HITECH Right of Access: How to Process Medical Record Requests Lawfully
The HITECH Act strengthened the HIPAA Privacy Rule’s right of access, making it easier for patients to get copies of their medical records and to receive them electronically. This guide shows you how to process requests lawfully, minimize delays, and standardize your workflow while protecting patient privacy.
HITECH Act Overview
HITECH works alongside HIPAA. HIPAA grants individuals the right to inspect or obtain copies of their records, and HITECH expanded this right for electronic health information by promoting Electronic Health Records and electronic delivery. Together, they set expectations for format, timing, fees, and documentation.
Key definitions you will use
- Protected Health Information: individually identifiable health information maintained or transmitted in any form, including ePHI in Electronic Health Records and related systems.
- Designated Record Set: the records you use to make decisions about individuals, typically medical and billing records, enrollment, case management, and other decision-making records. It does not usually include peer review files, quality assurance notes, or administrative scheduling data.
Understanding what belongs in the designated record set helps you scope responses correctly and avoid over- or under-disclosure.
Patient's Right of Access
Patients may inspect or receive a copy of PHI in your designated record set and may direct you to send a copy to a third party. Access covers paper and electronic records, images, test results, and billing information, unless a specific exclusion applies.
Requests and verification
- You may require that requests be in writing and may verify the requester's identity by reasonable means, but neither step may create an unreasonable barrier; for example, you cannot insist that the patient appear in person or use a portal when another method is readily available.
- Personal representatives (for example, a parent of a minor or someone with a valid health care power of attorney) have the same right of access as the patient, unless state law or court orders say otherwise.
Access vs. authorization
A right-of-access request from the patient does not require a Patient Authorization. If the patient asks you to send records to a third party, a signed written direction that clearly identifies the recipient and where to send the copy is sufficient. Note that since Ciox Health v. Azar (2020) this third-party directive applies under the access right to electronic PHI in an Electronic Health Record; for other disclosures that are not made pursuant to the patient's access right, use a HIPAA authorization.
Timeliness of Response
Access request timeliness is critical. You must provide access as soon as reasonably possible and no later than 30 calendar days from receipt. If you cannot meet 30 days, you may take one extension of no more than 30 additional days, but you must send the patient a written notice within the original 30-day period stating the reason for the delay and the date by which you will complete the request.
Practical timing rules
- Start the clock the day you receive the request in any designated channel (portal, mail, fax, email, or in person).
- If state law sets a shorter deadline, follow the stricter standard.
- Do not delay access while awaiting payment for services; only copy/delivery fees may be collected, if applicable.
- Provide partial access promptly if part of the record is readily available while the rest requires more time.
Fees for Record Requests
Record request fees must be reasonable and cost-based. You may charge only for the labor to copy (including the labor to extract and compile an electronic copy), supplies such as paper or portable media when the patient requests them, postage if mailed, and the preparation of a summary or explanation if the patient agreed to one in advance. You may not charge for searching, retrieving, maintaining systems, or verifying identity.
Setting compliant fees
- Electronic copies: per-page fees are not permitted. You may charge the actual cost, use a documented average-cost schedule, or, for PHI maintained electronically, charge a flat fee of no more than $6.50, the ceiling OCR's access guidance sets for flat fees on electronic copies.
- Paper copies: charge actual costs consistent with HIPAA, and ensure any per-page amounts comply with applicable state limits when the patient requests paper.
- Third-party recipients: when a patient exercises the access right and directs you to send records to a third party, note that the court in Ciox Health v. Azar (2020) vacated the extension of the patient-rate fee cap to such third-party directives, and OCR has stated it will not enforce the cap for them; the cap still applies whenever the patient receives the copy directly.
Always provide a fee estimate up front, explain what it covers, and offer lower-cost electronic options when possible.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Denial of Access
Legal denial criteria are narrow and must be applied carefully. If only part of the record qualifies for denial, provide the rest. All denials must be in writing, issued within the same 30-day deadline, and include the basis, the individual's rights (including any right to have the denial reviewed), and instructions for complaining to your organization and to the HHS Secretary.
When denial is permitted without review
- Psychotherapy notes, which by definition are kept separate from the rest of the medical record.
- Information compiled for or in reasonable anticipation of a civil, criminal, or administrative proceeding.
- Information obtained from someone other than a health care provider under a promise of confidentiality, where access would likely reveal the source, and information whose release is otherwise prohibited by law. These are examples, not an exhaustive list.
When denial may be subject to review
- Granting access is reasonably likely to endanger the life or physical safety of the individual or another person.
- Access would reveal a third party’s PHI and is reasonably likely to cause substantial harm.
- A personal representative’s access is reasonably likely to cause substantial harm to the individual.
How to issue a compliant denial
- Deliver a timely written denial that cites the specific reason and identifies any review rights.
- Offer a summary or explanation in place of a copy only if the individual agrees in advance, including to any fee; for a denial that is subject to review, arrange prompt review by a licensed health care professional who did not take part in the original decision and act on that reviewer's determination.
- Document the decision path and retain the denial notice in your request file.
Electronic Format Requests
When PHI is maintained electronically, provide a copy in the electronic form and format requested if readily producible. If not, provide a mutually agreed alternative that is readily producible, such as PDF, text, or a standard export from the Electronic Health Records system.
Delivery options
- Patient portals or secure file exchange are preferred for ePHI.
- Encrypted email is acceptable; if a patient prefers unencrypted email after being advised of the risk and consents, you may honor the request and document the discussion.
- Removable media (such as a CD or secure USB) may be used if it aligns with your security policies and is readily producible.
Third-party directions and APIs
- Honor clear written patient directions to send records to a third party, including another provider, an app, or a caregiver.
- Do not force patients to use a portal if they request another readily producible format or transmission method.
- Ensure that data pulled from modules outside the core EHR are included if they are part of the designated record set.
Compliance and Documentation
A consistent process reduces errors, accelerates fulfillment, and demonstrates compliance. Build a standard operating procedure that staff can follow end to end.
Step-by-step workflow
- Intake: capture the request date, requester identity, preferred format, destination, and scope.
- Verify identity with reasonable, non-burdensome methods; confirm authority of personal representatives.
- Scope the designated record set and clarify exclusions; confirm whether inspection, paper, or electronic copy is requested.
- Calculate any allowable cost-based fee and provide a clear estimate; offer lower-cost electronic options.
- Set the deadline (30 days from receipt) and track milestones; send an extension notice once if needed.
- Prepare the record: compile, review for limited denials, and redact only when necessary.
- Transmit via the agreed format and method; document warnings and consent for unencrypted email if used.
- Provide a fulfillment notice that lists what was sent, how, when, and to whom.
- Archive the request, correspondence, fee calculation, and delivery proof for your retention period.
- Monitor turnaround times and audit a sample of requests for accuracy and access request timeliness.
Training and oversight
- Train staff on the difference between access requests and disclosures that require Patient Authorization.
- Maintain up-to-date fee schedules, templates for extension and denial notices, and quick-reference checklists.
- Designate a privacy lead to resolve complex cases and to review any proposed denials.
FAQs
What is the HITECH Act's impact on medical record requests?
HITECH reinforces HIPAA’s access right by emphasizing electronic access. It encourages use of Electronic Health Records, requires providing e-copies when maintained electronically, and clarifies that patients can direct you to send records to a third party, all while maintaining privacy safeguards.
How quickly must medical records be provided under the HITECH Act?
You must act promptly and provide access no later than 30 calendar days from receipt of the request. One additional 30-day extension is allowed with advance written notice stating the reason and a specific completion date. If state law is stricter, follow the shorter deadline.
Can fees be charged for electronic medical record copies?
Yes. You may charge only a reasonable, cost-based fee that covers labor for copying or creating the electronic file, supplies such as requested portable media, and postage if mailed. Per-page fees are not permitted for electronic copies; a flat fee of no more than $6.50 for PHI maintained electronically is a compliant option.
When can access to medical records be lawfully denied?
Denials are limited to specific situations, such as psychotherapy notes, information compiled for legal proceedings, or when access would likely endanger life or safety. Provide a written denial, explain any review rights, offer partial access when possible, and document your decision.