Understanding HIPAA, patient privacy laws, and medical records requests

As a Houston, Texas medical malpractice lawyer, my office deals with medical records constantly. In doing so, we deal with the federal HIPAA law every day.

HIPAA is a short name for the Health Insurance Portability and Accountability Act of 1996. It became law in a period when electronic information was still emerging, and was aimed at ensuring patient privacy. The law defines covered entities, which include healthcare providers like hospitals and doctors, and requires them to implement privacy standards and security standards for “protected health information.”

Overall, I believe that HIPAA is a good law that helps maintain the confidentiality of our personal protected health information. From time to time, patients and family members call our office because they are angry about an improper disclosure of their protected health information. Often, they want to sue the hospital or doctor’s office who they believe violated HIPAA.

Unfortunately, the HIPAA statute does not create a private federal cause of action for patients, which means that they cannot file a lawsuit. I recommend that patients file a complaint about a potential HIPAA violation with the U.S. Department of Health & Human Services.

Some states, though not Texas, have been moving toward recognizing the federal HIPAA law as the relevant standard of care for state law breach of privacy claims. The Connecticut Supreme Court has actually declared that HIPAA establishes the standard of care, while nine other states have considered HIPAA in evaluating the standard of care.

HIPAA and medical records

One of the other ways that HIPAA comes up in our practice is medical records requests. Since HIPAA became law, healthcare providers have been required to obtain a medical records authorization from patients or their representatives, before releasing medical records.

While this is a good practice that minimizes the risk of accidental disclosure, hospitals and offices vary in their requirements for such authorizations.

We have encountered some Houston-area hospitals that have refused proper records requests because the patient signature on the authorization does not, in the hospital’s opinion, adequately match the patient signature found within the hospital’s medical records.

Other facilities insist on having a patient or representative use the hospital’s own HIPAA-compliant medical records authorization form.

When it comes to a deceased patient, hospitals widely vary in terms of whom they will accept as a representative for the purpose of signing a medical records request.

While I believe that all of these roadblocks are unreasonable and could be challenged, I generally think the better and more time-conscious approach, whenever possible, is to accommodate the facility requests.

New laws and medical records

Many of our clients and potential clients expressed frustration and dismay at the cost and length of time it takes to obtain their medical records.

There are two relatively new laws that we have found helpful, when it comes to medical records requests.

The federal HITECH Act, which is short for the Health Information Technology for Economic and Clinical Health Act of 2009, caps the excessive fees that some healthcare providers attempt to charge for providing medical records. Under this law, covered entities may charge a flat fee of up to $6.50, or use other options that are based on actual allowable costs. Using this law, we challenged a medical records invoice from a suburban Houston hospital that was over $3,000, and got it reduced to $6.50.

In terms of timing, Texas House Bill 300, which is codified at Texas Health & Safety Code chapter 181, imposes a 15-day deadline for producing medical records in response to a patient request. If the healthcare provider has electronic medical records that are capable of fulfilling the records request, then they must be produced within 15 days of receiving the request, in electronic format, unless the patient agrees to another form.

We are here to help

At Painter Law Firm, in Houston, Texas, we understand medical records because we represent patients and family members in medical malpractice and wrongful death actions. For a free evaluation of your potential case, call us at 281-580-8800.

Additional resources

Painter Law Firm's HITECH Act medical records form letter

U.S. Department of Health & Human Services support letter


Robert Painter is an attorney at Painter Law Firm, in Houston, Texas. He is a former hospital administrator who represents patients and family members in medical malpractice and wrongful death lawsuits against hospitals and physicians.
