HIPAA, HITECH, and the Joys of Collecting Medical Records

Yeah, getting your medical records for your personal injury claim can be a nightmare.  But keep reading to learn how to get your records fast, and save money while you're at it!

Medical records.  I'll tell you right off the bat that collecting them can be arduous and often unpleasant.  There's a tangled mess of laws that you have to navigate in order to get them, and your medical providers are generally going to be very cautious of these laws, as well.  However, your medical records are spectacularly important to your personal injury claim.  Remember our article on damages?  Well, medical records are the cornerstone of your damages.  Without them, you really can't expect an insurance adjuster to just take you at your word.

Okay, so medical records are super important.  How do I get them?

This is where it can get a little tricky.  There are two federal laws that dictate the format and contents of a medical records request.  The first and better-known of these laws is called the Health Insurance Portability and Accountability Act, or as we often call it, "HIPAA."  While HIPAA encompasses a huge swath of regulations imposed upon medical providers, the one we're going to focus on today is known as the "Privacy Rule," codified at 45 CFR Part 160 and Subparts A and E of Part 164.  

The Privacy Rule basically functions to obligate health care providers (those that are covered by HIPAA, at least, which is the vast majority of them) to provide patients with access to their own protected health information (or "PHI") upon request.  This means that the patient can request a copy of his or her PHI personally, but it also means that the patient can direct the provider to forward the medical records to a designated third party.  You know, like your personal injury attorney?

So what information am I entitled to, exactly?  

The Privacy Rule contemplates the "designated record set" of your PHI.  This is going to include (i) medical and billing records (most common), (ii) enrollment, payment, claims adjudication, and case or medical management record systems maintained by a health plan, and (iii) any other record that the provider has used to make decisions about the patient.  This is going to include the bulk of your medical records; for purposes of your personal injury claim, all you're normally going to need are your actual medical bills and records.  Fun tip:  Remember when requesting your medical bills that North Carolina uses "billed versus paid," so make sure to request an itemized bill that doesn't include payments made by your health insurance provider.

There are a couple categories of information that are conspicuously excluded from the "designated record set."  These include psychotherapy notes that are maintained separate from the rest of the patient's medical record, as well as information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.  This basically permits healthcare providers to implicate the "work product" protections that are normally reserved to attorneys and their staff.  I haven't written an article about work product yet, but I will soon.

What are the requirements for the request itself?

Hold on, because there are a bunch of 'em.  The first is that "covered entities," or healthcare providers, can require you to make your request in writing.  It's this attorney's experience that most providers exercise this right.  Secondly, providers can require a reasonable verification of the person making the request.  This requirement brings up an interesting point.  Whether or not you have a lawyer, the request for medical records, under HIPAA, has to come from you individually.  I can't just call up a doctor's office, for instance, and say, "Hey! I represent Gus Chiggins and he said for you to fork over his medical records."  It's my personal policy to have Gus sign a records request directing the provider to forward a copy of the requested information to my office.  The point is that the request has to come from the patient; it can't originate with a lawyer.

In what format can I get my medical records?

Now for the really fun stuff.  The Privacy Rule requires providers to give the patient access to his or her PHI "in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual."  What I've seen is that providers will generally default to hard paper copies (often resulting in hundreds of dollars' worth of copying fees), but will sometimes provide electronic copies if directly requested to do so.  One lesser-used option is to request that the provider allow you to come into their facility and inspect the records there, at a mutually convenient time.

Is there a time limit that providers have to abide by?

Yep!  The absolute limit is 30 calendar days, but providers are strongly encouraged to respond as soon as possible.  Keep in mind, however, that if the provider can't comply with the request within 30 days, then it can extend the timeline by another 30 days, provided that it informs the patient in writing of the reason for the delay and the date by which it will provide access.  The provider can only extend the deadline one time.

Anything else I should know about HIPAA requests?

You betcha.  The first thing is that providers can and will deny your request if it isn't within the requirements set by the Privacy Rule.  Make sure to "measure twice and cut once" when you're filling out your request.

The second thing is that you should expect providers to bill you for the provision of your records.  While HIPAA allows only a reasonable, cost-based fee for records, it's very common that those "costs" will add up quickly.  This is particularly true where the provider is sending you a hard paper copy of your records.  It's not at all uncommon to get bills in the hundreds of dollars for these types of records.

Alright, so that's HIPAA.  What in the heck is HITECH?

HITECH is the Health Information Technology for Economic and Clinical Health Act, a federal law that has actually been on the books since early 2009.  Codified at 42 USC 1795, HITECH imposes strict provisions regarding medical records upon healthcare providers, right alongside the requirements imposed by HIPAA.

How does HITECH help me?

Remember just a second ago, when I told you about how providers can charge you massive amounts of money for the provision of paper copies of your records?  Well - and this is a very broad strokes way of putting it - HITECH basically says that when healthcare providers maintain electronic records, they are required to provide those records to you in electronic format, and they can only charge the actual cost of production.  Not only that, but HITECH also applies to companies that contract with healthcare providers to maintain medical records for them.  

What does this mean?  Well, let's say that you were in a car accident and you spent 10 days in the hospital.  Over that time, the hospital compiled 3,500 pages worth of medical records pertaining to your stay.  Later, if you send a HIPAA request and the hospital sends you paper copies of your records, they might charge you a copying fee of 20 cents per page, for a total bill of $700.00.  Yikes!  

Now imagine that the hospital maintains your records in an electronic format.  You send a HITECH request, and they are required to comply by sending your records to you in the same format, most often a password-protected CD.  Now, they can only charge you the cost of the CD, plus postage and whatever labor went into putting your file on the CD.  Let's call it $50.00, which might even be a little bit high.  Congratulations on being really smart and saving yourself $650.00.

Holy cow!  So what does my HITECH request need to include?

For starters, it's critical to remember that the request has to come from you personally; it cannot come from your attorney.  For instance, if the request comes in on your attorney's letterhead, it's going to get denied pretty quickly.  If you want the records sent to your attorney, the request should clearly state the name and address of the attorney's office as the person designated to receive the records.  

Your HITECH request should be sent alongside, and not in lieu of, your HIPAA request.  You still need to send both requests.  What I normally do is to send a cover letter along with my requests, explicitly stating that I'm requesting electronic records.  I still get pushback from providers with some regularity - after all, this law really costs them a bundle of money - but persistence and a firm explanation of the law normally clear up any ambiguities. 

Any time limits under HITECH?

Absolutely.  Like with HIPAA, providers are subject to a strict 30-day deadline beginning on the date of the request.  If the provider misses this deadline, then it becomes subject to substantial fines and penalties.  While there isn't an independent cause of action in court (yet) for these violations, you can still file a complaint online with the Department of Health and Human Services.  You'll notice that these complaints still technically fall under HIPAA, but these penalties can be triggered by a violation of either law.

Remember that if a provider pushes back against your HITECH request, the 30-day clock continues to tick.  Remind the provider of this, and they'll normally "go along to get along" rather than face a hefty fine.

I feel so empowered right now!

Good for you!  Remember that if you have any questions, or if you'd like to see a sample HIPAA or HITECH request, my door is open.  Now go get those records!