HITECH-Compliant Medical Records Request Policy: Step-by-Step Guide and Checklist


Kevin Henry

HIPAA

July 15, 2024


This guide walks you through a HITECH-compliant process to request medical records with confidence. You will learn how to prepare a precise written request, target the exact records you need, obtain Electronic Health Records in the format you prefer, control delivery, understand Reasonable Fees, and ensure a Timely Response while maintaining Data Security Standards.

Prepare Written Request

Start with a clear, dated letter or secure message to the provider’s Health Information Management or records department. Identify yourself and the patient unambiguously and state that you are exercising your right to access Protected Health Information under federal law.

What to include

  • Patient identifiers: full name, date of birth, phone, mailing address, and (if available) medical record number.
  • Your request statement: that you are requesting access and disclosure of your medical records for personal use or continuity of care.
  • Authorization Requirements: if you are a personal representative, attach proof (e.g., healthcare proxy, power of attorney, court order) and government-issued ID.
  • Preferred communication method for questions (email or phone) to speed resolution of any ambiguities.
  • Signature and date; for electronic submission, follow the portal’s authentication steps.

Checklist

  • Draft request on the same day you plan to send it; keep a copy.
  • Attach identity and authority documents, if applicable.
  • State that you prefer electronic records when available.
  • Ask the provider to contact you promptly about any missing information.

Specify Records Needed

Describe the scope precisely to reduce costs, speed processing, and avoid unnecessary disclosures. Target the “designated record set,” which typically includes clinical notes, lab results, imaging reports, medication lists, allergies, discharge summaries, and billing records—excluding psychotherapy notes and documents prepared for litigation.

How to define scope

  • Date range: e.g., “All records from January 1, 2023 to present.”
  • Service types: office visits, hospitalizations, surgeries, immunizations, labs, radiology.
  • Providers or locations: name the clinic, hospital, or department to narrow retrieval.
  • Data elements: problem list, medication list, allergies, progress notes, operative reports, discharge summaries, and billing statements.
  • Exclusions: explicitly state if you do not want certain sensitive categories.

Checklist

  • Use specific dates, providers, and document types to avoid an overbroad “all records” pull.
  • Reference Electronic Health Records to emphasize that ePHI should be provided electronically when maintained that way.
  • State that if any portion is not readily producible in the requested format, you will accept a readable alternative.

Request Electronic Format

When your information is stored in an Electronic Health Record, you can request an electronic copy. Specify the form and format you want and a secure transmission method aligned with Data Security Standards.

Form and format options

  • Common formats: PDF, machine-readable C-CDA, or FHIR/CSV exports when available.
  • Media: secure portal download, encrypted email, or encrypted USB/DVD if electronic transfer is not feasible.
  • If you choose unencrypted email, acknowledge the risk in writing to allow that method.

Checklist

  • State: “Please provide an electronic copy of my records maintained in your Electronic Health Records system.”
  • Choose one format (e.g., PDF or C-CDA) and one transmission method to prevent delays.
  • Request an index or file naming convention if multiple files will be sent.

Provide Delivery Details

Tell the provider exactly where and to whom the records should be sent. You may ask that electronic records be sent directly to you or, where permitted, to a third party you designate.

Destination specifics

  • Direct to you: provide a secure email address or patient portal account.
  • Third-party delivery: include the recipient’s full name, organization, and complete address or secure email. Note that a patient’s directive to send ePHI from an EHR to a third party must be in writing and clearly identify the recipient.
  • Physical media (if needed): provide a mailing address and consent to use encrypted media.

Checklist

  • Include precise delivery instructions in the original request to avoid rework.
  • Ask the provider to confirm when the records are ready or sent, including the transmission method and date.
  • Retain tracking numbers or confirmation messages as proof of Access and Disclosure.

Understand Applicable Fees

Providers may charge a Reasonable Fee that is cost-based. Permissible charges generally include labor for copying (including compiling and preparing electronic files), supplies (e.g., USB), postage, and preparation of a summary if you agree to receive one.

Fee guardrails

  • No “retrieval” or “handling” fees unrelated to copying and delivery.
  • No per-page fees for electronic copies from an EHR; paper copies may have per-page charges subject to state limits.
  • Providers may use actual cost calculations, a schedule of average costs, or a simple flat fee for electronic copies when appropriate; ask for an itemized estimate in advance.
  • More protective state laws (e.g., lower caps) prevail over federal baselines.

Checklist

  • Request a written, itemized fee estimate before records are produced.
  • Ask whether an electronic delivery option can reduce costs.
  • Keep receipts and invoices with your request file.

Follow Up on Request

Track dates carefully to ensure a Timely Response. In general, providers must respond within 30 calendar days of receiving your request; if they need more time, they may take one additional 30-day extension by notifying you in writing with the reason and a new completion date.

Monitoring and escalation

  • Mark the request “received” date and calculate the 30-day deadline.
  • Follow up at day 10 and day 20 to confirm status and resolve questions early.
  • If delayed, ask for the written extension notice before day 30.
  • If issues persist, escalate to the provider’s privacy officer; you may also file a complaint with the appropriate regulators.

Checklist

  • Keep a timeline: request date, confirmations, phone calls, and delivery date.
  • Verify you received the requested scope, format, and destination.
  • Securely store the files and confirm they open correctly; report any transmission errors promptly.

Summary: A precise written request, narrow scope, clear electronic format, unambiguous delivery details, and an upfront fee estimate are the keys to a smooth, HITECH-compliant process. Document every step, and follow up proactively to ensure your records arrive on time and in the form you need.

FAQs

What is the timeframe for a provider to respond to a medical records request under HITECH?

Generally, under the HITECH Act, you should receive access within 30 calendar days of the provider receiving your request. If more time is needed, the provider may take one additional 30-day extension by sending you a written notice before the initial deadline that explains the delay and states a new completion date. Some states require shorter timelines; the more protective rule applies.

How can I request electronic copies of my medical records under the HITECH Act?

State in writing that you want an electronic copy of your Protected Health Information maintained in the provider’s Electronic Health Records system. Specify your preferred format (for example, PDF, C-CDA, or FHIR export) and secure delivery method (portal download, encrypted email, or encrypted USB by mail). If you want the provider to send ePHI from an EHR directly to a third party, identify that recipient clearly in your written request.

What fees are permitted when obtaining medical records under HITECH?

Only Reasonable Fees that are cost-based are permitted. These typically include labor for copying (including compiling and preparing electronic files), supplies such as a USB drive, postage for mailed media, and the preparation of a summary if you request one. Retrieval or administrative fees not tied to copying and delivery are not allowed. Per-page charges are not permitted for electronic copies from an EHR; paper copies may have per-page costs subject to state limits.

How should I specify the medical records needed in my request?

Define a clear date range, list the specific providers or facilities, and identify document types (for example, progress notes, labs, imaging reports, discharge summaries, and billing records). Indicate any exclusions for sensitive categories you do not want. Referencing the “designated record set” helps the provider focus on the core clinical and billing information while avoiding unnecessary disclosures and fees.
