• Obtaining Medical Records for Litigation
    Author Name (1) 12/12/12 Company Link
  • BA Contracts Between Covered Entities
    Author Name (2) 12/12/12 Company Link
  • Ransomware & Protected Health Information

    Imagine this. You arrive at your healthcare practice ready to start the day. Before your first appointment, you turn on your computer expecting to answer a few emails. But instead of the icons that usually dot your desktop... Read more

    By Roman Diaz 12/2/15
  • Why an Audit Trail is Important

    According to Fundamentals of Law for Health Informatics and Information Management, an audit trail is basically a "...record that shows who has accessed a computer system, when it was accessed, and what operations were performed." Read more

    By Roman Diaz 06/11/15
  • Is Texting Allowed by HIPAA?

    HIPAA compliance doesn't expressly require the use or avoidance of any specific modes of communication. In fact, the law doesn't even mention texting PHI! Read more

    By Roman Diaz 12/2/15

Obtaining Medical Records

Karen Darnall, Feb '16, CITATIONS is the official publication of the Ventura County Bar Association

If medical facts are important to your case, it is important to grab the right end of the stick. A person can access medical records or agree to disclose them. You should also consider differences between HIPAA and California law.

HIPAA requires "...appropriate sanctions against workforce members who fail to comply with the security policies and procedures

Business Records

The subpoena is a way to compel disclosures of medical information. Medical records are business records and "personal records" under CCP § 1985.3. The request must be relevant to the lawsuit, and the subpoenaing party must send a "notice to consumer" to allow the individual an opportunity to protect him or herself.

The subpoena is a blunt instrument. HIPAA gives patients the right to request "restrictions" for highly sensitive records but the provider does not have to agree. When the subpoena arrives, everything will be copied unless the patient gets a protective order.

PAHRA Access

The Patient Access to Health Records Act (PAHRA) allows patients to access their own records—and quickly. California law provides the right of "…inspection during business hours within five working days…" After costs are paid, the provider must "…ensure that the copies are transmitted within 15 days..." Moreover, the patient may be "…accompanied by one other person of his or her choosing." (H&S C. § 123110)

HIPAA allows providers up to 30 days to respond to patient requests. But California's 5-day-rule provides "greater rights of access" and is more "stringent" and therefore, state law is not preempted by HIPAA.

PAHRA does not require any particular form of writing. If the patient wants to inspect every record, they should ask for the "designated record set" defined by HIPAA. (42 CFR §§ 164.501, 164.524(c))

CMIA Disclosures

California's Confidentiality of Medical Information Act (CMIA) was enacted in 1981 to regulate medical practitioners and insurance companies. CMIA was a prototype for HIPAA in 2002. The original HIPAA rule required providers to obtain written consents pertaining to "protected health information." This turned out to be a bad idea. Consequently, HIPAA adopted CMIA's "permitted" use classifications and deleted the consent requirement.

The CMIA authorization is for disclosing records. (Civil Code § 56.11) It diverges from HIPAA by requiring a specific date (not an event) for terminating the authorization. It also allows handwriting. When the authorization is printed, it must have"…typeface no smaller than 14-point type."

It is important to note: Workers compensation is exempt from HIPAA (but not CMIA).

Evidence Code § 1158 (revised)

California lawyers can obtain medical records by writing a letter and submitting the client's signed authorization by mail. The Legislature amended Section 1158 last year and removed a major headache for lawyers. Some providers would refuse the attorney's authorization and required the patient to sign the provider's authorization. The extra step caused significant delay. The law now requires medical providers to accept the statutory form.

Section 1158 also has teeth. If the medical provider fails to make records available, the attorney can get an OSC for non-production of records. The enforcement statute CCP § 1985.7 provides, "The court shall impose monetary sanctions pursuant to Section 1158 unless it finds…the imposition of the sanction unjust."

Electronic Records

HIPAA was modified in 2013, to give patients access to electronic medical records (EHRs). But the regulation is short on details. It says, the provider must send "…a readable hard copy form or such other form and format as agreed to by the covered entity and the individual."

HIPAA requires "...appropriate sanctions against workforce members who fail to comply with the security policies and procedures

EHR technology is evolving and gaps are yet to be filled. Neither CMIA nor PAHRA mentions electronic records. The Evidence Code mentions records "maintained electronically" but provides no standards for transferring data. As said by rule makers in 2012, HIPAA does not require providers to scan paper documents. Providers should also reject portable media brought by patients (particularly flash drives) due to security risks. (78 FR 5633)

Patient Representatives

HIPAA recently made it easier for caregivers to get copies of records. A patient can ask the provider to send copies of medical records to anyone they want. The request must "…clearly identify the designated person and where to send…" the records. Strictly speaking, the written request is for access —not disclosure. But most providers use the same form for both purposes.

According to HIPAA, the authorization form must include "…a description of such representative's authority to act for the individual." State law determines who may act as the surrogate.

If a child is old enough to consent to a particular medical procedure, he or she can prevent parents from seeing their records. The Family Code grants minors the right to make certain health care decisions for themselves

If an elderly patient lacks capacity to make healthcare decisions, the personal representative could be a family member or friend, or the person named in the Advance Directive. If the patient is placed in a facility, the attending physician must determine who has legal authority by interviewing the patient, reviewing records, consulting nurses and talking to family members. (H&S Code § 1418.8)


Cost reimbursement can be a sticking point. HIPAA allows providers to charge "…reasonable, cost-based fees…" California has conflicting standards. The Evidence Code allows 10 cents per page and $16 per hour for clerical costs—yet PAHRA allows 25 cents for letter-size documents and "reasonable clerical costs."

A provider could actually make $25 per minute with a 100-page/minute scanner. But a rate that is not "cost-based" would be preempted by HIPAA's "reasonable" standard.

Use the Right Stick

If no lawsuit is pending, access is the easiest way to get medical records. Use the provider's form. Ask for an estimate and explanation of charges. If your client has special privacy concerns, use Evidence Code § 1158 and request "all" records. Send a professional copyist to the provider's office. Review records carefully before you file the complaint.

Search Our Site

    © Darnall Law Office 2015