Compliance Checklist: HITECH Act Allowable Fees Versus State Law Limits

Kevin Henry

HIPAA

July 24, 2024

Overview of HITECH Act Fee Regulations

Under HIPAA as amended by the HITECH Act, you must follow a reasonable, cost-based fee approach when an individual requests access to their own protected health information (PHI). This protected health information fee structure limits charges to the actual cost of fulfilling the request, not what the market will bear.

Allowable components in a cost-based fee calculation include only: labor for copying (paper or electronic), supplies for creating the copy (such as paper, CD, or USB), postage if mailing, and preparation of a summary or explanation if the individual specifically asks for it. You may not charge for searching, retrieving, verifying, maintaining systems, or other overhead.

When you maintain an electronic health record (EHR) and the individual requests an electronic copy, electronic health record copying fees must reflect the minimal labor needed to produce and transmit the file. Per‑page pricing for e‑copies is generally inconsistent with a cost-based method.

Be mindful of request type. The HIPAA Right of Access “patient rate” applies to requests made by the individual (including certain third‑party directions tied to EHR data). Other legal processes—such as subpoenas or insurer requests outside the Right of Access—may follow different fee rules, often informed by state law.

State Law Fee Limits and Variations

States commonly set explicit maximums for PHI copying fees—often per‑page rates for paper, fixed amounts for media, and separate charges for radiology images. Some states also address turnaround times, itemized invoices, and caps on retrieval fees.

These limits vary widely and may distinguish between requests from patients, attorneys, insurers, or government entities. Several states restrict or prohibit retrieval fees for patient access, while permitting them for other request types. Others provide lower maximums for electronic copies or require free portal downloads.

Because state regimes differ, you should map each facility’s jurisdictional rules and update that map regularly. Document whether a state schedule is more permissive or more restrictive than a federal cost-based approach for each request scenario.

Harmonizing Federal and State Fee Requirements

HIPAA preempts contrary state requirements unless a state rule is “more stringent” for privacy or individual access. In practice, you should apply the rule that results in the lower, more consumer‑protective charge when federal and state provisions conflict—a pragmatic way to handle federal-state fee preemption while honoring health information privacy regulations.

A practical decision path

  • Identify the requester and authority: patient Right of Access, third‑party directive tied to EHR, legal process, insurer, or other.
  • Identify the format: paper, electronic copy of EHR, other electronic PHI, images/films, or portal download.
  • Apply HIPAA/HITECH cost-based rules to patient access requests; exclude search/retrieval and general overhead.
  • Check the state schedule: per‑page caps, media fees, retrieval allowances, and any patient‑specific discounts or prohibitions.
  • Charge the lower result when rules conflict, and avoid per‑page pricing for e‑copies under Right of Access.

Cost-based fee calculation

  • Labor: only the time to copy and transmit (e.g., locate file, export, redact as required by law, and send via the chosen method).
  • Supplies: proportionate cost of paper, envelope, CD/USB, or other media actually used.
  • Postage: actual mailing or shipping cost if the individual chooses mail.
  • Optional summary: only if requested, at an agreed reasonable cost.

Documentation and transparency

  • Maintain written fee schedules for paper and e‑copies, including how you compute labor rates.
  • Publish plain‑language notices to patients about expected costs and free options (e.g., portal access where available).
  • Keep itemized invoices showing each cost-based element and the applicable legal basis.

Penalties for Non-Compliance with HITECH Act

Failure to follow the Right of Access fee rules can trigger federal enforcement. OCR has pursued audits, corrective action plans, and settlements under its Right of Access initiative. Non-compliance financial penalties follow a tiered civil monetary penalty framework that considers the level of culpability and corrective action.

Beyond fines, you risk mandated policy revisions, staff retraining, external monitoring, and reputational harm. Repeated violations or refusals to reduce unlawful charges can increase exposure under civil penalty enforcement mechanisms.

State Law Penalties and Enforcement

States may impose separate penalties for overcharging, unfair billing practices, or failure to honor patient access rights. Enforcement pathways include attorney general actions, health department sanctions, and, in some jurisdictions, private lawsuits seeking statutory damages and attorneys’ fees.

Professional licensing boards and consumer protection laws can also come into play. Align your practices so they satisfy both federal standards and any stricter state requirements to avoid stacked penalties.

Best Practices for Compliance with Fee Regulations

  • Create a unified policy that embeds the cost-based method, integrates state caps, and distinguishes request types.
  • Standardize workflows for e‑copies from EHR to minimize labor and reduce electronic health record copying fees.
  • Automate portal delivery when possible; default to electronic transmission unless the individual requests paper.
  • Train release-of-information staff on prohibited charges (search/retrieval, verification) versus allowable elements.
  • Vet business associates and vendors to ensure their invoices follow your protected health information fee structure.
  • Audit invoices quarterly, remediate outliers, and refund overcharges promptly.
  • Provide clear estimates upfront and offer no‑cost options where feasible.

Conclusion

To stay compliant, anchor every patient access request in a cost-based fee calculation, then overlay any stricter state caps. Document your logic, itemize charges, and prefer electronic delivery. This harmonized approach reduces risk, supports patient trust, and aligns with both HITECH and state requirements.

FAQs

What fees are allowable under the HITECH Act for PHI copies?

You may charge only for labor to copy and transmit the PHI, supplies actually used (paper, CD, USB), postage if mailing, and an optional summary if the individual requests it. You may not bill for search, retrieval, verification, or general overhead unrelated to copying.

How do state laws affect allowable PHI copying fees?

State schedules set maximums and sometimes ban retrieval fees for patient requests. If a state rule is more protective—such as a lower cap—it controls; otherwise, the HIPAA/HITECH cost-based standard governs. Always choose the approach that yields the lower, compliant charge for the specific request.

What penalties apply for non-compliance with HITECH Act fee regulations?

OCR can require corrective actions, levy tiered civil monetary penalties, and monitor future compliance. Persistent or willful violations increase exposure and can lead to settlements, audits, and reputational harm.

How can covered entities ensure compliance with both state and federal fee limits?

To ensure compliance, covered entities can use a decision tree: identify the requester and format, apply the cost-based method for patient access, compare to any state cap, and charge the lower amount. Maintain written policies, train staff, automate e‑copy delivery, and audit invoices regularly to prevent overcharges.
