HITECH Act Medical Records Fees: HIPAA Right of Access Requirements Explained

HIPAA Right of Access Provisions

Under the HIPAA Privacy Rule, you have the right to access, inspect, and obtain a copy of your Protected Health Information (PHI) maintained by covered entities, including healthcare providers, health plans, and clearinghouses. This right applies to the designated record set, which typically includes medical and billing records related to your care and payment.

Covered entities must provide access in the form and format you request if readily producible, and generally within 30 days, with one permissible 30‑day extension when necessary. When records are maintained as Electronic Medical Records, entities must provide an electronic copy when you ask for it, or transmit it securely to a destination you designate.

Scope of Protected Health Information

PHI includes identifiable health information in any medium. It excludes psychotherapy notes and information compiled for litigation, which are not subject to the right of access. For most other clinical and billing content—lab results, visit notes, imaging reports, and claims—access must be provided consistent with HIPAA.

Permissible Fees for Medical Records

HIPAA permits only a reasonable, cost-based fee for copies of PHI requested under the right of access. The fee must reflect the actual effort to create and deliver the copy and may never be used to discourage you from exercising your rights.

Costs you may be charged

• Labor costs for copying PHI (e.g., locating, extracting, scanning, and transmitting the record).
• Supplies for creating the copy (e.g., paper, CD, DVD, or USB drive).
• Postage when you request mailing.
• PHI summary fees only if you specifically agree to receive a written summary or explanation instead of—or in addition to—a full copy.

Costs that may not be charged

• No retrieval, access, or “chart pull” fees, and no fees for verification, documentation, or maintaining systems.
• No per‑page charges for electronic copies of PHI.
• No fees for basic portal access or viewing your records on-site.

HITECH Act Electronic Copy Rights

The HITECH Act strengthened electronic access by requiring an electronic copy when PHI is maintained in an Electronic Health Record. If you request an e‑copy for yourself, the covered entity must provide it in your requested form and format if readily producible, or in a readable alternative you agree to (for example, a secure email, portal download, or encrypted media).

Third-Party Access via Patient Directive

You may direct a covered entity to transmit an electronic copy of your PHI to a designated person or organization. This “Third-Party Access” must be in a written, signed request that clearly identifies the recipient and where to send the records. When the request qualifies under the HITECH provisions for EHR data, the cost-based fee rules still apply.

Fee Limitations for Electronic Records

For electronic copies provided to you, HIPAA allows three compliant ways to set fees. A covered entity may: (1) calculate the actual, itemized cost to fulfill your request; (2) use a schedule of average costs for standard requests; or (3) charge a reasonable flat fee for electronic copies. A commonly used flat fee “safe option” is a modest, all‑inclusive amount for typical e‑copy requests, but providers may instead charge their documented actual or average labor costs when higher or lower.

Regardless of the method chosen, per‑page fees for e‑copies are not allowed, and the fee must include only labor for copying, supplies, and postage (if mailed). Labor for reviewing records, retrieving charts, or verifying identity cannot be included.

Court Rulings on Third-Party Requests

Court decisions have narrowed how the HITECH third‑party directive applies. In essence, the patient’s right to direct a copy to a third party remains, but it applies to electronic PHI in an EHR and follows the HIPAA access fee rules only when it is your access request being fulfilled. By contrast, disclosures made directly to third parties under a HIPAA authorization or other legal process are not treated as patient access requests, so the HIPAA cost‑based fee limitations do not govern those transactions.

What this means in practice

• If you request an e‑copy for yourself or direct it to a third party from your EHR data, the cost-based fee standard applies.
• If an attorney, insurer, or other third party requests records using an authorization or legal process, state law often controls the price, and HIPAA’s access fee cap does not apply.

State Law Impact on Fee Regulations

HIPAA sets a federal floor. When you make a HIPAA right‑of‑access request for your own PHI, HIPAA’s cost-based fee standard applies even if a state statute would allow higher amounts. For third‑party requests that are not your HIPAA access request (for example, a records release under a separate authorization), state fee schedules, per‑page rates, or “reasonable cost” standards may govern.

If a state law gives you greater access rights—such as faster timelines or lower fees—it is typically considered more stringent and will control. Covered entities should map their workflows to both HIPAA and applicable state requirements to ensure compliance.

Exceptions to Fee Limitations

HIPAA’s access fee limitations do not apply to every disclosure. When records are released under subpoenas, court orders, workers’ compensation statutes, insurer requests, or general HIPAA authorizations initiated by third parties, pricing is not constrained by the cost‑based fee rule (though other federal or state limits may apply). In addition, HIPAA does not require access to psychotherapy notes or information compiled for legal proceedings.

When the requested form or format is not readily producible, a covered entity may offer an alternative you accept. If you ask for a detailed summary instead of a full copy, PHI summary fees may be charged, but only with your advance agreement. Rush handling, special courier services, or encrypted media can be billed at actual cost when you request them.

FAQs

What fees can providers charge for medical record copies?

For HIPAA right‑of‑access requests, providers may charge only a reasonable, cost‑based fee that includes labor for copying (such as scanning or downloading), supplies (paper, CD, USB), postage if mailed, and PHI summary fees if you request a summary. They may not charge retrieval, verification, or overhead fees, and they may not use per‑page pricing for electronic copies.

How does the HITECH Act affect electronic record access?

HITECH requires an electronic copy when PHI is maintained in an EHR and you request it. You may also direct the provider to send an electronic copy to a third party. The copy should be in the form and format you request if readily producible, and the same cost‑based fee rules apply to your EHR e‑copy requests.

Are fees different for third-party record requests?

Yes. If it is your HIPAA access request (including a valid directive to send your EHR data to a third party), the cost‑based fee limits apply. If a third party requests records under a HIPAA authorization, subpoena, or other legal process, that is not your access request and the HIPAA access fee limitations do not apply; state law typically governs those charges.

What exceptions exist to the standard fee limitations?

Exceptions include disclosures made under subpoenas, court orders, workers’ compensation laws, insurer or attorney requests using a HIPAA authorization, and other releases that are not your own HIPAA access request. Also, HIPAA does not require access to psychotherapy notes or information prepared for litigation. When you specifically request a summary, PHI summary fees may be charged with your prior agreement.