Defeating The Medical Records Paper Copy Scam

Hardly a day goes by without a letter from my office either requesting medical records or paying for them. Some days, I sign more than a dozen. It’s perhaps the most common thread among all my cases: the vast majority of my clients have been physically injured in one way or another, and at a bare minimum, I need the records from their doctors and hospitals to show the diagnoses they have and the treatment they have received.

Every patient has a right to receive their medical records, and by law should be able to obtain those records promptly at no markup, with no padded fees, and no unnecessary charges from the hospital or the records company. But if there’s money to be made, someone will try to make it, and over the past decade a whole cottage industry has developed around the “business” of trying to cheat patients trying to get their medical records. Sometimes health care providers outsource this “business” to third-party companies, and sometimes the hospitals and health systems play the con game themselves.

Federal law is quite clear: a patient has the “right to obtain from [their health care providers] a copy of [their medical records] in an electronic format,” 42 USC § 17935(e)(1), and that health care provider is allowed to bill “only the cost of … [c]opying, including the cost of supplies for and labor of copying,” 45 CFR 164.524(c)(4)(i). This is all part of the the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Simple, right? If a hospital wanted to do the right thing, then whenever a patient requested records, the hospital would send them a CD in the mail and a modest bill, one that would typically be under $50 and would never exceed $100. But there’s no money to be made in charging “only the cost” of copying electronic records to a CD, so a number of these entities have a policy that, if a patient requests their records, then the hospital bills the maximum it possibly could.

To bill the maximum, the hospital always assumes, even if the patient requests otherwise, that the patient wants paper copies, literally nothing more than the hospital printing a copy of what it has on the computer. That’s because the HITECH Act doesn’t cover the cost of paper copies, state law does, and the lobbying groups for doctors and hospitals have a lot more influence in the State Departments of Health when it comes to allowing scams that fly under the radar. In Pennsylvania, for example, printed copies of medical records can go for up to $1.44 per page. In New York, it’s $0.75 per page. In Texas, $30 for your first 10 pages, then $1 per page and a graduated scale after that. And on and on. (Edit: I forgot to link to Tom Lamb’s state-by-state summary.)

If an attorney requests these records, and specifically points out that only an electronic copy was requested and that the charges for paper copies are illegal, the hospital often tries to pull another trick, claiming that the HITECH Act’s medical records billing limits apply only to requests directly from the patient that are going straight to the patient, and so they don’t apply to us, even though we’re requesting them for the patient, at the patient’s request. This trick is, of course, also morally and legally wrong: as the Department of Health and Human Services made clear, “The final rule adopts the proposed amendment Sec. 164.524(c)(3) to expressly provide that, if requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.” Federal Register January 25, 2013 Vol 78 No. 17, Page 5634.

Despite the clarity of the law, we still spend an enormous amount of time trying to pry our clients’ records out of these hospitals’ greedy little hands.

Earlier this month, for example, while getting records for a birth injury case, I first got the run-around. The health system sent me a certification from one of their locations that they had no records on the child even though I had specifically requested records from a different location, where the child had been hospitalized in the NICU for several weeks. They blamed my firm for the mistake (as if we couldn’t read our own letter requesting the records from the correct location), and then, a week later, I received a bill from an outside medical records processing company: 2,588 pages at a cost of $1,004.34.

I went ballistic. A week later, the bill was $24.97, and I could download the full records immediately.

This isn’t about saving my firm a buck; even if we paid the entire cost upfront, the cost of these records is reimbursed from the settlement (that’s true whether the attorney’s fee is calculated before costs or after costs). It’s about stopping this cottage industry of records-cost-padding from getting bigger, and maybe even rolling back the tide.

Below is a sample letter to use in your requests. If they don’t follow the law after receiving such a letter, file a complaint with the Department of Health & Human Services’ Office of Civil Rights for Health Information Privacy.

Enough is enough. These companies cannot prey upon our clients.

Sample Letter:

I represent the above-named patient of yours, and as shown by the enclosed authorization, they have authorized you to produce their medical records to me. Pursuant to the HITECH Act, 42 U.S.C.A. §17935(e)(1), and its implementing regulations, 45 CFR 164.524(c)(4)(i), we are requesting, in an electronic format only, a complete copy of the patient’s medical records from [insert date] to [insert date]. Please be aware that the HITECH Act applies to requests by third-parties, like our law firm, just the same as it applies to requests by patients: “if requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.” Federal Register January 25, 2013 Vol 78 No. 17, Page 5634.

The records should include, if applicable, their Hospital admission face sheet; Discharge summary; Admission history and physical; Progress notes; Orders; Consultation; Radiology reports; Lab values; Graphic vital signs; Anesthesia record; Operative reports and notes; Pathology reports; Recovery room; Nurses notes; Medication records; Outpatient records; Emergency room records; Special diagnostic tests; and Fetal strips.

We are not requesting paper copies. Do not bill us for paper copies. The HITECH Act and its regulations do not allow you to bill for paper copies when an electronic copy has been requested. I will not hesitate to file a complaint with the Department of Health & Human Services (HHS) if you violate the law by improperly applying the paper copies rate for electronic records.

If any of the above records are available only as paper copies, and have never been made into an electronic format, please identify the record and provide the cost of copying.

Please fax, email, or call us with the amount you intend to charge before sending the records. If you send us a bill for paper copies of electronic records, you should expect that we will file a complaint with HHS. If you follow the HITECH Act, we will pay our bill promptly.

  • Dave

    Thanks, Max! Your letter should accomplish the same result for defense counsel who present a plaintiff’s signed HIPAA releases. Too bad it wouldn’t seem to work with a subpoena alone. But I think we can agree that a racket is a racket regardless!

    • Max Kennerly

      You are right: the rule should apply just the same to defendants requesting copies with authorization, and I hope they give the medical records companies grief, too.

  • Corey Pollard

    Great article, Max. I handle workers’ comp, PI, and SSDI cases and share your frustration with hospitals and medical records vendors. I plan on trying your approach.

    • Max Kennerly

      Good luck! It’s still a fight, but one I am winning more often now armed with the above. Let me know if you learn anything else useful to us.

  • Rachel

    Do you fight this fight on every request? Or just the big dogs?

    • Max Kennerly

      Short answer is: the big dogs. A solo family doctor who says they don’t have electronic records gets a pass. A cardiology group affiliated with a health system that brings in millions a year? They’ve got enough money and they need to follow the law.
      Someone raised a similar issue on Philip Thomas’ blog, and my response was:

      I’ve yet to encounter a hospital that hasn’t gone to electronic copies; most went years ago. Most group practices have as well, in part because of the billions of dollars in incentives provided by the HITECH Act. Individual doctors get a different request letter to start; notice that my post is all about hospitals.
      A couple of times, a group practice has told me they don’t keep electronic copies. When that happens, I send them a follow-up letter asking them if they’ve received any HITECH EHR grants, and, if so, recommending they speak with their counsel about the certification requirements for “meaningful use.” Whaddayaknow, after that I get the electronic records that didn’t exist a week before that.
      Call me a “jerk” all you like, I spent years being nice and my firm and my clients paid the price, this has been the only solution that has worked for my clients against an industry devoted to ripping off patients. I consider it “unnecessarily confrontational” that virtually all of my requests for electronic records are met with an illegal demand for money. Everyone who works in this field knows exactly what I’m talking about — and several defense lawyers have already told me thanks for the post, because they, too, have seen their clients ripped off and are tired of it.

      • Rachel

        I’m going to give it a try over here in MN… although I’m toning it down a bit to keep it Minnesota nice. Wish me luck!

        • Max Kennerly

          Good luck! Let me know how it works out.

        • Rachel

          They’re kicking back – since I just sent the normal HIPAA release with my letter. I’m going to try it again once with the client’s simple one sentence request letter too. But at least now I have the “Compliance Officer” involved – she’s citing HHS-OCR law relating to a “personal representative” and saying I am not a one of those. She’s also citing 164.524(c)(4) but citing the comment section of the final rule from 2002: 67 Fed Ref. 53254, Aug. 14, 2002. I understand this may be superceded by the 2013 regulatory history. They also think that state law is not pre-empted by the federal law in this arena since the federal law is not contrary to state law. What?! Wouldn’t you say it is directly contrary?

          Also, this argument: the HIPAA access for patients entitles patients to access to “review the information, check for inaccuracies, request amendment and correction, etc.” BUT NOT FOR ATTORNEYS because “these access provisions and the intent of the rules do not apply to the request and use of patient medical records, or other PHI, by attorneys in reviewing the standard of care received by the patient or in evaluating potential malpractice claims.”

        • Max Kennerly

          The “personal representative” one can get a little tricky, given the ambiguous role of state law. HIPAA follows state law on whether a “next of kin” can get records — the rule in most states I practice in — or whether they need to be a personal representative.

          The 2002 rule is plainly superceded by 2013. If a patient requests electronic records go to a third party — a doctor, an insurance company, or, yes, a lawyer — then HITECH applies. Simple.

          I love the argument about “potential malpractice claims.” Call up the compliance officer and ask them to cite where in the act or the regs or the rule it says that.

          If all else fails, ask them how much it really costs, then cite them 78 FR 5566, 5607 (January 25, 2013):

          “In response to comments about the types of costs that are permitted in the reasonable cost-based fee to prepare and transmit the data, we clarify that this may include both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed. We believe allowing a profit margin would not be consistent with the language contained in Section 13405 of the HITECH Act.”

          Any profit, of any sort, of records covered under the HITECH Act is wrong.

  • Thank you!

    Great post. Definitely saving this for the future. Typically I’m requesting records from small doctors and they charge less than $20.00 (or nothing) for faxed records (I’m not a personal injury lawyer). But, the hospitals, man; got a bill for $200 something for about 75 pages of records on an ER visit. Blew up at them on the phone and we worked it down to $50.00. Thanks for letting me know about the HITECH Act. Will absolutely use it in the future.

  • Ivan Hannel, Esq.

    So I saw a summary of this article from the list-serve for the Arizona Trial Lawyers Association. Of course, who’s name/link is there? Max Kennerly. I was happy to see. Best blog out there. Copying your letter for future use. Great share. Thank YOU.

    • Max Kennerly

      Good luck! Let me know how it works out, and if you learn anything useful. My plan is to revise this post to reflect people’s successes and failures.

  • Ivan Hannel, Esq.

    The former president of the Arizona Trial Lawyers Association replied to me with some more info as far as the 9th Circuit goes… More info to you, Max.

    When requesting records using HIPPA & HITECH authorizations the Ninth Circuit case that holds that the request must come from the patient, not from the representative. Thus if you send the letter even though the authorization is from the client that case says it is not a valid request.Therefore you need to have the client sign a letter to the HCP requesting all of the records and telling the HCP to send the records to you. Note: The Health and Human Services Final Rule provides that violations due to willful neglect may be assessed a penalty ranging from $10,000 to $25, 000.

    Case is Webb v. Smart Document Solutions, LLC, 499 F.3d 1078 (9th Cir., 2007).

    • Max Kennerly

      Thanks. The Webb case turned on the 9th Circuit’s interpretation of the regulatory history. See Webb, 499 F.3d at 1085-1086 (citing 65 Fed.Reg. 82492). As referenced above, though, as of 2013, the regulatory history is completely different now: “The final rule adopts the proposed amendment Sec. 164.524(c)(3) to expressly provide that, if requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.” Federal Register January 25, 2013 Vol 78 No. 17, Page 5634. To the extent Webb was rightly decided (an iffy proposition), it has been superceded.

      Moreover, there’s another way make your request a “direct” request from the patient: have your client sign both a typical HIPAA authorization as well as a simple, one-sentence letter to the provider requesting their records (in an electronic format only) be sent to you. The two are not the same. (And of course the patient could use that same letter to have the records sent to them, and then forwarded to you; that’s more cumbersome and frustrating, but it achieves the main point of avoiding the excessive fees.)

  • ZMW29

    I don’t practice in an area where I’d be in a position to use this letter, but its a great model for any demand letter in terms of tone, clarity, and authority. I’m keeping a copy of this letter for some of the limited scope landlord-tenant cases I work.

  • Ashley Fournet

    Thanks so much for this! It’s amazing! I’ve been fighting with Healthport over this issue and I refuse to pay them. Love the letter.