HITECH Act 42 U.S.C. §17935(e) Explained: Electronic Access Requirements
Overview of HITECH Act Access Rights
Section 17935(e) of the HITECH Act strengthens HIPAA by giving you electronic access rights to your protected health information (PHI) when a covered entity uses or maintains an electronic health record (EHR) about you. In plain terms, if your provider or health plan keeps an EHR, you can obtain an electronic copy of your information and, if you choose, have it sent to someone else you designate.
These electronic access rights operate alongside HIPAA’s broader right of access to your designated record set (for example, medical and billing records maintained by or for the covered entity, excluding psychotherapy notes and information compiled for legal proceedings). Together, they help ensure timely, portable access to your electronic health records.
- Electronic copy: You can request an e-copy of PHI maintained in an EHR.
- Form and format: The copy should be provided in the electronic form and format you request, if readily producible, or in a readable alternative you agree to.
- Third-party direction: You may direct the covered entity to transmit your e-copy to a designated person or entity.
- Fee limitations: Any fee must be cost-based and limited to labor for copying and applicable supplies or postage.
- Timeliness: HIPAA’s right-of-access timelines apply to fulfilling electronic access requests.
Electronic Health Record Access Procedures
Covered entities should maintain clear, user-friendly procedures for electronic access. You should be able to submit a request electronically (such as through a patient portal or secure email), by mail, or in person, and you should not face unnecessary steps or in-person requirements when an electronic option is feasible.
- Intake and verification: Accept requests in writing (paper or electronic) and verify identity in a reasonable, non-burdensome way.
- Scope confirmation: Clarify the PHI sought (date ranges, specific documents, or data types) within the designated record set to avoid under- or over-disclosure.
- Form and format: Honor the requested electronic form and format if readily producible (for example, portal download, direct secure message, PDF, or machine-readable files); otherwise agree on a readable alternative.
- Transmission method: Send through the agreed secure method. If you request an unencrypted method after being advised of risks, the entity should honor your choice.
- Timeliness: Respond within HIPAA’s access timeframe (generally 30 days, with one permissible extension if documented).
- Coordination with vendors: If a business associate hosts the EHR, the covered entity must coordinate to fulfill the request; you should not be redirected to the vendor.
- Documentation: Record the request, the identity verification step, the form/format provided, the transmission method, and any fees charged.
Requirements for Request Clarity and Specificity
Clear requests help the covered entity meet your needs quickly and accurately. Request specificity requirements are especially important when you want a particular subset of records or a particular format or transmission method.
- Identify yourself and the recipient (if any) with sufficient detail to ensure the correct records go to the right place.
- Specify the scope (for example, “all lab results from January 1 to March 31” or “the full visit note for June 10”).
- State the desired electronic form and format (for example, PDF, CCD/C-CDA, or machine-readable data) and the preferred transmission method.
- Provide the complete destination details (such as a secure email address or endpoint) and a phone or email for follow-up questions.
- Sign the request if you are directing transmission to a third party; a written, signed request that clearly identifies the recipient and where to send the e-copy is required.
Specificity avoids delays, repeat requests, and accidental over-disclosure, and it helps ensure the production aligns with the designated record set and your electronic access rights.
Direct Transmission to Designated Recipients
Under 42 U.S.C. §17935(e), you may instruct a covered entity to transmit your electronic copy directly to a designated person or entity. Your direction must be in writing, signed, and clearly identify the intended recipient and the destination (for example, a secure email address or health information exchange endpoint).
This patient-directed transmission right is focused on PHI maintained in an electronic health record (EHR). When PHI lies outside the EHR, HIPAA’s broader access pathways still apply, but the mechanics may differ. Covered entities should not require a HIPAA authorization if your written, signed direction meets the statute’s conditions.
- Privacy and security: The entity should use a secure method when possible and document your preference if you choose a less secure option.
- Accuracy checks: Reasonable steps to confirm recipient details reduce misdirected transmissions.
- Scope control: Limit the disclosure to what you specify, consistent with the designated record set and your request.
Permissible Fees and Cost Limitations
Fee limitations are strict. Any fee for an electronic copy under §17935(e) must be reasonable and cost-based, limited to the covered entity’s labor for copying the PHI into the requested electronic form and format, plus the cost of electronic media (if provided) or postage (if mailed). If you ask for a summary or explanation, the entity may charge for preparing it, but only if you agree in advance.
Charges that are not tied to the act of copying and transmitting—such as retrieval fees, subscription or maintenance fees, or per-page fees for electronic copies—are not appropriate. The entity should calculate labor based on the actual time to locate (if needed), compile, and produce the e-copy in the requested format, not on a flat or punitive rate unrelated to the work performed.
- Allowed: Labor to generate the e-copy, reasonable cost of a USB or CD (if requested), and postage for mail.
- Not allowed: Fees for searching or retrieving records, gateway or portal access fees, or markups unrelated to copying labor.
- Transparency: Provide an itemized estimate on request and obtain your agreement if optional services (like summaries) involve extra cost.
Compliance Obligations for Covered Entities
Covered entity obligations include building processes that deliver fast, accurate, and secure access. Policies should be written, accessible to staff, and aligned with both §17935(e) and HIPAA’s right-of-access standards.
- Policies and training: Establish workflows for intake, identity verification, form/format handling, and third-party transmissions; train staff routinely.
- Deadlines and tracking: Monitor the 30-day HIPAA timeline, document any permitted extension, and proactively communicate status with requesters.
- Technology readiness: Ensure the EHR can produce commonly requested electronic formats and support direct transmission.
- Vendor management: Bake right-of-access requirements into business associate agreements and test fulfillment processes.
- Minimize barriers: Accept electronic requests, avoid unnecessary notarization or in-person demands, and provide multiple secure delivery options.
- Documentation and auditing: Keep records of requests, responses, and fees; periodically audit for timeliness, accuracy, and fee compliance.
Enforcement and Penalties
OCR enforces HIPAA and HITECH. Noncompliance with electronic access rights can trigger investigations, corrective action plans, resolution agreements, and tiered civil monetary penalties that escalate with the level of culpability and the persistence of violations. State attorneys general may also bring civil actions. While HIPAA does not create a private right of action, access failures can expose entities to complaints, oversight, and reputational harm.
Bottom line: §17935(e) requires covered entities to deliver timely, affordable electronic access to PHI stored in EHRs and to honor patient-directed transmissions. Clear requests, sound workflows, and strict fee limitations are the practical keys to compliance and patient trust.
FAQs
What types of information does 42 U.S.C. §17935(e) cover?
It covers your protected health information maintained by a covered entity in an electronic health record. In addition, HIPAA’s general right of access applies to your broader designated record set (such as medical and billing records), with standard exclusions like psychotherapy notes and information compiled for legal proceedings.
How must a covered entity respond to electronic access requests?
The entity must provide an electronic copy in the form and format you request if readily producible, or in a readable alternative you agree to. It must respond within HIPAA’s access timeframe (generally 30 days, with one documented extension when necessary) and use the agreed transmission method, taking reasonable steps to verify identity and protect privacy.
What fees are allowed under this provision?
Only reasonable, cost-based fees limited to labor for copying your PHI into the requested electronic format, plus the cost of electronic media (if provided) or postage (if mailed). Retrieval fees, subscription or portal access fees, and per-page charges for electronic copies are not appropriate. Any optional summary or explanation requires your prior agreement.
Can individuals direct their PHI to be sent to third parties?
Yes. You can direct the covered entity to transmit your electronic copy to a designated person or entity. Your request must be in writing, signed, and clearly identify the recipient and where to send the information. This direction applies to PHI maintained in an electronic health record; other HIPAA pathways may apply for PHI outside the EHR.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.