
2023 HIPAA Privacy Rule Changes Will Impact Medical Record Retrieval

The Achilles’ heel for plaintiff litigation and personal injury cases is obtaining medical and billing records. Attorneys and the clients they serve wait too long, expend too much effort and pay too much for records, denying justice and delaying restoring an injured person’s life. Now for the good news: Changes to the HIPAA Privacy Rule in 2023 will address these issues. 

Jared Vishney

Before 1996, no uniform standard existed in the United States to obtain records. Many states and local governments had unique request requirements and fee schedules.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), outlining uniform rights and responsibilities for accessing, managing and securing protected health information (PHI). HIPAA was a significant step forward, but over time, deficiencies of HIPAA became apparent. Various congressional responses since then have aimed at alleviating some of these issues, the most recent of which was due this year, but has been delayed until March 2023.


Fundamental changes to the HIPAA Privacy Rule normalize the electronic health record definition, clarify privacy practices, provide transparency for access fees and reaffirm an individual’s access rights. Most importantly, a new section, §164.524(d), clearly describes the individual’s right to direct PHI in an electronic format to a third party and imposes a reasonable, cost-based fee for the record production. The section is critical for the legal community to get records from health care providers promptly and at a reasonable cost.

The access granted through §164.524(d) only applies to an electronic health record. The new definition covers the same scope as the “individually identified information” defined in §160.103. It removes previous ambiguity and includes everything about the individual’s past, present and future health care, provisioning of care, and all payments related to the individual’s care. However, if the information is not stored electronically, it will not be subject to the rule. In the event a provider still relies on paper records or has information stored outside the electronic health record system, access is granted with a standard third-party authorization form.

A health care provider may require a written request to access PHI. Still, it cannot create an unreasonable measure that impedes access to PHI. Requiring an individual to complete an extensive third-party authorization form in lieu of a proper individual right of access request is an unreasonable measure. Other unreasonable measures include requiring a notarization, only accepting paper submissions, only accepting in-person requests or only accepting requests through the provider’s online portal.

Under the new rule, a health care provider’s time to respond is reduced. Once it goes into effect, providers must act upon the request as soon as practical, but not later than 15 calendar days. However, providers are entitled to one 15-calendar-day extension if they explain the delay and commit to a response date. In other words, providers will not be able to drag out their reply for months. It will force health care providers to manage their release of information process and address inefficiencies.

The most significant change aligns the cost of electronic records with the effort required to produce an electronic copy. If an individual requests a copy of their records delivered to them electronically, the new rule dictates that the reasonable, cost-based fee is limited to labor. Even if a provider sends it to them on a CD through the postal service, the provider can only charge for the labor component. The provider cannot charge for the media, envelope, mailer, labels or other miscellaneous items.

The cost-based fee, limited to labor, will also apply to an electronic copy in an electronic health record directed to a third party. Providers and release of information vendors should not be profiteering by being PHI gatekeepers and charging hundreds or thousands of dollars for a PDF file.



Stop using third-party HIPAA Authorization forms. Authorizations issued under HIPAA 45 CFR §164.508 are permission slips that leave the provider in control and do not hold them accountable. The HIPAA Privacy Rule and most states’ revised statutes do not have a specific timeframe for a provider to respond, thus there is no recourse for noncompliance.

Start using an individual right of access request issued under HIPAA 45 CFR §164.508. It is a directive that puts attorneys in control of the process. The provider must release the information or respond to the access request within 30 calendar days. Non-compliance is a potential HIPAA Privacy Rule violation and is subject to an investigation, fines and penalties from the Office of Civil Rights (OCR).

There will always be some follow-up because providers do not always do what they are supposed to do. However, the law is on your side. Any conversation with a provider will no longer be about the request status but rather the potential HIPAA Privacy Rule violation and what the provider will do to fix it. It puts the responsibility for providing timely access to protected health information where it belongs — with the provider.

Until the final action for the HIPAA Privacy Rule modification is taken, consider using the individual right of access request. It will reduce the time and effort to get medical and billing records for your cases today and prepare you for the future.