HITECH Act Allowable Fees for Patient Access: Requirements, Limits, and Examples

HITECH Act Fee Caps

Under the HIPAA Privacy Rule, as strengthened by the HITECH Act, you may charge patients only a reasonable, cost‑based fee to access their own Protected Health Information (PHI). This cap limits charges to specific, allowable components so patient access fee limitations do not become a barrier to care or records portability. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2024/may-a-covered-entity-charge-individuals-a-fee/index.html?utm_source=openai))

The cap is not a single dollar amount for every request. For electronic record copy fees, per‑page charges are not permitted when the PHI is maintained electronically, even if you produce a paper copy. And while many organizations choose a standard approach, the Privacy Rule lets you select the calculation method that fits each request—so long as the result stays within the allowable components. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2029/how-can-covered-entities-calculate-the-limited-fee/index.html?utm_source=openai))

Examples

• Emailing an electronic copy already in your EHR: 5 minutes of clerical labor at $20/hour ($1.67) with no supplies or postage.
• Mailing a paper copy printed from an EHR: 8 minutes at $18/hour ($2.40) plus paper/toner ($0.25) and postage ($1.35) for a total of $4.00. No search/retrieval fees may be added.

Flat Fee Options

For requests for an electronic copy of Protected Health Information (PHI) that you maintain electronically, you may charge a flat fee of up to $6.50 per request. This flat fee must include all labor, supplies, and postage; you cannot add surcharges on top. Importantly, $6.50 is not a universal cap—it is an optional safe harbor you may use instead of calculating actual or average costs. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2030/is-650-the-maximum-amount-that-can-be-charged/index.html?utm_source=openai))

If a request is unusual (for example, requiring uncommon file conversions), you may switch from the flat‑fee approach to calculating actual costs for that request, provided the costs are reasonable and limited to the permitted categories. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2030/is-650-the-maximum-amount-that-can-be-charged/index.html?utm_source=openai))

Example

• Patient requests a standard PDF via secure email: you may simply charge the $6.50 flat fee instead of itemizing labor.

Reasonable Cost-Based Fees

You can calculate the patient’s charge using one of three approaches: (1) actual cost for that request, (2) a schedule of average costs for common request types, or (3) the optional $6.50 flat fee for electronic copies of PHI maintained electronically. Whichever you choose, include only allowable copying labor, supplies (if any), and postage (if mailed). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2029/how-can-covered-entities-calculate-the-limited-fee/index.html?utm_source=openai))

Labor cost calculation for PHI

• Actual costs: time the copying/transmission steps and multiply by a reasonable hourly rate for the staff performing them; add any necessary supplies or postage. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2024/may-a-covered-entity-charge-individuals-a-fee/index.html?utm_source=openai))
• Average‑cost schedule: publish typical labor amounts for standard scenarios (e.g., portal download, encrypted email, mailed paper). Avoid per‑page rates for PHI maintained electronically. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2029/how-can-covered-entities-calculate-the-limited-fee/index.html?utm_source=openai))

Practical examples

• Portal “view, download, transmit” access using certified EHR technology: no labor or supply costs apply, so no fee should be charged to fulfill the access request via that functionality. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2026/may-a-covered-health-care-provider-charge-a-fee-under-hipaa/index.html?utm_source=openai))
• Encrypted email of 50 pages exported from the EHR: 7 minutes at $19/hour ($2.22) + $0 supplies + $0 postage = $2.22.
• USB drive because the patient specifically requests it: 9 minutes at $19/hour ($2.85) + $3.00 USB + $0 postage = $5.85.

Excluded Costs in Fee Calculations

Protected Health Information fee regulation expressly bars passing certain expenses to patients. You may not charge for verification, documentation, search/retrieval, maintaining systems, data storage, EHR licenses, capital costs, or other overhead. These exclusions apply even if state law authorizes such charges. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2024/may-a-covered-entity-charge-individuals-a-fee/index.html?utm_source=openai))

• No “retrieval” or “chart pull” fees.
• No technology or infrastructure surcharges (e.g., portal subscriptions, EHR maintenance).
• No per‑page fees for PHI maintained electronically (paper per‑page rates may apply only when the records are maintained on paper). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2029/how-can-covered-entities-calculate-the-limited-fee/index.html?utm_source=openai))

State Law Fee Considerations

State fee schedules do not override HIPAA. You may follow state‑authorized rates only when the charges are the same types of costs HIPAA permits and remain reasonable. Many states’ per‑page schedules are outdated for electronic workflows and, if applied to ePHI, would be unreasonable under HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2031/are-costs-authorized-by-state-fee-schedules-permitted/index.html?utm_source=openai))

Example

• If state law allows $0.75/page, but the patient requests an electronic copy of ePHI, you must use a HIPAA‑compliant method (actual cost, average cost schedule, or the $6.50 flat fee). Per‑page pricing would not be appropriate for ePHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2029/how-can-covered-entities-calculate-the-limited-fee/index.html?utm_source=openai))

Third-Party Request Fee Exceptions

Different rules apply when records go to a third party. Following the Ciox v. Azar decision, the HIPAA “patient rate” fee limitation applies only when the individual requests access to their own records. It does not apply when an individual asks you to transmit records to a third party, nor to requests made directly by third parties with a valid authorization. In these cases, fees are generally governed by other law (often state law) or contract. ([hhs.gov](https://www.hhs.gov/hipaa/court-order-right-of-access/index.html?utm_source=openai))

Examples

• Patient asks you to send an EHR export to their attorney: the HIPAA patient‑rate cap does not apply; charge according to applicable state law or agreement.
• Patient requests the same records for personal use via email: apply the HIPAA patient‑rate rules (e.g., actual cost or the $6.50 flat fee option for ePHI). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2030/is-650-the-maximum-amount-that-can-be-charged/index.html?utm_source=openai))

Fee Transparency and Compliance

Advance fee notice is a compliance requirement: when you intend to charge an access fee, you must inform the individual up front of the approximate amount and how it may vary by format or delivery. On request, provide an itemized breakdown of labor, supplies, and postage, and consider making an approximate fee schedule readily available. These fee notification requirements reduce disputes and support HIPAA compliance enforcement. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2028/must-a-covered-entity-inform-individuals-in-advance/index.html?utm_source=openai))

OCR has repeatedly enforced the Right of Access, including cases with settlements tied to delays and unreasonable practices. Notable examples include settlements with Banner Health ($200,000), Sharp Rees‑Stealy Medical Centers ($70,000), Village Plastic Surgery ($30,000), and St. Joseph’s Hospital and Medical Center ($160,000), underscoring that access obligations—timeliness, format, and fees—are active enforcement priorities. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner/index.html?utm_source=openai))

Key takeaway: build a simple, posted fee schedule; use actual or average labor for electronic requests; reserve the $6.50 flat fee for straightforward ePHI deliveries; and never include prohibited costs. Doing so keeps fees lawful, predictable, and patient‑centered. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2029/how-can-covered-entities-calculate-the-limited-fee/index.html?utm_source=openai))

FAQs

What fees are allowable under the HITECH Act for patient access?

You may charge only a reasonable, cost‑based fee that covers copying labor, necessary supplies (like paper or a requested USB), and postage if mailed. No fees for search/retrieval, verification, EHR licenses, or other overhead are permitted. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2024/may-a-covered-entity-charge-individuals-a-fee/index.html?utm_source=openai))

How is the flat fee of $6.50 applied for electronic copies?

The $6.50 amount is an optional flat fee you may use for requests for an electronic copy of PHI that you maintain electronically. It must include all labor, supplies, and postage, and it is not a universal cap for all requests. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2030/is-650-the-maximum-amount-that-can-be-charged/index.html?utm_source=openai))

Are there exclusions in calculating fees for electronic PHI?

Yes. You cannot include search/retrieval, documentation, verification, system maintenance, storage, EHR licensing, or other overhead. Per‑page fees are not permitted when PHI is maintained electronically. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2024/may-a-covered-entity-charge-individuals-a-fee/index.html?utm_source=openai))

Do state laws affect allowable fees under the HITECH Act?

Only to the extent they authorize the same types of charges HIPAA allows and are reasonable. HIPAA preempts conflicting state fee schedules—especially those that set per‑page rates that are unreasonable for ePHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2031/are-costs-authorized-by-state-fee-schedules-permitted/index.html?utm_source=openai))

What fees apply to third-party requests for PHI?

The HIPAA patient‑rate limitation applies to a patient’s own access request. It does not apply when records are directed to or requested by third parties; those fees are typically governed by state law or contract terms. ([hhs.gov](https://www.hhs.gov/hipaa/court-order-right-of-access/index.html?utm_source=openai))