Getting Medical Records Cheaply Using the HITECH Act

Stop paying hundreds of dollars for medical records and use the HITECH Act to get records for less than $10.


By: Matt Wetherington and Sarah Quinn


The Health Information Technology for Economic and Clinical Health Act was a part of the American Recovery and Reinvestment Act signed in February 2009 during the Obama administration.  It introduced several changes to the HIPAA Privacy Rule. The most relevant changes are that there are increased penalties for health care providers for violations of HIPAA Rules making them directly liable, and it changed the requirements for breach notifications by covered entities.

The ultimate goal of the HITECH Act is to better serve patients by encouraging medical providers to invest in progressive health information technology. The Act encourages health care providers to use electronic health records, giving patients more ease of access to their protected health information which empowers them to be advocates of their own health. The Office for Civil Rights, Department of Health and Human Services, is in charge of implementing and carrying out the goals of HITECH.

The HITECH Act promotes the concept of electronic health records-meaningful use (EHR-MU). Meaningful use is illustrated by the use of certified electronic health record technology that’s connected in a way that improves the quality of care for patients. There are “5 pillars” of the meaningful use concept which include: 1) improving quality, safety, efficiency, and reducing health disparities; 2) engaging patients and families in their health; 3) improving care coordination; 4) improving public health; and 5) ensuring adequate privacy and security protection for personal health information. Meaningful use is an essential component of the HITECH Act that should be mentioned and can be used to remind providers why it is important to utilize the HITECH Act to obtain medical records electronically rather than the traditional paper copy method.

The Privacy Rule, pursuant to 45 C.F.R. § 164.524(a)(1), grants individuals the legal right of access to obtain their protected health information in a “designated record set.” A designated record set includes the medical AND billing records of an individual. The important thing to note is that a client’s designated record set is not limited to just the medical records, and it does not exclude things like imaging studies. It includes imaging and itemized billing.  It is still reasonable to specifically request a copy of the billing records, as some healthcare providers often have separate billing departments.

Pursuant to 42 U.S.C. § 17935(e), individuals have the right to obtain a copy of their protected health information in electronic format and may designate the records be sent to an entity or personal representative of their choosing. Furthermore, the only fees that can be charged are cost based fees for labor for the production of the responsive protected health information. Putting this together, not only does the client have the right to inspect and obtain their personal health information, they can request it in electronic format, have the invoice and records sent to their attorney, and get them at a low cost.

Pursuant to 45 C.F.R. § 164.524(c)(3)(ii), the only requirements are that the request be in writing, signed by the individual, and it must identify the person to whom the copy of the records should be sent (“Access of Individuals to Protected Health Information”). Have the client sign a letter requesting a copy of their complete designated record set. The request MUST come from the individual, not from a third party, even if the firm has been retained as their personal representative. The letter can request that they be sent to a third party, but it cannot be submitted by a third party. If these guidelines are followed, there should be no reason for any medical provider to question that the medical records came from anyone other than the individual treated at their facility.

The letter itself can and should be very simple, as it should come from a patient, not an attorney. Using more legal jargon or fancy verbiage will only cast suspicion as to whether the request is coming from the patient. The language in the body of the letter should read similarly to the following:


I was a patient at your facility. I am requesting a copy of my complete medical records including itemized billing records. I specifically request that the records be provided in electronic format.

Please send the records to my personal representative whose information is provided below.

Please notify my personal representative prior to producing the records if the cost exceeds $6.50.

Thank you for your assistance.


There are many variations that can be used, but the most important thing is that the letter is from the client and signed by the client. It is also important to designate the facility the request is to, to include the client’s personal information, such as date of birth and the last four of the social security number, and to specifically designate the attorney or representative that the records may be sent to. Many firms have the client sign a “blank letter” unaddressed to any particular healthcare provider during their intake, just like one would previously sign a HIPAA. Continue doing so. This allows a firm to reuse the signed letter for different providers.

When a client requests their protected health information, they do not also need to send a HIPAA. Usually, if a HIPAA is attached, this makes the request seem like it has come from an attorney’s office and is considered a billing opportunity for the provider.  The simple letter is sufficient as the client has a legal right to obtain and review a copy of their protected health information. It’s still prudent to have both on deck for requesting records from non-medical providers such as billing for transport or anesthesiology, but for these purposes, the “HITECH letter” should suffice.

The inquiry process is basically identical to using a HIPAA as one should still call the provider to find out how they process requests prior to sending the letter. The only difference is to ask the provider how THE CLIENT can request their own medical records, not how the law firm can request them. Beware of getting directed to the “legal department” when calling larger facilities as the fax numbers and addresses they give are usually specifically for law firms, and the HITECH Act does not apply to requests that come from law firms.

When a written request is submitted to a healthcare provider, such entity must comply with the following “implementation specifications” pursuant to 45 C.F.R. § 164.524(c)(1-4): 1) the healthcare entity must provide the access requested and the entity need only produce it once; 2) the healthcare entity must provide the records in the form of access requested by the individual; 3) the healthcare entity must provide them in a timely manner (no later than 30 days after receipt of the request from the individual); and 4) the healthcare entity must comply with the cost-based fee structure. The first three are self-explanatory. The healthcare entity must provide access to the individual’s protected health information, it must be in the format the individual requested, and it must be produced no later than 30 days from the date of the request. The cost-based fees that can be charged are only the following: 1) labor for copying; 2) supplies for creating the paper or electronic media; 3) postage for mailing; and 4) preparing an explanation or summary of the protected health information (“Access of Individuals to Protected Health Information”). Under these Rules, an individual should be able to obtain their electronic medical records at a low cost within 30 days of the request.

One reason for requesting records in electronic format, other than the fact that the HITECH Act applies to records in electronic format, is to eliminate additional charges that healthcare providers will likely try to ascribe. If it’s not specified that the client wants their records electronically, the provider will almost always go with paper format, even if their records are kept electronically, because they can charge more that way. However, under the HITECH Act, they must comply with the fee structure pursuant to 45 CFR 164.524(c)(4) or they are violating HIPAA. If the records are requested via fax or email, this also eliminates any fees for supplies for CDs and any postage associated with sending the records by mail. If a medical provider does not keep their medical records electronically, they must still produce the records in the format requested by the individual. They can do this easily by scanning the paper copies into .pdf format. As previously mentioned, many larger healthcare providers don’t waste their time calculating actual cost-based labor fees, and instead, they charge a flat rate of $6.50 suggested by The Office for Civil Rights, Department of Health and Human Services (“Individuals’ Right under HIPAA to Access their Health Information,” 2016). This is the most ideal outcome, but not necessarily the most likely.

While getting medical records for under ten dollars sounds great, it is not necessarily always that simple. There may be some pushback associated with using this method to obtain medical records. It stems mostly from smaller providers that have never even heard of the HITECH Act and simply charge the fee structure their entity uses for everyone, usually state mandated. There is typically a basic fee or a retrieval fee that is usually over twenty dollars, a per page copy fee, a shipping or mailing fee and sometimes even sales tax. These fees are not compliant with the Privacy Rule’s cost-based fees for labor. Firms must be prepared to expect this rebuff when using the letter, especially from local or smaller providers. Larger hospital systems are generally charging the flat rate fee of $6.50. Without the “HITECH letter”, and with providers charging the basic fee, they could charge $25.00 for literally one page of electronic records.

More than likely, sending a “HITECH letter” will involve disputing an invoice. This will usually involve contesting the basic retrieval fee and a high per page copy fee. While this may be easier for them than calculating the actual labor associated with processing the request, it constitutes a HIPAA violation for them to charge these amounts without any true calculation of labor. Many times, the conversation may involve asking them to itemize how they came to the actual cost, and most times they can’t. The retrieval fee and the per page fee are not determined by the cost of labor. If firms aren’t getting paper copies, there shouldn’t be much labor involved in producing records via fax or email. Be prepared to call the custodian of records to have them send a corrected invoice that is compliant with the HIPAA regulated fee structure. Some providers often try to avoid providing an updated invoice as it “takes up more of their time.” However, the provider may come back and say the firm is delinquent on a payment down the line, so be certain to obtain the corrected invoice.

Another example of pushback is that “the request came from an attorney’s office.” This argument, hopefully, is not typical for many firms. If they suspect it came from an attorney’s office this will get the request denied as the HITECH Act does not apply to requests from law firms. However, if one gets this rebuttal from a healthcare provider, there is not much that can be done on their end to prove that it came from an attorney. The letter itself is signed by the client, and the client likely reviewed the language of the letter and approved it when signing all the documents to retain the attorney. At the end of the day, as a client’s “personal representative” it’s imperative to obtain a copy of their PHI. It shouldn’t matter where it is faxed or mailed from. Some ways to avoid this include removing any legal jargon from the letter, such as citations to the Rule, and not using the firm’s letterhead. The letter needs to appear as though coming directly from the client. No client is going to use phrasing like “Pursuant to…” so keep it short and simple, similar to the aforementioned example.

Many healthcare providers may try to limit the type of records that are considered part of a designated record set. They typically claim that imaging films are not included in this set. However, as previously mentioned, this is not the case. An individual is entitled by law to their complete medical record, which includes their imaging studies, as they are already electronic.

Some firms may choose to dispute invoices in writing, and some covered entities require it. A sample letter may look something like the following:


This firm represents your patient who requested their own complete medical records and billing records from your facility and asked that the invoice be sent to our firm on _______. We are in receipt of your invoice in the amount of______.

Pursuant to 45 C.F.R. § 164.524(a)(1), an individual has the legal right to access their own medical records in electronic format and have them sent to their personal representative.

In addition, this Rule states that only reasonable, cost-based fees for the labor associated with production are acceptable fees to charge that individual pursuant to 45 C.F.R. 164.524(c)(4). This cost may not include a search or retrieval fee. This fee may only include labor, postage, supplies, and/or a fee for the summary or explanation of the protected health information.

Please provide our firm with an updated invoice that reflects the actual costs of labor not to exceed $6.50. If you have any questions or concerns, please do not hesitate to contact me directly to discuss this further. Thank you for your assistance, and I look forward to hearing from you.


Some providers become very angry when they are challenged regarding their normal fees. Many will threaten to withhold the records for as long as possible. As previously stated, by law they must produce the records within 30 days. However, if someone is giving this much hassle and is threatening to withhold the client’s records intentionally, it might be reasonable to ask to speak to a supervisor. If this leads to an angrier custodian or a dial tone after a hang up, call back to let them know about the potential to file a complaint with the Office for Civil Rights, Department of Health & Human Services. When they realize that their acts may be punishable by law, they will usually go ahead and produce the records timely. Not complying with the Privacy Rule can result in penalty fines for which they are directly liable.

It goes without saying that no matter how disgruntled an employee at a provider’s office may become, it is important to remain professional and courteous. It is not unthinkable that some may curse, hang up, yell or even make up stories as to why the fees they charged are correct. They really get creative with how to subvert the HITECH Act and validate charging their patients an arm and a leg for their own records.

There are some caveats to using the “HITECH letter” to obtain medical records cheaply. The first is that medical providers only need to provide a patient’s designated record set once. If a firm requests their clients’ protected health information, or complete medical records, and it’s provided, the provider has no obligation to send the same health records if another request is submitted for the same client in the future. That is why, in some cases, it might be better to wait until a client is done treating before submitting a “HITECH request.”

The second is that they can charge more than the flat rate. In some cases, as long as the costs are reasonable, and the records are in electronic format, the provider may calculate actual labor costs that exceed the flat rate of $6.50. They may also charge a certification fee which is usually around $10.00. Some states, like Georgia, cap the certification fee to a certain amount. For example, Georgia’s is $9.70.

To reiterate, it is not necessary to send a HIPAA with the HITECH letter. Doing so makes the request appear as though it is coming from a law firm or similar entity. When this happens, a medical provider can deny the “HITECH request” and charge state-mandated fees for a copy of the records. Be cautious if they state they also need a HIPAA authorization to process the request.

Lastly, there are only two categories of protected health information excluded under the Privacy Rule. These include: 1) psychotherapy notes, the personal notes of a mental health care provider; and 2) information collected for use in a civil, criminal, or administrative action or proceeding. Furthermore, there are limited circumstances which constitute grounds for denial. They include the following: 1) the request is for psychotherapy notes; 2) the request comes from an inmate at a correctional institution and providing it would jeopardize their health or safety; 3) the PHI is part of a research study still in progress; 4) the requested records are in Privacy Act protected records; 5) the requested records were obtained by someone other than a healthcare provider. However, if the healthcare provider denies access to part or all of the protected health information, they must do so in writing.

In closing, becoming familiar with the Privacy Rule and how the HITECH Act helps enforce it is integral to ensuring law firms are receiving the most reasonable cost for the protected health information of their clients. The real challenge is being able to courteously contest invoices to make sure that healthcare providers are compliant with the fee structure of the Privacy Rule and aren’t overcharging individuals for the protected health information and violating HIPAA. Realistically, if all firms begin requesting records using the “HITECH letter,” then providers will become accustomed to its usage, and there will be less of a need to dispute invoices for medical records. In time, all clients’ medical records and bills will be affordable in electronic format, which is the ultimate goal of the HITECH Act.


Fancy things to cite in your dispute letters:

(2015). Notice of Proposed Rulemaking to Implement HITECH Act Modifications. Office for Civil Rights. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/guidance/proposed-rulemaking-to-implement-hitech-act-modifications/index.html


(2016). Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524. Office for Civil Rights. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs


(2017). Meaningful Use. Centers for Disease Control and Prevention. Retrieved from https://www.cdc.gov/ehrmeaningfuluse/introduction.html


42 U.S. Code § 17935- Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format. Cornell Law School. Retrieved from https://www.law.cornell.edu/uscode/text/42/17935


45 CFR 164.524 – Access of Individuals to Protected Health Information. Cornell Law School. Retrieved from https://www.law.cornell.edu/cfr/text/45/164.524


What is the HITECH Act? HIPAA Journal. Retrieved from https://www.hipaajournal.com/what-is-the-hitech-act/


What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records? HIPAA Journal. Retrieved from https://www.hipaajournal.com/relationship-between-hitech-hipaa-electronic-health-medical-records/