual cost. If this cost is based on the average cost in responding to this request, please provide your calculations for arriving at the average cost. 

If you would rather charge the flat rate, we will pay it.

COMMENTARY: I haven’t seen too much fight over the labor cost, but it is useful to point to the $6.50 flat rate. In the request letter I include language that pre-authorizes any charge under $20 but requires pre-approval for charges above that rate. This protects against gotcha billing.

 

They require you to submit a HIPAA release before they release the records to you.

RESPONSE: The Department of Health and Human Services has decided that a separate HIPAA authorization is not required under the HITECH Act. Federal Register Vol 78, No. 17, January 25, 2013, Pages 5634-35.

COMMENTARY: Usually we’ll send it to them, particularly since we’ll probably have to tell them to send the billing too. But if you don’t want to, or they’re trying to pull some bait and switch nonsense where they use the HIPAA release to “confirm” that it’s an attorney request, there’s the response.

 

They charge a “basic fee,” or a “retrieval fee,” or any type of cost that is not labor, postage, media, or certification.

RESPONSE: The fee that any covered entity may impose for providing a copy of e-health records “shall not be greater than the entity’s labor costs” in responding to the request. 42 U.S.C. § 17935(e)(2). The regulations make clear that the costs are limited to labor; the cost of supplies—in this case, the cost of a CD—; and postage. See 45 C.F.R. 164.524(c)(4)(i)-(iii). The Department of Health and Human Services has decided that “fees associated with maintaining systems and recouping capital for data access, storage, and infrastructure” cannot be charged to the patient, and this includes a “retrieval fee.” Federal Register Vol. 78, No. 17, January 25, 2013, Page 5636.

COMMENTARY: You will see this fee on every invoice, even if they send you one that they say is HITECH-compliant. 

 

They charge you Georgia sales tax on the whole thing.

RESPONSE: Georgia imposes tax on the retail sales price of tangible personal property, certain services, and charges that are necessary to complete the sale of taxable property. Most services are exempt from tax, including services related to record retrieval. O.C.G.A. §§ 48-8-2(31), 48-8-30(f)(1). Postage is subject to tax. O.C.G.A. § 48-8-2(34)(A). Please revise your tax calculations to only include the cost of the media and the postage.

COMMENTARY: Hey, I’m no tax lawyer, but the Georgia law seems pretty straightforward on this. (I'm located in Georgia, by the way, so if you're in a different state your mileage may vary). They can tax you for the media and the postage, but not for the labor cost. I usually include this one when I’m contesting the basic fee.

You cannot get the records certified; or, when you want the records certified you have to pay the per-page rate; or, certification costs more than the State rate.

RESPONSE: The Department of Health and Human Services has made clear that a patient may request a certified copy of his records under the HITECH Act, but the cost of preparing the affidavit is not subject to the fee limitations of HITECH. Federal Register Vol. 78, No. 17, January 25, 2013, Page 5636. Although federal law does not limit the cost of certifying the records, Georgia law does; the maximum fee that a provider may charge to certify records is $9.70. O.C.G.A. § 31-33-3; https://dch.georgia.gov/medical-records-retrieval-rates.

COMMENTARY: This response is a little nuanced, so it can be understandably confusing to non-lawyers. The idea is that HITECH specifically carves out certification fees from its scope, so we have to look to state law next. In Georgia, there is a statute that limits certification fees, so the provider can't charge more than what Georgia allows.

Thanks to Blade Thompson for the law for Alabama and Florida and Jay Foster for the Mississippi cite:

The maximum fee a notary public may charge in Alabama is $5. Ala. Code 36-20-74.

The maximum fee a notary public may charge in Florida is $10. Fla. Stat. 117.01.

The maximum fee a notary public may charge in Mississippi is $25. Miss. Code Ann. § 11-1-52(3). 

Imaging films are not subject to HITECH.

RESPONSE: Under the HITECH Act, an “electronic health record” means “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” 42 U.S.C. § 17921(5). When a covered entity “uses or maintains an electronic health record with respect to protected health information of an individual” then the individual has a right to obtain an electronic copy, to direct the provider to transmit the copy to the entity of his choice, and only be charged the covered entity’s labor cost in responding to the request. 42 U.S.C. § 17935(e). Regulations make clear that the costs are limited to the labor cost, the cost of supplies, and postage. 45 C.F.R. 164.524(c)(4)(i)-(iii). Because the imaging was created and gathered in an electronic format, it is subject to the HITECH Act. Please produce the imaging files on a CD.

COMMENTARY: All electronic medical records are covered by HITECH, and the definition for electronic medical record is very broad. Pretty much the only time records do not fall under the HITECH Act is when the records were created on paper and no one has scanned them. The only providers who still keep handwritten records in paper format seem to be small mom-and-pop-type practices in rural areas. I have yet to run across imaging that is not kept in an electronic format. If I do, it would almost certianly be worth paying full freight so I can wave a big-ass x-ray around the courtroom.

(3/22/2018 update): Apparently CIOX believes that HHS's 2013 rulemaking requires all medical records to be produced through HITECH, whether the records are electronic or not, because they said that in a complaint they filed against HHS. I'm not so sure, but then again I don't work at Kirkland Ellis like CIOX's lawyers--so maybe they are right.

Here's the language you could use with CIOX: Your company has taken the position that HHS requires "healthcare providers and their affiliates to fulfill patient requests to transfer their PHI directly to a third party regardless of whether the underlying PHI was or was not contained in an EHR." Complaint at ¶ 42, CIOX Health, LLC v. Hargan et al., (D.D.C. 2018) (Case No. 1:18-cv-00040-APM).

There are paper copies that could be scanned but the provider doesn't want to scan them.

RESPONSE: Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual. 45 CFR 164.524(c)(2)(i). Please also see this guidance from HHS: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. I’ve attached screenshots of the pertinent parts:

requests for paper copies.PNG

and

fees for copies.PNG

COMMENTARY: The good news: They still have to scan them and send them to you electronically! But the bad news is that they can charge you the labor cost in scanning them. The labor cost has to be the actual labor cost and that the time has to be the actual time spent. 

They play word games about what a medical record is.

RESPONSE: HIPAA, as amended by the HITECH Act, requires that you produce your patient’s protected health information in the patient’s designated record set. HIPAA defines the “designated record set” as (1) the medical records and billing records about individuals maintained by or for a covered health care provider, and (2) the records used, in whole or in part, by or for the covered entity to make decisions about individuals. 45 CFR § 164.524(a). The Department of Health and Human Services’ Office of Civil Rights described the information you are required to produce as “medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or ‘SOAP’ notes … but not including psychotherapy notes …), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals….” https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html.

COMMENTARY: Some medical providers will claim that some part of their records are not medical records. The records they’re required to produce—the designated record set—is quite expansive and includes pretty much anything used to make decisions about a patient’s care. Note that billing records are specifically included in this definition.

They claim that they don’t have to produce “information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”

RESPONSE: HIPAA, as amended by the HITECH Act, requires that you produce your patient’s protected health information in the patient’s designated record set. HIPAA defines the “designated record set” as (1) the medical records and billing records about individuals maintained by or for a covered health care provider, and (2) the records used, in whole or in part, by or for the covered entity to make decisions about individuals. 45 CFR § 164.524(a).

There are two categories of information that are excluded from the designated record set:

(1) Psychotherapy notes, 45 CFR 164.524(a)(1)(i) and 164.501; and

(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. 45 CFR 164.524(a)(1)(ii).

Thus, the designated record set is the patient’s medical record except for psychotherapy notes or information compiled for use in a court proceeding.

The fact that the designated record set does not include information compiled for use in a court proceeding has nothing to do with the purpose for requesting the designated record set. The anticipation of litigation exception applies to the designated record set, not the right of access. HIPAA expressly permits patients to request their designated record set—and have it be sent to a third party—for use in a court proceeding.

COMMENTARY: This objection is a new one and comes from providers conflating what is included in the record set with the purpose for requesting the record set. The patient's designated record set is essentially all the medical records except for psychotherapy notes and stuff prepared for court. This is completely different from why the patient is requesting the designated record set. The patient can be requesting it for court, to sue the doctor, to wallpaper their house, whatever. The medical provider still has to turn it over at the HITECH rate.

If they’re just not listening to reason.

RESPONSE: My client’s letter meets all legal requirements. By law, you must provide the records at a fee no greater than your labor costs. Additional fees are allowed for the cost of media and postage.

As you know, compliance with HIPAA (as amended by the HITECH Act) and regulations are enforced by Department of Health and Human Services’ Office of Civil Rights. In the event you fail to respond to this email or fail to comply with the HITECH Act, my client has authorized me to file a Complaint with the Office of Civil Rights and our state’s Attorney General. Both the medical provider and the third-party records company may be fined up to $1.5 million dollars for violating

Please provide me with an invoice that complies with the law and we will promptly pay it. 

If you disagree with my recitation of the HITECH Act and the regulations interpreting it, please forward my client's original HITECH Act Request, along with a copy of this email, to your general counsel's office. 

COMMENTARY:Sometimes you have to threaten to drop the hammer. A complaint can be filed with HHS’s Office of Civil Rights online: https://www.hhs.gov/hipaa/filing-a-complaint/index.html

The potential penalties are tiered depending on the covered entity’s culpability, set out in 42 USC § 1320d-5:

  • The covered entity or business associate did not know about reasonable should not have known of the violation

    • $100 - $50,000 per violation

  • The covered entity knew, or by exercising reasonable diligence would have known, that the act or omission was a violation

    • $1,000 - $50,000 per violation

  • The violation was a result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, but the covered entity or business associate corrected the violation within 30 days of discovery

    • $10,000 - $50,000 per violation

  • The violation was a result of conscious, intentional failure or reckless indifference and the covered entity or business associate DID NOT correct the violation within 30 days of discovery

    • At least $50,000 per violation

Each covered entity and business associate is limited to $1.5 million of fines each calendar year.

A covered entity will be liable for the violations of its business associate when they act as the covered entity’s agent. The agency relationship is goverend by federal law, which will find an agency relationship where the potential agent’s actions can be directed or controlled during the course of performance of its duties, regardless of whether actual direction or control occurrs. 45 CFR § 160.402(c).

ALSO, there is a right of enforcement through State Attorneys General and courts can award attorneys fees to the State. 42 USC § 1320d-5(d).

There is no private right of action under HIPAA. Dodd v. Jones, 623 F.3d 563, 569 (8th Cir. 2010).


I hope this guide to HITECH requests and responses has been useful. Please email me if you have suggestions for improvement (ryan@thelockefirm.com).

If you need to refer a personal injury case—or need local counsel—consider referring to us. We pay standard referral fees where State Bar rules allow. More info here: https://thelockefirm.com/attorney-referrals/