Top 10 Rules For Requesting Low-Cost Medical Records Under HITECH/HIPAA

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH modified the Health Insurance Portability and Accountability of 1996 Act (HIPAA) regulations administered by the Department of Health and Human Services (DHHS). One of the goals of HITECH

Top 10 Rules For Requesting Low-Cost Medical Records Under HITECH/HIPAA

ByRodger J Leslie, PhD, JD.


Published on February 22, 2018


Updated onApril 27, 2022

Top 10 Rules For Requesting Low-Cost Medical Records Under HITECH/HIPAA

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH modified the Health Insurance Portability and Accountability of 1996 Act (HIPAA) regulations administered by the Department of Health and Human Services (DHHS).

One of the goals of HITECH was to expand individuals’ rights to receive electronic copies of their health information. To this end, HITECH knocks down barriers between patients and their medical records. The Act provides simplified methods for patients to request their health records through a simple patient’s letter, lower costs to patients for their personal health records, and a complaint process for patients who have been denied easy access to their health records.

In 2013, we received a bill for about $6,800 for a single file of records, which was about $1 per page. We complained to DHHS’s Office of Civil Rights that a per-page charge for a single electronic file was neither reasonable nor cost-based under the low-cost provisions of the HITECH Act and HIPAA regulations. DHHS responded and advised the hospital of its duty to limit charges to individuals requesting records. DHHS advised the hospital that a flat rate fee for electronic records should be limited to a maximum of $6.50.

To ensure you can access client’s records for a reasonable cost, we’ve compiled the top 10 rules to follow using the HITECH/HIPAA individual’s letter. Following these suggestions will help you preserve your client’s right to low-cost medical records.

1) Knock Down Barriers

The legislative intent of the low-cost medical records provisions via the HITECH Act was to knock down barriers between patients and their medical records. All other HIPAA rules regarding an individual’s request for records flow from this simple statement of intent. Overcharging for records violates the HIPAA regulations because inordinately high costs place a barrier between patients and their records. A hospital that requires the patient to pick up the records at the hospital for verification purposes places a barrier because not every patient lives near the hospital. A hospital that asks unnecessary questions on its records form places a barrier for patients who may be discouraged by complex forms. An individual who is incompetent may have a personal representative sign the letter because not everyone can write or sign a letter.

2) Keep The Individual’s Letter Simple

First, the individual’s letter must be in writing. The letter also must clearly designate the recipient of the records. Finally, the individual must sign it (HITECH Act, 42 CFR §17935(e)). This is all—keep it simple. Do not put the letter on an attorney’s letterhead nor should attorneys sign the letter. Attorneys also should not include their own letter to the covered entity with the individual’s letter. However, the attorney may fax the individual’s letter from their office on behalf of their client.

Do not put complex legal theories or citations to cases, statutes, or regulations in the individual’s letter. Complexity is unnecessary and it may negate the low-cost provisions of the HITECH Act. If the covered entity does not provide the records as requested, the attorney can always write a follow-up letter notifying the covered entity of its violation of HIPAA regulations and the attorney’s intent to file a complaint with the Department of Health and Human Services, Office of Civil Rights.

3) Charges are Limited to Actual Labor Costs of the Health Care Provider

Cost-based fees (45 CFR 164.524(c)), the allowed charges under the HIPAA regulations, are for the costs of the covered entity including labor, supplies, and postage. However, this does not include the cost incurred by Business Associates such as HealthPort, IOD, or CIOX. The covered entity is responsible for the costs of outsourcing their medical records to a business associate. If the business associate charges the individual for its labor costs, that is the prohibited sale of protected health information under the HITECH Act (42 USC §17935(d)) and HIPAA regulations (45 CFR 164.502(a)(5)(ii)).

4) Actual Costs May Differ Between Digital and Paper Records

Cost calculation is on a case-by-case basis. These costs can vary depending on the record format—paper form or electronic form.

5) Page Charges Are Not Reasonable For Electronic Records

For records maintained in electronic format, page charges are not reasonable under HIPAA regulations. The charges allowed are just for the labor to transfer the records to electronic media (CD, thumb drive) and postage to send that to the individual or the designee. In the earlier example, DHHS investigators determined that $6.50 was a reasonable fee for transferring electronic records to a CD and sending them to the individual. DHHS considers $6.50 as the reasonable flat fee for electronic records on CD. Alternatively, the covered entity may charge a different fee if they keep time records for the labor in responding to each individual’s request or if they determine a statistically significant average cost for providing the records.

6) Higher Cost May Apply to Records Maintained on Paper Only

For records maintained in paper format, the covered entity may charge the actual labor of scanning the records into electronic format. In this circumstance, the entity will still use the cost-based fee analysis under HIPAA. For copied or scanned individual pages, page fees may be appropriate. For requests to convert electronic records to a paper format, the page charge may also apply. State fees are typically higher than those allowed by HIPAA. One exception may be California where the charge is $0.25 per page.

If the individual requests records in electronic format and the covered entity maintains paper records, the covered entity must scan the paper records into the requested electronic format. However, the covered entity does not need to buy a scanner to comply with this rule.

As electronic records become more commonly used, hopefully, there will be decreasing usage of paper records. Currently, EPIC software claims it maintains 54% of American patients’ medical records.

7) Individuals May Designate Any Third Party

The individual can designate any third party (including attorneys) to receive the records. The designee has all the same rights to low-cost records as the individual. There is no special rule for attorney designees. The misconception that attorneys cannot be a designee arises from misreading of the Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1080 (9th Cir. 2007) case in which the 9th Circuit court held that a third party authorization did not qualify for low-cost medical records under the HIPAA regulations. Here, the third-party happened to be an attorney. The request had to be from the individual.

The Webb Court described that the attorney could assist the individual in getting their records. “Our holding, however, in no way precludes attorneys from assisting their clients in accessing and obtaining their medical records without triggering the hefty fees.” Id. at 1089. Webb holds that an individual’s letter to receive medical records may designate attorneys.

“We, therefore, echo the concurrence in Bugarin by emphasizing that in affirming the district court’s judgment, we only uphold the ability of copying services to charge higher rates when the attorney makes the request on behalf of his or her client than when the patient/ client makes the request directly…. [We do] not address such presumably common scenarios in which the client signs the request and asks the documents to be sent to the attorney….”


The later statutory provisions of the HITECH Act, 42 USC 17935(e) allowing individuals to designate any third party to receive the records are consistent with the Webb decision.

8) A Representative of an Incompetent Individual May Sign a Records Request

A representative of the deceased or incompetent individual may avail themselves of the cost-based fees of HIPAA on their behalf. Applicable state law determines the personal representative. The representative has all the rights of the individual. This includes the right to designate any 3rd party to receive the records at a low cost.

9) An Individual Does Not Need To Sign a Third Party Authorization

Covered entities or their business associates may not require the individual to sign a HIPAA third-party authorization. An individual no longer needs the authorization used for the past 20 years to get their own records. 45 CFR §164.524 and the HITECH Act covers the individual’s letter (first-party). Further, 45 CFR §164.508 covers the HIPAA third-party authorization.

10) The Individual is Entitled to All Records With Few Exceptions

The individual is entitled to receive all documents in the designated record set. This includes all records that the covered entity uses to make decisions about individuals. That includes billing records, x-rays and film, and audit trails.

It may be easier to remember the limited exceptions to the records that must be produced. The covered entity can withhold psychiatric notes and documents prepared for litigation or quality control. However, even these exceptions are limited. The exception for psychiatric notes does not apply to a psychiatric consult note in a hospital record. This applies specifically to the notes taken by a psychologist or psychiatrist during a patient’s counseling session.

About the author

Rodger J Leslie, PhD, JD.

Rodger J Leslie, PhD, JD.

Roger J. Leslie, Ph.D., J.D., is biomedical research consultant and a plaintiff attorney for cases involving medical negligence, nursing home negligence, wrongful death, and other personal injury matters.

background image

Subscribe to our newsletter

Join our newsletter to stay up to date on legal news, insights and product updates from Expert Institute.