How To Properly Obtain Medical Records For Personal Injury Cases
“HIPAA”, the Health Insurance Portability and Accountability Act, 29 U.S.C.A. § 1181 et seq., prohibits disclosure of individually identifiable health information and regulates persons with access to individuals’ health information. See e.g., University of Colorado Hosp. v. Denver Pub. Co., 340 F. Supp. 2d 1142, 32 Media L. Rep. (BNA) 2251 (D. Colo. 2004).
a. Patient Access
From the patient’s perspective HIPAA ensures a patient’s access to medical records. The HIPAA Privacy Rule, promulgated by the Department of Health and Human Services (HHS) under (HIPAA), generally guarantees that a patient has access to his or her medical records with a 30 day deadline by which time access must be provided (unless the information is not maintained or accessible on site). HIPAA §§ 1 et seq., 110 Stat. 1936; 45 C.F.R. § 164.524(b)(2). See Association of American Physicians & Surgeons, Inc. v. U.S. Dept. Of Health and Human Services, 224 F. Supp. 2d 1115 (S.D. Tex. 2002), aff’d, 67 Fed. Appx. 253 (5th Cir. 2003).
Beginning April 5, 2021, the program rule on Interoperability, Information Blocking, and ONC Health IT Certification, which implements the 21st Century Cures Act, requires that healthcare providers give patients access without charge to all the health information in their electronic medical records “without delay.” See https://www.healthit.gov/curesrule/What Information Must be Accessible? The rule gives patients immediate access to health information in their electronic medical record, without charge by the provider, including the notes their clinicians write. The rule covers the following eight types of patient data that must be made available to patients electronically:
- Consultation Notes;
- Discharge Summary Notes;
- History and Physical;
- Imaging Narratives;
- Laboratory Report Narratives;
- Pathology Report Narratives;
- Procedure Notes; and
- Progress Notes.
HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual/entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule. To comply with the 1996 (HIPAA) privacy rules, medical malpractice defense counsel who wish to interview a plaintiff-patient’s treating health care provider must obtain authorization separate and apart from any other authorization and state in bold letters that purpose of disclosure is not at request of plaintiff-patient, but that purpose is to assist defendant in defense of lawsuit. Health Insurance Portability and Accountability Act of 1996, §§ 1 et seq; Keshecki v. St. Vincent’s Medical Center, 5 Misc. 3d 539, 785 N.Y.S.2d 300 (Sup. Ct. 2004).
c. HITECH Act
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), 42 U.S.C. § 17935(e)(3). HITECH modified HIPAA regulations and made it easier for a patient to obtain copies of their medical by a written (letter) request for records sent in electronic form. See 45 CFR §164.524.
HITECH, however, only applies to records requests from a patient, when the request comes from the patient directly and is in writing. HITECH also applies when the patient requests that their medical records be sent to a designated representative, including the patient’s attorney. HITECH does not apply when an attorney requests the patient’s medical records. When the request is in writing from the patient, the healthcare professional must comply with HITECH and its rules. When the request is from any other source, however HITECH does not apply, and the healthcare professional can charge under state law and its rules, including the standard handling fee and per-page charge. See R. Leslie, Top 10 Rules For Requesting Low-Cost Medical Records Under HITECH/HIPAA. A provider must provide the medical records on a CD or link with a maximum charge of $6.50. However, higher costs can be charged for records maintained on paper only. Id. Importantly, a patient can designate any third party (including attorneys) to receive the records. The designee has all the same rights to low-cost records as the individual. There is no special rule for attorney designees. See Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1080 (9th Cir. 2007)(“Our holding, however, in no way precludes attorneys from assisting their clients in accessing and obtaining their medical records without triggering the hefty fees.” Id. at 1089. Webb therefore holds that an individual’s letter to receive medical records may designate attorneys.
A good HITECH letter should state in that the records request is made pursuant to the HITECH Act. The letter should ask both a full and complete copy of all medical records and itemized billing records in electronic form. The request should also specifically state that the records be certified, and that they be provided in .PDF, CD, DVD or jump drive. The letter should also pre-authorize a charge of any amount below $25, which then ensures prompt processing of HITECH requests while preventing responses billed using HIPAA rates. The letter must also be signed by the client. Note, a letter signed by the patient asking for records serves as the authorization. No HIPAA release is required.
Providers may attempt to exclude records or services from the request. For example, a hospital may fail to include, or separately charge for, imaging films. But such films fall within the definition of “electronic health record” contained within the Act, because they are electronic records “created, gathered, managed, and consulted by authorized health care clinicians and staff.” If providers refuse to scan records that are in paper copy only, direct them to HHS’ website, that states that individuals are entitled to materials that can be readily scanned: https://www.hhs.gov/hipaa/for-professionals/faq/2055/if-an-individual-requests-an-electronic-copy/index.html. If a provider still refuses to provide records in accordance with the HITECH Act an e-mail should be sent noting that a complaint will be filed with Department of Health & Human Services’ Office of Civil Rights. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf
For cases involving many records (whether for one patient or for many plaintiffs) it may be advisable to use a commercial service/vendor to obtain the records. Medical records retrieval companies can deliver authorizations; advance custodial fees; retrieve all types of records; duplicate X-rays, films, scans; upload to a secure online system; provide har copies; and provide client views/prints/saves.
e. Subpoenas / Court Orders
Confidentiality requirements of Health Insurance Portability and Accountability Act (HIPAA) do not prevent obtaining medical records where a medical condition is directly in issue. HIPAA contains an explicit authorization for the release of patient medical records for judicial proceedings, and as long as a party complies with HIPAA provisions, including providing assurances that the subpoena seeks information that is relevant to the litigation. See 45 C.F.R. § 164.512(e). Booth v. City of Dallas, 312 F.R.D. 427, 93 Fed. R. Serv. 3d 455 (N.D. Tex. 2015). See also: (HIPAA) privacy rule does not prevent informal discovery under New York law in the form of ex parte interviews of treating physicians, but rather imposes procedural requirements, i.e. requiring attorney wishing to contact adverse party’s treating physician to first obtain valid HIPAA authorization or court or administrative order, or to issue subpoena, discovery request or other lawful process with satisfactory assurances relating to either notification or qualified protective order. HIPAA, 42 U.S.C.A. § 1320d et seq.; 45 C.F.R. §§ 164.502Me(a)(1), 164.508(a,c), 164.512(a), (e)(1)(i-ii). Arons v. Jutkowitz, 9 N.Y.3d 393, 850 N.Y.S.2d 345, 880 N.E.2d 831 (2007). Note the necessity of relevance to obtain medical records by court order or subpoena. McEnany v. Ryan, 44 So. 3d 245 (Fla. Dist. Ct. App. 4th Dist. 2010)( in camera review of the records was warranted to protect defendant’s constitutional privacy rights and determine whether there was good cause for disclosure; records of defendant’s hand surgery and childhood treatment for acne was unlikely to be relevant to defendant’s possible ingestion of medication for attention deficit disorder).
For more information on the effective use of medical records in personal injury cases see: