Four Questions to Consider When Releasing Information to Attorneys

By Lisa A. Eramo, MA

Your hospital receives a release of information request from an attorney. What exactly can you charge to produce the record, and do fee limitations described in HIPAA apply? These limitations prohibit covered entities from charging patients anything but a reasonable cost-based fee that includes only certain labor, supplies, and postage costs associated with fulfilling the request.

This question has been a point of contention between healthcare attorneys and HIPAA-covered entities for quite some time. Hospitals and release of information (ROI) companies argue that fee limitations only apply to patients—not attorneys. Attorneys argue that they should also be subject to the fee limitations because they’re simply requesting information on behalf of their clients.

Unfortunately, new guidance from HHS seems to muddy the waters even further.

In particular, it states “where the third-party is forwarding—on behalf and at the direction of the individual—the individual’s access request for a covered entity to direct a copy of the individual’s PHI to the third-party, the fee limitations apply.” This same guidance also states that when a third-party initiates the request on his or her own, fee limitations (excluding state rates) DO NOT apply.

It’s a very nuanced distinction that seems to require covered entities to differentiate between ‘initiating’ and ‘forwarding’ when determining whether fee limitations apply, says Barry S. Herrin, CHPS, FAHIMA, Esq. of Herrin Health Law, P.C. in Atlanta. “The art in that is figuring out who actually wants the record,” he adds.

For example, consider an attorney representing the administrator of an estate. If a hospital denies the administrator a copy of the patient’s medical record, the attorney for the estate might forward that request urging the hospital to comply. In this case, the fee limitations apply because the attorney simply forwards the request for information that the administrator wants or needs, says Herrin.

Another example is when an attorney forwards a request as a matter of convenience for a client. For example, consider an attorney who forwards a mother’s request for copies of her child’s records. Again, fee limitations apply, he says.

Max Kennerly, Esq. of Kennerly Loutey, LLC, in Philadelphia says this new guidance, which doesn’t provide specific scenarios, seems to suggest that fee limitations should always apply to attorneys forwarding requests on behalf of their clients. “Whenever an attorney requests a client’s records as part of legal representation, the attorney is necessarily acting on behalf and at the direction of their client, so the fee limitations apply,” he adds.

He says providers and ROI companies perpetuate ongoing confusion by charging attorneys a higher rate—often exceeding $1,000 for an electronic copy of a record from a single hospitalization. “Many providers and medical records services have come to see patient records as a profit center, which is the exact problem the federal regulations were designed to fix,” he says.

Karen Gallagher Grant, RHIA, CHP, chief operating officer at Medical Record Associates (MRA), LLC, a company that provides ROI services throughout New England, says the fees that ROI companies and providers charge attorneys accurately reflect the multi-step process of producing a record. These fees also comply with the OCR guidance stating that fee limitations do not apply when an authorization accompanies a request.

“People think it’s a matter of pushing a button. Nobody wants to hear that it’s more complicated. It just takes time,” she says, adding that this time is often spent accessing legacy systems and reviewing documentation to avoid releasing sensitive information. Hybrid records pose an additional challenge because information is not conveniently stored in one central location.

“What’s driving all of this is that third-party requesters don’t want to pay,” says Amy Derlink, RHIA, CHA, vice president of disclosure management at MRA. “They’re trying to exercise the rights of individuals under HIPAA. They’re taking advantage of provisions in the rule. In the end, covered entities incur the labor costs of releasing protected health information in a world that’s heavily regulated to protect patient privacy,” she adds.

The same is true for ROI companies, many of which, in turn, pass those costs on to the hospitals with which they work, she adds.

Ultimately, covered entities must devise a consistent and compliant strategy for handling attorney requests for information so they can charge appropriately. Following are four questions to consider.

  1. Who signed the directive? Was it the attorney or the patient? Fee limitations apply when the patient specifically directs the request, says Derlink.
  2. Is it a patient request or a HIPAA authorization? If it’s an authorization rather than a right of access, no fee limitations apply, says Derlink. Covered entities are also not required to disclose the information, nor are they bound to a 30-day timeliness requirement.
  3. Does the patient ultimately need a certified copy of his or her record? Only certified records are admissible in court, says Herrin. Certification indicates that the custodian of the record has reviewed the information and attests that it’s a true and accurate copy. “It’s a very important distinction. If it’s not certified, nobody in court sees it,” he adds. With that said, many organizations won’t release a certified copy directly to the patient because they can’t guarantee the chain of custody throughout the litigation process. When a certified copy is required (e.g., for a court proceeding), the request must come directly from the attorney, in which case the fee limitations wouldn’t apply, Herrin asserts.
  4. What does the patient actually want? HIPAA regulations permit covered entities to ask patients about the need they’re trying to address by obtaining a copy of their medical record. Covered entities often discover that patients don’t personally want their records—they’re simply making the request on behalf of their attorney. “In this circumstance, it seems fair to charge the attorney the higher non-patient rate. It’s the difference between initiating and forwarding the request,” Herrin says.

HIM’s Responsibility

Ultimately, the protection of patient information should always be a priority, says Derlink. “As HIM professionals, our job is to protect the confidentiality of the patient,” she adds. This may require an extra step to determine what the patient truly wants—especially when the attorney initiates the request.

To read more about the new HHS guidance, visit


Lisa Eramo is a freelance writer and editor in Cranston, RI, who specializes in healthcare regulatory topics, health information management, and medical coding.

1 Comment

  1. I have been searching EVERYWHERE for clarification on #3- if an attorney “forwards a patient request” (that is obviously from the attny but they are trying to avoid records fees) and the attny requests on the cover page that the records be “certified pursuant to… etc” then what does the HITECH act say about this? Are we required to “certify” records requested by the patient? You state that many organizations “won’t” but is there any legal push back on this? Are we required to if “the patient” asks?
