Medical Record Retrieval In the Modern Era: A Primer On HITECH

By Martin A. Ginsburg

The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 was a natural outgrowth of the Health Information Portability and Accountability Act (HIPAA). HIPAA was designed to protect personal information while facilitating the transfer of information between the “covered entities” to improve the continuity of care across the spectrum of providers.

An unfortunate consequence of ratcheting up protections under HIPAA for personal health information was to make it more difficult for patients to access their own records. With unauthorized disclosures so broadly defined, additional consequences of non-compliance included the threat of civil penalties levied by the courts and limits being placed on reimbursements and payments by the Federal government.

The solution to this difficulty is included in HITECH. While the HITECH Act adds protections and accountability mechanism requirements, its core purpose was to ease access to medical records for patients. Doing this has led to significant confusion over requirements across a variety of businesses. Healthcare providers, law firms, insurance companies, medical device manufacturers, and others are affected by these regulations.

In my work, I am required to approach these regulations from several divergent perspectives and have had the opportunity to discuss the rules with professionals across the spectrum who are affected by these regulations. Working with attorneys as a nurse paralegal, medical record retrieval is most often focused on medical malpractice and wrongful death matters. In my independent consultancy, I also work with patients and their families to understand what led to an unexpected outcome, especially in cases where no negligence may be ascribed.

The focus of this article is using HITECH to retrieve medical records. It should be noted that while the tool is widely heralded as a panacea, I have never seen it that way. I always look at arguments from the point of view that I am wrong and try to understand what counter-argument would invalidate my points. I approached this topic that way when first asked to retrieve medical records. After a number of frustrating, headache inducing, attempts; I felt the best thing to do was to fall back and re-group. Believing that no one has ever won a game they didn’t understand, I spent a couple of hours each week, for almost two years, reading several hundred articles on the topic. Using their bibliographies and works cited lists, I managed to dig deep enough into the Federal website. After looking for the statutes and regulations, I started quizzing the attorneys I work with to help me understand what the rules were designed to do.

There are benefits and costs associated with the use of HITECH. While not widely understood, the scope of a valid HITECH request could easily be: physician and nursing notes; ancillary care provider notes; labs; all imaging studies and their reports; billing and insurance; incident reports; electronic medical/health record access control (audit trail) reports; and more. The benefit to patients initiating litigation related to professional negligence is that anything owned, created, or possessed by a provider that contains protected health information is subject to a HITECH request. On the other hand; in some personal injury matters, patients who do not limit the scope of their requests may see an unnecessary increase in legal expenses. A request that has an unlimited scope may result in a medical record that takes an attorney so much time to review and organize that the cost of those records outweighs the benefits to the case. 

Essential Language Required by Regulations

The essential language required by the regulations follows with a few in–text notes. Using this as an outline helped me develop a fully compliant medical record request for my work with attorneys and independently as a Nurse Patient Advocate. It is also important to consider this all from the provider’s perspective. Under the regulations, the provider is charged with ensuring that the requesting entity is, in fact, authorized to make the request. To address that concern in my independent practice, I have appended a Notarial Acknowledgement to the request to prove that the requester is the person claimed.

Where a personal representative is making the request, remember to include proof of standing (e.g. Letters Testamentary, Health Care Power of Attorney, birth and/or death certificates, or other supporting documents). Including these in the initial request avoids unnecessary delays and prevents a provider from claiming the delays are due to your errors instead of a failure to comply with the regulations.

As an aside, with recalcitrant covered entities, an aggressive third-party retrieval service can be an invaluable resource for law firms. This cut–out operator has the capacity to keep the law firm insulated from the retrieval process to decrease the risk of ill will if the matter moves to the point of substantive discussions.  It is my hope that this article will help my paralegal cohorts review requests to ensure their validity and save some time and frustration when retrieving medical records.

Elements of a Valid Request

In order to construct a valid request, the essential language must contain at least the following elements:

  1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. [Designated record set is the regulatory language found in 45 C.F.R. §164.508]
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. [The patient’s name or that of a personal representative]
  3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. [A legal person to whom the records are to be transmitted]
  4. A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. 
  5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. [I’ve thought about using “the end of life on Earth as we know it” but didn’t think the joke would go over very well.]
  6. Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided. (See 45 C.F.R. §164.508(c)(i-vi))

In addition to the information required above, the authorization must also contain statements adequate to place the individual on notice of all of the following:

  1. The individual’s right to revoke the authorization in writing, and either:
    (A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
    To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by §164.520, a reference to the covered entity’s notice.
  2. The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
    (A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
    (B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
  3. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.

An authorization is not valid, if the document submitted has any of the following defects: 

  1. The expiration date has passed or the expiration event is known by the covered entity to have occurred; 
  2. The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable; 
  3. The authorization is known by the covered entity to have been revoked; 
  4. The authorization violates paragraph (b)(3) or (4) of this section, if applicable; 
  5. Any material information in the authorization is known by the covered entity to be false. (See 45 C.F.R. §164.508(b)(2)(i-v))

It is never enough to think outside the box, we must remember that at the core of life, there IS no box. What box we endeavor to escape is of our own construct. Within those parameters, it is important to remember that the limits only apply until they are successfully challenged.

Martin Ginsburg graduated from Barry University in Miami Shores, FL with a Bachelor of Science in Nursing and licensure as a Registered Nurse. His clinical experience includes Medical/Cardiac critical (intensive) care, emergency department, home health, and nursing education. Ginsburg has worked in a major county hospital in South Florida as the facility began its intensivist program providing primary care in a critical care setting. In Raleigh, he worked in a community hospital, leaving behind the high-tech focus of South Florida for a setting that allowed much more patient interaction. Ginsburg has also worked as an adjunct clinical instructor and a nursing preceptor. Changing focus, Ginsburg later graduated from Meredith College’s ABA-approved Paralegal Studies Program and currently works as a paralegal nurse consultant. To read more about Martin Ginsburg, visit here. You may contact Martin Ginsburg at