42 U.S.C. 17935(e) Checklist: Electronic Copies, Third-Party Designees, Fees

Individual's Right to Electronic Copies

When a covered entity uses or maintains an electronic health record (EHR), 42 U.S.C. 17935(e) guarantees an individual the right to receive an electronic copy of their protected health information. HIPAA’s access rule at 45 C.F.R. § 164.524 governs how you fulfill that request, including timing, form, and format. Practically, this is the core of health information access for electronic health information held in an EHR.

Checklist

• Confirm you are a covered entity and the request targets PHI maintained in an EHR or other electronic system.
• Accept written or electronic requests without creating barriers; verify identity in a reasonable, nondisruptive way.
• Provide the copy in the electronic form and format requested if readily producible; otherwise, provide a readable alternative the individual agrees to.
• Meet the 30-day deadline (with one additional 30-day extension if you give written notice explaining the delay).
• Document fulfillment, including what was provided, the format, and the date sent.

Directing Copies to Third Parties

Under 42 U.S.C. 17935(e)(1), an individual may choose to have an electronic copy sent directly to another person or entity. This third-party designation must be clear, conspicuous, and specific. HIPAA also requires the request to be in writing, signed by the individual, and to identify the designee and destination (45 C.F.R. § 164.524(c)(3)(ii)).

Following a 2020 federal court decision and subsequent HHS notice, the HIPAA-required third-party directive applies where the request is for an electronic copy of PHI in an EHR. Requests outside that scope (for example, non‑EHR materials) may be handled under other HIPAA permissions (such as an authorization) or organization policy.

Checklist

• Obtain a written, signed third-party designation that clearly names the recipient and delivery address or endpoint.
• Confirm the request involves an electronic copy from an EHR to fall squarely within 42 U.S.C. 17935(e).
• Transmit using a secure, agreed method; note the date, method, and recipient in your records.
• If the request targets information outside the EHR scope, determine the proper pathway (e.g., HIPAA authorization) before sending.

Fee Limitations for Electronic Copies

Two fee frameworks may apply. First, HIPAA allows only a reasonable, cost‑based fee limited to specific elements when individuals request copies (45 C.F.R. § 164.524(c)(4)). Second, for electronic copies provided from an EHR under 42 U.S.C. 17935(e)(3), any fee may not exceed the entity’s labor costs in responding—often referred to as a labor cost fee cap.

What you may charge (personal requests)

• Labor for copying (paper or electronic) and, if requested and agreed, labor to prepare a summary or explanation.
• Supplies for creating the copy (e.g., paper, CD, USB) and postage if mailed.
• No search, retrieval, verification, infrastructure, or archival fees. Per‑page fees are not appropriate for electronic copies.
• Optional: a flat fee not exceeding $6.50 for electronic copies of PHI maintained electronically (when you prefer not to calculate actual or average allowable costs).

Additional constraint for EHR electronic copies

• When fulfilling an electronic copy from an EHR under 42 U.S.C. 17935(e), the total fee must not be greater than your labor cost to respond.

Third-party designations and fees

• HIPAA’s “patient rate” cost-based fee limits do not apply to an individual’s directive to send records to a third party. Apply the EHR labor-cost cap when providing the copy to the individual; use appropriate, lawful pricing for third‑party transmissions consistent with current rules and organizational policy.

Applicability to Business Associates

A business associate may be tasked—by contract—to produce electronic copies to the covered entity, to the individual, or to an individual’s designee so the covered entity can satisfy its access obligations. Business associates are directly liable for certain HIPAA violations and must support timely, secure fulfillment. At the same time, HIPAA’s fee‑limit enforcement remains the covered entity’s responsibility when a business associate performs access services on its behalf.

Checklist

• Ensure the business associate agreement (BAA) requires the business associate to produce electronic PHI in the requested form and format and to transmit to an individual’s designee when directed under the BAA.
• Track and enforce access timelines; require logging of what was sent, to whom, when, and how.
• Clarify in the BAA how fees will be calculated and billed so the covered entity’s obligations under 45 C.F.R. § 164.524 and 42 U.S.C. 17935(e) are met.
• Require appropriate safeguards for all transmissions and maintain auditable records of fulfillment.

Regulatory References

• 42 U.S.C. 17935(e) (HITECH): Right to electronic copies from an EHR; third‑party designation; labor cost fees.
• 45 C.F.R. § 164.524: HIPAA right of access—scope, timing, form and format, third‑party request elements, and reasonable, cost‑based fees.
• HHS OCR notice (January 28, 2020) reflecting Ciox Health, LLC v. Azar: third‑party directive limited to EHR electronic copies; HIPAA’s cost‑based fee limit applies to the individual’s own access request.

Conclusion

To comply with 42 U.S.C. 17935(e), deliver electronic copies from the EHR promptly, honor clear third‑party designations for EHR data, and price copies within the applicable limits—HIPAA’s cost‑based framework for individual requests and the labor‑cost cap for EHR electronic copies. Align your business associate processes and BAAs so every access pathway works smoothly, securely, and on time.

FAQs

What rights do individuals have to electronic copies under 42 U.S.C. 17935(e)?

Individuals have the right to obtain an electronic copy of their PHI maintained in a covered entity’s EHR and to receive it in the requested electronic form and format if readily producible. HIPAA’s access rule (45 C.F.R. § 164.524) supplies the timing and procedural details, including the 30‑day deadline (with one permissible 30‑day extension).

How can individuals direct copies to third parties?

They submit a written, signed request that clearly identifies the third‑party designee and where to send the information. The HIPAA‑required third‑party directive applies to electronic copies from an EHR. Requests outside the EHR‑electronic scope may be handled under other HIPAA permissions (for example, via authorization) or organizational policy.

What fees are permissible for electronic copies?

For an individual’s own request, HIPAA permits only a reasonable, cost‑based fee limited to copying labor, supplies, postage (if mailed), and, if requested and agreed, labor to prepare a summary or explanation. For electronic copies from an EHR under 42 U.S.C. 17935(e), any fee must not exceed the entity’s labor costs. The HIPAA “patient rate” fee cap does not apply to an individual’s directive to send records to a third party. Per‑page fees and search/retrieval charges are not appropriate for electronic copies.

Are business associates required to comply with these provisions?

Yes, as specified in the business associate agreement. Business associates must provide electronic PHI to the covered entity, the individual, or the individual’s designee when the BAA requires it, support the 30‑day timeline, and safeguard transmissions. While a business associate may perform the service, the covered entity remains responsible for ensuring any fees charged for access comply with 45 C.F.R. § 164.524 and the labor‑cost limitations tied to EHR electronic copies under 42 U.S.C. 17935(e).