Fee-for-Service HIPAA Compliance: What Providers Need to Know

Operating in a fee-for-service environment means you rely on efficient, compliant workflows. When patients request access to their records, you must calculate and disclose fees that meet the HIPAA Privacy Rule while supporting operational sustainability.

This guide clarifies what Covered Entities may charge, how to structure a Reasonable Cost-Based Fee, and how state rules intersect with federal requirements for Protected Health Information (PHI).

Fee-for-Service Payment Model Overview

In fee-for-service (FFS), you are paid for each discrete service you provide. That transaction-heavy model touches your medical records processes, because patient access requests and record fulfillment create labor and cost you must manage carefully.

HIPAA does not change your FFS reimbursement, but it does control what you may charge patients for copies of their PHI. Understanding where PHI access work fits in your revenue cycle helps you budget staff time, choose efficient delivery channels, and avoid noncompliant fees.

HIPAA Privacy Rule Fee Regulations

The HIPAA Privacy Rule gives individuals a right to access, inspect, and obtain copies of their PHI. You may charge only a Reasonable Cost-Based Fee for fulfilling those requests, limited to specific, itemized components tied to making and transmitting the copy.

Key principles you must follow as a Covered Entity include: charge only for PHI Copying Labor, supplies for the format requested, and postage when mailing. Do not charge for record retrieval, verification, documentation, storage, or maintaining a patient portal. Per-page fees are not permitted for ePHI.

You may calculate fees using one of three methods: actual cost for the specific request, a schedule of average costs supported by time studies, or the HIPAA Fee Flat Rate option for eligible electronic deliveries described below.

Permissible Fee Components and Limits

What you may include

• PHI Copying Labor: time spent creating and transmitting the copy (locating within the designated record set, exporting from the EHR, scanning paper to electronic, converting file types, attaching to secure email, or uploading to a portal at the patient’s request).
• Supplies: paper and toner for printed copies; or the actual cost of portable media (e.g., CD, DVD, or USB) if the patient specifically requests that medium.
• Postage: actual mailing cost when the patient asks for mailed copies.

What you must exclude

• Search, retrieval, verification, and “chart pull” fees.
• Costs to maintain systems, portals, licenses, subscriptions, or EHR infrastructure.
• Per-page charges for electronic records (ePHI), regardless of record length.

For paper or film records, any per-page charge must reflect your true copying labor and supply costs and may not exceed applicable State Fee Authorization caps when those caps are more protective of the patient.

Flat Fee Option for Electronic PHI Copies

The HIPAA Fee Flat Rate allows you to charge a single flat amount of up to $6.50 when: (1) the individual requests an electronic copy, (2) the PHI is maintained electronically, and (3) you deliver it electronically (for example, secure email, portal download upon request, or a secure app).

Use this option only for individual access requests delivered electronically. It does not apply to paper copies, to deliveries on physical media, or to third-party requests that fall outside the HIPAA right of access workflow. You may always choose to charge less than $6.50 or use actual/average-cost methods if they yield a lower, supportable total.

State Fee Schedule Compliance

State laws may set specific caps or schedules for medical record copy fees. When state and federal rules differ, follow the rule that is more protective of the individual’s access rights. In practice, that means HIPAA’s limitations control if a state permits higher charges, while a lower state maximum can function as your ceiling.

For ePHI, HIPAA preempts any state framework that would permit per-page pricing. For paper copies or film, check your State Fee Authorization statutes and fee schedules, but still ensure your charges reflect a Reasonable Cost-Based Fee rather than defaulting automatically to a higher state maximum.

Calculating Reasonable Fees

Step-by-step method

1. Classify the request: individual access vs. other (e.g., attorney, insurer). The HIPAA right of access fee limits apply to the individual’s request.
2. Select a calculation method: actual cost, an average-cost fee schedule supported by time studies, or the flat fee (for eligible ePHI delivered electronically).
3. Itemize PHI Copying Labor: record the tasks performed and minutes spent; multiply by a reasonable, supportable labor rate for the staff performing the work.
4. Add supplies: paper/toner or the actual unit cost of requested media (CD/DVD/USB). For pure electronic delivery, supply cost is typically $0.
5. Add postage only when the patient asks for mailed delivery, using the actual postage amount.
6. Verify exclusions: remove any retrieval, verification, or system maintenance charges.
7. Disclose the fee in advance upon request, and provide an itemized invoice on delivery.

Worked examples

• Electronic delivery from EHR to secure email: 8 minutes of PHI Copying Labor at your documented rate + $0 supplies + $0 postage. If your calculated total is $4.80, you may charge $4.80, or you may elect the HIPAA Fee Flat Rate (≤ $6.50) if you use that method consistently.
• Paper copy, 25 pages mailed: 10 minutes of PHI Copying Labor + paper/toner at your actual per-page supply rate + actual postage. Ensure the total aligns with any applicable state cap if the cap is lower than your calculation.

Documentation and Compliance Best Practices

• Maintain written policies describing your Reasonable Cost-Based Fee, including when you use actual cost, average-cost schedules, or the flat fee for electronic copies.
• Build an auditable fee schedule using time studies for common request types and delivery methods; refresh it periodically as workflows or staffing change.
• Provide patients with advance notice of fees on request and itemized receipts that clearly label PHI Copying Labor, supplies, and postage.
• Train front-desk, HIM, billing, and compliance staff to avoid unallowable fees (e.g., search/retrieval) and to escalate unusual scenarios.
• Standardize secure, low-cost electronic delivery channels to reduce labor and supply expenses while improving turnaround times.
• Retain Compliance Documentation (policies, time studies, invoices, patient communications) for your records retention period and during any audit.

Conclusion

In a fee-for-service setting, aligning HIPAA right-of-access fees with precise labor, supply, and postage costs protects patients and reduces compliance risk. Use electronic delivery when possible, document your methodology, and apply the most patient-protective rule when state and federal requirements differ.

FAQs

What fees can providers charge under HIPAA for PHI copies?

You may charge only a Reasonable Cost-Based Fee covering PHI Copying Labor, supplies for the requested format (paper or requested media), and postage when mailing. You may not bill for retrieval, verification, storage, portal maintenance, or other overhead unrelated to making and sending the copy.

How does the flat fee option work for electronic PHI?

If the individual requests an electronic copy of PHI that you maintain electronically and you deliver it electronically, you may charge a single flat fee not to exceed $6.50. This is optional; you can instead use actual or average-cost methods when they produce a lower, supportable amount.

Are search and retrieval costs billable under HIPAA?

No. HIPAA prohibits charging for search, retrieval, verification, or similar activities. Your fee must be limited to copying labor, applicable supplies, and postage when requested by the patient.

How should providers document fees to ensure HIPAA compliance?

Create written policies, keep time studies supporting your average-cost schedule, record actual labor minutes for outlier requests, and issue itemized invoices. Retain Compliance Documentation—policies, calculations, and receipts—to demonstrate that each charge reflects a Reasonable Cost-Based Fee.