Best Practices for 42 U.S.C. 17935(e) HIPAA Right of Access
Right to Access Electronic Health Records
Scope and form of access
Under the HIPAA Privacy Rule (45 CFR 164.524), individuals have the right to access, inspect, and obtain copies of their Protected Health Information (PHI) contained in the designated record set, including Electronic Health Records. This generally covers medical and billing records used to make decisions about a person, but excludes psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Honor the individual’s preferred form and format when “readily producible.” Provide machine‑readable electronic copies (for example, PDF, text, or FHIR/CCD exports) when records are maintained electronically. Do not require in‑person pickup if a secure electronic option is available.
Identity verification without barriers
Use reasonable identity verification that does not create obstacles—such as portal authentication, knowledge‑based checks, or remote photo ID comparison. Avoid burdensome requirements like notarization or in‑person verification unless strictly necessary.
Security and transmission choices
Offer secure transmission methods by default. If an individual requests unencrypted email after being advised of risks, honor the request and document the individual’s direction. Do not withhold access due to unpaid bills or office policy conflicts.
Directing Transmission to Third Parties
Third‑party directives under 42 U.S.C. 17935(e)
Section 17935(e) of the HITECH Act allows individuals to direct that an electronic copy of their PHI in an EHR be transmitted to a designated third party, provided the individual’s choice is clear, conspicuous, and specific. Under the Privacy Rule the directive must be in writing, signed by the individual, and clearly identify the recipient and where to send the copy (such as a Direct address, secure API endpoint, or mailing address if on media); it should also state the specific information to be sent.
Operational safeguards
- Validate the request came from the individual (or personal representative) and that the destination details are complete and accurate.
- Use secure transport, such as Direct secure messaging or a certified API, when available. Document the date sent, method, and confirmation of successful delivery or any bounce/exception.
- Do not require the third party to submit an authorization when the request is properly patient‑directed; the individual’s directive is sufficient.
Fee Limitations for Access Requests
Reasonable, cost‑based fees only
Access Request Fees must be limited to a reasonable, cost‑based amount. You may include only: (1) labor for copying/creating the electronic copy, (2) supplies if physical media is requested (for example, USB drive), (3) postage if mailed, and (4) preparation of an agreed‑upon summary or explanation.
Prohibited charges
- No fees for search, retrieval, verification, records maintenance, or system access.
- No fees for using the patient portal to view, download, or transmit Protected Health Information (PHI).
- No “rush” or “handling” fees that are not tied to allowable labor or supplies.
Calculating fees transparently
- Actual cost: Calculate specific labor minutes for copying/transmission multiplied by a reasonable hourly rate, plus allowable supplies/postage.
- Average cost: Publish a schedule based on typical requests (for example, per‑request plus per‑gigabyte for exports) grounded in time‑motion studies.
- Flat fee (electronic copies of PHI maintained electronically): OCR’s 2016 access guidance permits a flat fee of up to $6.50, inclusive of all labor, supplies, and any postage, as a simple, conservative option.
Inform the individual of the approximate fee in advance, provide a clear, itemized estimate on request, and never make access contingent on an unpaid balance for other services.
Applicability of Fee Limits
When the cap applies—and when it does not
- Applies: Individual requests for copies of PHI for themselves, regardless of medium, including copies the individual asks to have sent to an address of their own.
- Third‑party directives under 42 U.S.C. 17935(e): HHS’s 2016 guidance extended the same fee cap to patient‑directed transmissions to third parties, but that extension was vacated in Ciox Health, LLC v. Azar (D.D.C. Jan. 2020), and OCR’s January 2020 notice states that the 45 CFR 164.524(c)(4) limits apply only to an individual’s request for their own records. Fees for third‑party directives must still be reasonable, disclosed in advance, and consistent with state law; applying the patient rate voluntarily is the conservative choice.
- Does not apply: Third parties requesting records on their own behalf with an authorization, subpoenas, or other legal process; in those cases, fees may follow other rules, subject to state law and HIPAA.
When both HIPAA and state law address fees, apply the more protective standard for individuals. Publish your fee policy and train staff to distinguish access requests from authorizations so the correct limits are applied consistently.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance with Timeliness Requirements
Meeting deadlines without extensions
Provide access as soon as possible and no later than 30 days from receipt of the request. If records are off‑site or with a Business Associate, begin retrieval immediately; the same 30‑day clock still applies to the covered entity.
Using the single allowable extension
If you cannot meet the 30‑day deadline, you may take one 30‑day extension by sending the individual a written notice before the initial deadline that explains the reason for delay and a new date. Use extensions sparingly and track them.
Process controls that help
- Centralize intake and triage by request type (self, third‑party directive, legal request).
- Automate workflows via the patient portal or API to reduce manual steps.
- Provide partial, rolling fulfillments when portions are ready, documenting what remains outstanding.
Use of Certified EHR Technology
Leverage certified capabilities
Certified EHR Technology supports HITECH Act compliance by enabling standardized exports and APIs for patient access. Use portal “view/download/transmit,” Direct secure messaging, and FHIR‑based APIs to deliver timely, machine‑readable PHI while maintaining audit trails.
Format and interoperability
Offer common formats that preserve clinical meaning and enable reuse—such as C‑CDA and FHIR resources—alongside human‑readable PDFs. Where practical, deliver discrete data and documents, not screenshots, to honor the individual’s form‑and‑format request.
Security and logging
Enable encryption in transit and at rest, maintain access logs, and routinely test export functions. Before serving an API request from a third‑party app, verify that the app’s access token was authorized by the individual, is bound to that individual’s record (not merely to a scope that could be replayed against other patient IDs), and grants only the read permissions the consent flow described; log every allowed and denied attempt.
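The check described above, as an added example written for this page rather than code from the original article or any EHR vendor. It assumes SMART App Launch conventions: the token’s `scope` claim is a space‑separated list such as `patient/Observation.read`, and its `patient` claim names the patient the individual authorized when approving the app. Signature verification is assumed to have happened upstream, so `claims` is an already‑verified claim set; the records and tokens are constructed sample data.

```python
"""Authorization and audit check for a patient-access FHIR-style API.

Added example, not code from the original page or any EHR product. Assumes
SMART App Launch style tokens ('scope' and 'patient' claims) whose signature
was already verified upstream. All records and tokens below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample designated-record-set content for two patients (not real PHI).
RECORDS = [
    {"resourceType": "Observation", "id": "obs-1", "subject": "p-100", "code": "8867-4"},
    {"resourceType": "Observation", "id": "obs-2", "subject": "p-200", "code": "8867-4"},
    {"resourceType": "Condition", "id": "cond-1", "subject": "p-100", "code": "I10"},
]

# Append-only audit trail of every export attempt, allowed or denied.
AUDIT_LOG: list = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _scope_permits_read(scopes: set, resource_type: str) -> bool:
    """Only patient-scoped read permissions count. 'user/...' scopes belong to
    clinician-facing apps and are deliberately not accepted for individual access."""
    return f"patient/{resource_type}.read" in scopes or "patient/*.read" in scopes


def authorize(claims: dict, resource_type: str, patient_id: str,
              now: Optional[datetime] = None) -> Decision:
    """Decide whether this token may read resource_type for patient_id."""
    now = now or datetime.now(timezone.utc)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or datetime.fromtimestamp(exp, timezone.utc) <= now:
        return Decision(False, "token expired or has no exp claim")
    # Bind the token to exactly one patient. Checking only the scope would let an
    # app authorized by one individual walk other patients' ids (an IDOR).
    if claims.get("patient") != patient_id:
        return Decision(False, "token is not bound to the requested patient")
    scopes = set(str(claims.get("scope", "")).split())
    if not _scope_permits_read(scopes, resource_type):
        return Decision(False, f"scope does not permit reading {resource_type}")
    return Decision(True, "ok")


def export_resources(claims: dict, resource_type: str, patient_id: str,
                     now: Optional[datetime] = None) -> list:
    """Return the patient's resources of one type, logging the attempt either way."""
    decision = authorize(claims, resource_type, patient_id, now)
    AUDIT_LOG.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "client_id": claims.get("client_id"),
        "patient": patient_id,
        "resourceType": resource_type,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    if not decision.allowed:
        raise PermissionError(decision.reason)
    # Filter on subject as well as type, so a bug elsewhere cannot leak another
    # patient's rows through this path.
    return [r for r in RECORDS
            if r["resourceType"] == resource_type and r["subject"] == patient_id]


if __name__ == "__main__":
    fixed_now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    # Constructed token: app-1 authorized by patient p-100 for Observations only.
    token = {"client_id": "app-1", "patient": "p-100",
             "scope": "patient/Observation.read", "exp": 4102444800}  # 2100-01-01 UTC
    print(export_resources(token, "Observation", "p-100", fixed_now))
    for attempt in [("Observation", "p-200"), ("Condition", "p-100")]:
        try:
            export_resources(token, *attempt, fixed_now)
        except PermissionError as err:
            print("denied:", err)
    print(len(AUDIT_LOG), "audit entries")
```

The two denials in the usage block are the cases worth testing in a real deployment: the same valid token used against a different patient ID, and a resource type outside the scope the individual approved. Both must be refused and both must appear in the audit log, since the log is what lets you later show which app pulled which records on whose authority.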
Business Associate Responsibilities
Contractual and direct obligations
Business Associates that create, receive, maintain, or transmit PHI must support the covered entity’s access obligations. BA Agreements should require timely retrieval and delivery of electronic copies, cooperation with Third‑Party Directives, and adherence to fee limitations the covered entity must follow for individual access.
Operational expectations
- Provide exports from systems they host or manage in the form and format requested when readily producible.
- Maintain audit logs and confirmation of transmissions to the covered entity or the designated third party.
- Implement safeguards to protect PHI during extraction and transfer, and notify the covered entity of any delivery failures immediately.
Conclusion
Putting individuals first means delivering Electronic Health Records quickly, in the format they want, at a reasonable, cost‑based price. By honoring Third‑Party Directives, applying Access Request Fees correctly, leveraging Certified EHR Technology, and coordinating with Business Associates, you satisfy the HIPAA Privacy Rule while meeting the letter and spirit of 42 U.S.C. 17935(e).
FAQs
What are the fee limitations under 42 U.S.C. 17935(e)?
Section 17935(e)(2) caps any fee for an electronic copy (or an agreed summary or explanation) at the covered entity’s labor costs in responding to the request. The Privacy Rule, 45 CFR 164.524(c)(4), spells out what may be charged: labor for copying, supplies for physical media, postage if mailed, and preparation of an agreed‑upon summary. For electronic copies delivered electronically, OCR’s 2016 guidance permits a flat fee of up to $6.50, which many providers adopt as a conservative approach. Search, retrieval, verification, and system maintenance costs are not permissible add‑ons.
How does the right of access apply to electronic health records?
When PHI is maintained in an EHR, individuals can obtain an electronic copy in the form and format they request if readily producible, or in a mutually agreeable electronic format. They may receive it directly or direct the covered entity to send it to a third party, consistent with 42 U.S.C. 17935(e) and the HIPAA Privacy Rule.
Can individuals direct transmission of their PHI to third parties?
Yes. An individual may instruct the covered entity to transmit an electronic copy of PHI in an EHR to a designated third party; the statute requires that choice to be clear, conspicuous, and specific, and the Privacy Rule requires a signed, written directive that identifies the recipient and destination. The covered entity must act on the request within the same 30‑day timeline that governs individual access. Since Ciox Health v. Azar (2020) and OCR’s follow‑on notice, however, the Privacy Rule’s fee cap applies only to copies provided to the individual, so fees for third‑party directives must be set and disclosed separately, subject to state law.
What are the timeliness requirements for providing access to PHI under HIPAA?
Covered entities must provide access as soon as possible and within 30 days of receiving the request. If an extension is necessary, they may take one additional 30 days by informing the individual in writing before the initial deadline, explaining the reason for delay and providing a new completion date.