You have a right under both federal and state law to be provided a copy of your own medical records, and to receive it promptly after you make a written request. You also can authorize someone else – such as a lawyer at our law firm, or another doctor, or a family member – to be sent a copy of your records. Here is some detailed background on your legal rights to your medical records.
The Federal Law Is Called HIPAA
According to the Health Insurance Portability and Accountability Act (“HIPAA”), codified at 42 U.S.C.A. §§ 1320d-1320d-8, a “covered entity” must permit an individual to obtain a copy of their protected health information that is maintained in a designated record set. (45 C.F.R. § 164.524(b)(1)).
Who is Subject to HIPAA?
A ‘covered entity’ is “a health plan, a health clearinghouse, and a health care provider who transmits any health information in electronic form.” (45 C.F.R. § 160.103) This means that not all doctors are covered by the federal law – only those that use electronic medical records. (As a practical matter, this doesn’t affect your rights to get records but may affect what the doctor’s office is allowed to charge you.)
‘Protected health information’ includes information including demographic information collected from an individual that “relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.” (45 C.F.R. § 160.103)
Upon Receipt of an Adequate Authorization, Health Care Providers Must Release Medical Records
Providers must provide access to records when they get a valid authorization. Here is the regulation that defines what’s in a valid authorization: 45 C.F.R. § 164.508(b) and (c). A valid authorization must contain the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure, and to whom the covered entity may make the requested use or disclosure. 45 C.F.R. § 164.502(a)(1)(iv).
State Law is Similar
Health care providers also have a duty under state law to send you a copy of your medical records if you ask for them in writing.
Under D.C. law, “upon written request from a patient or client, or person authorized to have access to the patient’s record under a health care power of attorney for the patient or client, the health care provider having custody and control of the patient’s or client’s record shall furnish, within a reasonable period of time, a complete and current copy of that record.” (DC Code § 3–1210.11)
In Maryland, a health care provider shall disclose a medical record on the authorization of a person in interest. An authorization shall be in writing, dated, and signed by the person in interest; state the name of the health care provider; identify to whom the information is to be disclosed; and state the period of time that the authorization is valid, which may not exceed 1 year. (Md. Code Health Gen § 4-303)
Under Virginia law, health care entities may, and, when required by other provisions of state law, shall, disclose health records upon the receipt of the written authorization of the individual or in the case of a minor, his custodial parent, guardian or other person authorized to consent to treatment of minors. (VA Code §32.1-127.1:03(d) )
An Individual Authorized to Make the Request
If a patient is legally incapable of acting for himself or herself, under HIPAA, the health care provider must treat a legally authorized personal representative as the individual for purposes of disclosing medical records. (45 C.F.R. §§ 164.502(f)-(g).)
If under applicable law a person has authority to act on behalf of in individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. 45 C.F.R. § 164.502(g)(2).
Similarly, persons authorized to act on behalf of an estate of a deceased patient must be treated as the patient:
If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. 45 C.F.R. § 164.502(g)(4).
Upon Receipt of an Adequate Authorization, Health Care Providers must Release Medical Records Within 30 days.
“The covered entity must act on a request for access no later than 30 days after receipt of the request” 45 C.F.R. §164.524(b)(2)(i).
There are exceptions to the 30-day time period. “If the request for access is for protected health information that is not maintained or accessible to the covered entity on site, the covered entity must take [the required action] by no later than 60 days from the receipt of such a request.” 45 C.F.R. § 164.524(b)(2)(ii). Additionally, if the covered entity cannot meet the 30-day time limit, it may “extend the time for such actions by no more than 30 days, provided that” the entity provides the requesting individual with a written statement of the reasons for the delay and the date by which it will complete its action. 45 C.F.R. § 164.524(b)(2)(iii)(A). Only one such extension is permitted. 45 C.F.R. § 164.524(b)(2)(iii)(B).
Health Care Providers Must Release Medical Records in the Format Requested.
It’s best to specify in your request that you want the records in electronic format, if they’re kept that way by the hospital (or other provider). That will potentially save you a lot of money. (See next section.) Here’s what the federal regulation says: “The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual” 45 C.F.R. § 164.524(c)(2)(i). Thus, if the medical records are kept electronically and if the individually requests an electronic copy, the covered entity must provide the electronic format, if it is readily producible in such form and format. “The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if: (A) The individual agrees in advance to such a summary or explanation; and (B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.” 45 C.F.R. § 164.524(c)(2)(ii).
Health Care Providers are Allowed to Charge for Copies of Medical Records, But the Charge Must Be Reasonable.
HIPAA provides that the covered entity may impose “a reasonable, cost-based fee, provided the fee includes only the cost of: (i) Labor for copying the protected health information requested by the individual, whether in paper or electronic form; (ii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and; (iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(ii) of this section” 45 C.F.R. § 164.524(c)(4)(emphasis added). The Health Information Technology for Economic and Clinical Health Act (HITECH) provides that “any fee that the covered entity may impose from providing [a copy of records in electronic form] shall not be greater than the entity’s labor costs in responding to the request for the copy[.]” (Pub.L. 111-5, Div. A., Title XIII, § 13405(e), 42 U.S.C.A. § 17935(e).)
This means that the hospital or other provider can charge only for putting everything onto a CD or a secure website (a fee usually well under $100), not the per-page charges that many hospitals try to impose, which can run easily into many hundreds or even thousands of dollars for a long hospital stay.
This applies to any “covered entity,” as mentioned above. If the provider is NOT covered by federal law, they can charge fees as allowed by the state the entity is located in.
In the Washington, D.C. area, the District of Columbia has no specific fees allowed for a hospital’s transmission of medical records to a patient.
Maryland and Virginia do have statutes that limit the amount a health care provider may charge when a patient requests a copy of their records.
Maryland law allows a “fee for copying not to exceed 76 cents for each page of the medical record, and the actual cost of postage and handling. There may be a preparation fee of $22.88, if the records are sent to another provider.” (Md. Code Health Gen § 4-304) The federal HIPAA regulations do not allow a charge for a preparation fee for records provided directly to the patient.
Virginia code permits “reasonable charges of the hospital, nursing facility, physician, or other health care provider for the service of maintaining, retrieving, reviewing, preparing, copying and mailing the items produced. Except for copies of X-ray photographs, however, such charges shall not exceed $0.50 for each page up to 50 pages and $0.25 a page thereafter for copies from paper or other hard copy generated from computerized or other electronic storage, or other photographic, mechanical, electronic, imaging or chemical storage process and $1 per page for copies from microfilm or other micrographic process, plus all postage and shipping costs and a search and handling fee not to exceed $10.” (§ 8.01-413)
Here is an informal ruling from the HHS Office of Civil Rights on this subject of reasonable fees to patients for copies of their electronic records from hospitals. This letter shows that after the government’s intervention, the hospital reduced its fee from $624 to nothing. The letter also cites the key language in the Code of Federal Regulations. Department of Health & Human Services Ruling
Your Right to Complain
If a health care provider fails to honor your right to receive your medical records promptly and at a reasonable cost, you have the right to file a complaint with the Department of Health & Human Services’ Office for Civil Rights for Health Information Privacy. This can easily be done online at the Department of Health & Human Services website: https://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
Other States’ Laws
Here is a somewhat dated compilation of state laws done by a group at Georgetown University Law School, last updated in 2001 and 2002.
Part One: https://sharps.org/wp-content/uploads/PRITTS-REPORT1.pdf
Part Two: https://sharps.org/wp-content/uploads/PRITTS-REPORT2.pdf
While we cannot guarantee the information is up-to-date, it should help you get started on getting information about your own state.