The following blog was written for the HIPAA Secure Now community by DataFile Technologies, a leading provider of health data management including fast records release services with a 24-hour turn-around time, and an industry-leading accuracy rate over 99.9%.

You may have seen an uptick in medical records requests labeled with “HITECH Request” or experienced requestors arguing records release invoices and misusing Right to Access. Ostensibly, they’re citing this newer request type to obtain lower-cost medical records, but patients and providers are paying a heavy toll so that requestors can benefit.

This article is Part 1 of 2 about the growing abuse of Right to Access by third parties attempting to circumvent patient protection legislation in the interest of cost savings. While not all requestors of patient medical records are using this loophole with malicious intent, few healthcare organizations are fully aware of the implications for patients when they succumb to third party pressures.


Since 2004, “Right to Access” has been listed in 45 CFR 164.524 with the enactment of the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule). Over the years, the Department of Health and Human Services Office for Civil Rights (“OCR”) has dealt with complaints from patients unhappy about the time associated with obtaining their medical records and, of course, the cost. As a result, the OCR issued additional guidance that record requests under Right to Access delivered by fax or mail could be charged a “reasonable, cost-based fee” while patients requesting records electronically could be charged no more than $6.50.

Since then, the OCR provided a clarification, stating the $6.50 fee cap for medical records delivered electronically was not a mandated cap. The $6.50 charge was merely an alternative if a Covered Entity or Business Associate didn’t want to calculate the cost-basis of their medical records charges by outlining the costs of labor, supplies, etc. that’s provided for under the Right to Access regulations.

Fast-forward to today, the industry has seen a drastic increase an influx of attorneys, insurers and other requestors demanding a copy of patient medical records for $6.50 and erroneously citing the HITECH Act. Some statistics cite up to 90% of patient-directed copies are requested by someone other than the patient! [1]

On the other side of these requests are providers trying to figure out how to send records for $6.50 within 30 days and without undue delay, all while dealing with the myriad rising costs of managing a healthcare organization. Unfortunately, patients are caught in the middle, clueless as to the rights they’re giving up through the misuse of Right to Access.  More on that aspect below.

As a release of information provider, we’ve experienced a similar increase in the misuse of “patient-directed copies” and have some practical advice for medical practices and healthcare organizations combatting this trend.

Beware of tactics to circumvent your process

This article is the type of information being shared in certain circles of the legal community on how to circumvent the objections healthcare organizations provide to attorneys misusing Patient Right to Access for litigation purposes.

“A significant part of our pre-litigation effort is getting our client’s medical records. By using the following system, we keep our medical records costs down—and I mean really down. We rarely pay more than $10 per provider.”

This type of rhetoric shows that these requestors do not understand the time and expense healthcare organizations must incur in order to process requests in a manner that is consistent with both federal and state laws and, most importantly, protects the privacy of the patients whose medical information is being requested.

We get phone calls routinely from attorneys taking issue with our release of information fees that have been calculated consistent with the Right to Access regulations and OCR guidance, some of which can be rude or demeaning, in some cases downright belligerent. We recommend training your staff so they are prepared on how to handle these requestor calls and avoid the scare and intimidation tactics:

  • Provide your staff with a series of scripts for the common requestor objections;
  • Perform role-playing exercises with your staff so they can practice their scripts in a safe environment;
  • Document your training and do a refresher every six months with actual scenarios your staff has encountered;
  • Equip your staff with a FAQ on the topic so they can provide the requestor a deliverable that links your organization’s practices to the regulations and OCR guidance;
    • We often find attorneys arguing about HIPAA and the HITECH Act are actually unfamiliar with what is required by law and what is wishful thinking.
  • Have an escalation plan so that your staff knows what to do when a requestor threatens to report your organization to the OCR when the requestor is unsatisfied with your response.

Most healthcare staff members aren’t familiar with or used to dealing with less-than-pleasant attorneys arguing medical record fees. By giving them awareness and coaching, you can equip them to handle whatever complaints may come their way regarding your policies on Right to Access.

DataFile Technologies has assembled a Right to Access resource library for health organizations trying to better protect patient rights and combat the growing circumventions of those protections. Part 2 of this article, coming soon, will delve deeper into what organizations can do to avert this trend.

[1] Source: Association of Health Information Outsourcing Services

The post Right to Access was Implemented to Protect Patients but is Hurting Patients & Providers Alike (Part 1) appeared first on HIPAA Secure Now!.