Top 10 Rules For Requesting Low-Cost Medical Records Under HITECH/HIPAA

    In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH modified the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations administered by the Department of Health and Human Services (DHHS).

    One of the goals of HITECH was to expand individuals’ rights to receive electronic copies of their health information. To this end, HITECH knocks down barriers between patients and their medical records. The Act provides simplified methods for patients to request their health records through a simple patient’s letter, lower costs to patients for their personal health records, and a complaint process for patients who have been denied easy access to their health records.

    In 2013, we received a bill for about $6,800 for a single file of records, which was about $1 per page. We complained to DHHS’s Office of Civil Rights that a per-page charge for a single electronic file was neither reasonable nor cost-based under the low-cost provisions of the HITECH Act and HIPAA regulations. DHHS responded and advised the hospital of its duty to limit charges to individuals requesting records. DHHS advised the hospital that a flat rate fee for electronic records should be limited to a maximum of $6.50.

    To ensure you can access your client’s records for a reasonable cost, we’ve compiled the top 10 rules to follow when using the HITECH/HIPAA individual’s letter. Following these suggestions will help you preserve your client’s right to low-cost medical records.

    1. Knock Down Barriers

    The legislative intent of the low-cost medical records provisions via the HITECH Act was to knock down barriers between patients and their medical records. All other HIPAA rules regarding an individual’s request for records flow from this simple statement of intent. Overcharging for records violates the HIPAA regulations because inordinately high costs place a barrier between patients and their records. A hospital that requires the patient to pick up the records at the hospital for verification purposes places a barrier because not every patient lives near the hospital. A hospital that asks unnecessary questions on its records form places a barrier for patients who may be discouraged by complex forms. An individual who is incompetent may have a personal representative sign the letter because not everyone can write or sign a letter.

    2. Keep The Individual’s Letter Simple

    The individual’s letter must be in writing, clearly designate the recipient of the records, and be signed by the individual (HITECH Act, 42 USC §17935(e)), and nothing more. Keep it simple. Do not put the letter on an attorney’s letterhead, and attorneys should not sign the letter. Attorneys also should not include their own letter to the covered entity with the individual’s letter. However, the attorney may fax the individual’s letter from their office on behalf of their client. Do not put complex legal theories or citations to cases, statutes, or regulations in the individual’s letter. Complexity is unnecessary and it may negate the low-cost provisions of the HITECH Act. If the covered entity does not provide the records as requested, the attorney can always write a follow-up letter notifying the covered entity of its violation of HIPAA regulations and the attorney’s intent to file a complaint with the Department of Health and Human Services, Office of Civil Rights.

    3. Charges are Limited to Actual Labor Costs of the Health Care Provider

    Cost-based fees (45 CFR 164.524(c)), the allowed charges under the HIPAA regulations, are for the costs of the covered entity including labor, supplies, and postage. However, this does not include the cost incurred by Business Associates such as HealthPort, IOD, or CIOX. The covered entity is responsible for the costs of outsourcing their medical records to a business associate. If the business associate charges the individual for its labor costs, that is the prohibited sale of protected health information under the HITECH Act (42 USC §17935(d)) and HIPAA regulations (45 CFR 164.502(a)(5)(ii)).

    4. Actual Costs May Differ Between Digital and Paper Records

    The costs can be calculated based on each covered entity’s costs and can vary depending on whether the records are maintained in paper form or electronic form.

    5. Page Charges Are Not Reasonable For Electronic Records

    For records maintained in electronic format, page charges are not reasonable under HIPAA regulations. The charges allowed are just for the labor to transfer the records to electronic media (CD, thumb drive) and postage to send that to the individual or the designee. In the earlier example, DHHS investigators determined that $6.50 was a reasonable fee for transferring electronic records to a CD and sending them to the individual or their designee. DHHS considers $6.50 as the reasonable flat fee for electronic records on CD. Alternatively, the covered entity may charge a different fee if they keep time records for the labor in responding to each individual’s request or if they determine a statistically significant average cost for providing the records.

    6. Higher Cost May Apply to Records Maintained on Paper Only

    For records maintained in paper format, the covered entity may charge the actual labor of scanning the records into electronic format. The cost-based fee analysis under HIPAA is still used in this circumstance. Page fees may be appropriate where individual pages are being copied or scanned in. If the individual requests that electronic records be produced in paper format, the page charge may apply. State fees are typically higher than those allowed by HIPAA. One exception may be California where the charge is $0.25 per page.

    If the individual requests records in electronic format and the covered entity maintains paper records, the covered entity must scan the paper records into the requested electronic format. However, the covered entity does not need to buy a scanner to comply with this rule.

    The hope is that as electronic records become more commonly used, there will be a pattern of decreasing usage of paper records. Currently, EPIC software claims the medical records of 54% of patients in the USA are maintained in the EPIC software.

    7. Individuals May Designate Any Third Party

    The individual can designate any third party (including attorneys) to receive the records. The designee has all the same rights to low-cost records as the individual. There is no special rule for attorney designees. The misconception that attorneys cannot be a designee arises from a misreading of Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1080 (9th Cir. 2007), in which the 9th Circuit held that a third-party authorization did not qualify for low-cost medical records under the HIPAA regulations. The third party in that case happened to be an attorney. The request had to be from the individual. The Webb court explained that the attorney could assist the individual in getting their records: “Our holding, however, in no way precludes attorneys from assisting their clients in accessing and obtaining their medical records without triggering the hefty fees.” Id. at 1089. Webb holds that attorneys may be designated in the individual’s letter to receive the medical records.

    “We, therefore, echo the concurrence in Bugarin by emphasizing that in affirming the district court’s judgment, we only uphold the ability of copying services to charge higher rates when the attorney makes the request on behalf of his or her client than when the patient/client makes the request directly…. [We do] not address such presumably common scenarios in which the client signs the request and asks the documents to be sent to the attorney….”


    The later statutory provisions of the HITECH Act, 42 USC 17935(e), allowing individuals to designate any third party to receive the records, are consistent with the Webb decision.

    8. A Representative of an Incompetent Individual May Sign a Records Request

    A personal representative of a deceased individual or incompetent individual may avail themselves of the cost-based fees of HIPAA on behalf of the individual. The personal representative is determined under “applicable law,” which usually means state law. The personal representative has all the rights of the individual, including the right to designate any third party to receive the records at low cost.

    9. An Individual Does Not Need To Sign a Third Party Authorization

    Covered entities or their business associates may not require the individual to sign a HIPAA third-party authorization. The authorization used for the past 20 years is no longer needed for the individual to get their own records. The individual’s letter (first-party) is covered by 45 CFR §164.524 and the HITECH Act. The HIPAA 3rd party authorization is covered by 45 CFR §164.508.

    10. The Individual is Entitled to All Records With Few Exceptions

    The individual is entitled to receive all documents in the designated record set, which includes all records that the covered entity uses to make decisions about individuals. That includes billing records, x-rays and film, and audit trails.

    It may be easier to remember the limited exceptions to the records that must be produced.  The covered entity can withhold psychiatric notes and documents prepared for litigation or quality control. However, even these exceptions are limited. The exception for psychiatric notes does not apply to a psychiatric consult note in a hospital record. It is meant to apply specifically to the notes taken by a psychologist or psychiatrist during a patient’s counseling session.