HITECH and HIPAA Medical Records Fee Limits: Provider Compliance Guide

HITECH Act Fee Limitations

Under HIPAA’s right of access, you must furnish individuals with timely access to their protected health information access at a fee that is reasonable and cost-based. The HITECH Act strengthened this right by emphasizing electronic access and clarifying PHI fee restrictions, especially for electronic copies.

The flat fee provision permits an optional, all-inclusive charge of up to $6.50 when an individual requests an electronic copy delivered electronically. This option is not a universal cap; you may instead calculate and charge your actual or average costs, provided they remain strictly cost-based.

Per-page charges are impermissible for electronic copies provided in an electronic format. For paper copies, per-page amounts may be used only if they reflect actual labor and supply costs, not arbitrary or inflated rates.

Permissible Fee Components

Allowed components (cost-based)

• Labor for copying: time spent creating and transmitting the copy (paper or electronic), including compiling, extracting, converting, and transferring the PHI.
• Supplies: paper, toner, envelopes, CDs/USBs or other media requested by the individual.
• Postage: only when mailing paper copies or physical media is requested.
• Summaries or explanations: only if the individual specifically requests and agrees to pay for them.

Excluded costs (never charge)

• Search, retrieval, and records management activities unrelated to copying.
• Reviewing records for potential disclosure or legal risk, or obtaining provider approvals.
• Capital costs of EHR systems, software licenses, maintenance, or data storage.
• Vendor or third-party retrieval fees, portal subscription fees, or general overhead not tied to copying.

Build your cost-based fee calculation on documented, verifiable inputs (e.g., standard labor rates, average handling times, and actual supply prices). Keep itemized records for audits and patient inquiries.

Distinctions for Third-Party Requests

When the individual requests their own records, or directs you to transmit an electronic copy of their PHI to a third party, the HIPAA right-of-access fee limits apply. In these cases, use a cost-based fee calculation or the $6.50 flat fee provision for qualifying electronic deliveries.

Requests initiated directly by third parties—such as insurers, attorneys, or record retrieval companies—generally are not subject to the right-of-access fee caps. Those requests typically proceed under an authorization or other legal process, and permissible charges may instead be governed by state-specific medical record fees or contractual terms.

Practical examples: an individual asks you to email a PDF of their lab results to themselves or to a designated recipient—right-of-access rules and PHI fee restrictions apply. An attorney’s direct request with an authorization is usually outside those caps, subject to applicable state limits and reasonableness.

Compliance with State Regulations

HIPAA preempts contrary state law unless the state rule is more stringent—meaning it offers greater privacy protection or broader individual access. Your compliance posture should satisfy HIPAA’s baseline and any stricter state-specific medical record fees or turnaround requirements.

• Right-of-access requests for electronic copies: do not use per-page pricing, even if state law allows it; stick to cost-based methods or the flat fee provision.
• Paper copies: state per-page caps may apply, but your total must still reflect actual labor, supplies, and postage, not extraneous overhead.
• Publish a clear fee schedule, reference controlling state rules, and review it annually or when laws change.
• Provide advance estimates on request and itemize final invoices to show compliant components.

Conditions for Denial of Access

Access denial criteria are narrowly defined and must be applied case-by-case. You must provide any disclosable portions and explain the basis for any denial in writing, including review rights when applicable.

• Psychotherapy notes and information compiled for, or in reasonable anticipation of, litigation may be denied without review.
• Access may be restricted where disclosure is prohibited by other applicable laws (for example, certain laboratory or substance use treatment records).
• During a clinical trial, access may be temporarily suspended if the individual agreed to this in the research consent.
• For inmates, providing a copy may be denied if it would jeopardize health, safety, or institutional security.
• A licensed professional may deny access if it is reasonably likely to endanger the life or physical safety of the individual or another person, or cause substantial harm to a person referenced in the record (with review rights).

When you deny any part of a request, issue a timely written notice stating the specific reason, how the individual can seek a review (if available), and how to request the permissible portions by alternative means.

Calculating Reasonable Cost-Based Fees

Accepted methods

• Actual-cost method: calculate the specific labor, supplies, and postage for the request.
• Average-cost schedule: use a documented, periodically validated schedule based on typical labor times and supply costs.
• $6.50 flat fee provision: for electronic copies delivered electronically at the individual’s request, you may charge a single all-inclusive fee up to $6.50 instead of computing actual costs.

Step-by-step cost-based fee calculation

• Confirm scope and format: identify the designated record set, date range, and whether delivery will be electronic or on paper/media.
• Estimate labor: use standard time benchmarks (e.g., minutes to compile, convert, and transmit) multiplied by your documented hourly rate.
• Add supplies: paper, toner, envelopes, or media (CD/USB) only if used and requested.
• Add postage: for mailed items only, at actual rates.
• Validate exclusions: ensure search/retrieval, EHR licensing, vendor fees, and overhead are not included.
• Provide an estimate on request and issue an itemized invoice upon fulfillment. Retain documentation supporting the calculation.

Worked examples

• Electronic portal delivery: 8 minutes of labor at $30/hour ($4.00), no supplies, no postage. Charge $4.00, or elect the flat fee provision and charge up to $6.50.
• USB by mail: 12 minutes labor at $30/hour ($6.00) + $2.00 USB + $4.00 postage = $12.00 total.
• Paper copy (25 pages): 15 minutes labor at $30/hour ($7.50) + $1.25 paper/toner + $3.00 postage = $11.75 total. For electronic medical record copy fees provided electronically, do not apply per-page pricing.

Key takeaways

• Keep fees strictly tied to copying labor, supplies, and postage; exclude retrieval and overhead.
• Use actual or average-cost methods, or the $6.50 flat fee provision for qualifying electronic deliveries.
• Apply right-of-access caps to individual requests and patient-directed electronic transmissions; third-party requests often follow state rules.
• Document your methodology and maintain a transparent, auditable fee schedule.

A disciplined, documented approach to cost-based fee calculation safeguards compliance, supports patient trust, and streamlines fulfillment across diverse request types.

FAQs.

What fees can providers charge under the HITECH Act for medical records?

You may charge only a reasonable, cost-based fee covering labor for copying, supplies, and postage, plus a summary or explanation if the individual specifically requests it. For qualifying electronic deliveries requested by the individual, you may instead use an all-inclusive flat fee up to $6.50.

Who is eligible for the $6.50 flat fee limit?

The $6.50 option applies when an individual requests an electronic copy delivered electronically (for example, via email or portal). It does not apply to paper copies, and it generally does not apply to third-party requests initiated by attorneys or insurers that are not made through the individual’s right of access.

What costs are excluded from permissible fee calculations?

Never include search and retrieval time, record review or redaction for legal risk, EHR licensing or maintenance, general overhead, vendor retrieval charges, or portal subscription fees. Only copying labor, necessary supplies, and postage are permitted.

When can a provider deny access to medical records?

You may deny access in limited circumstances, such as psychotherapy notes, information prepared for litigation, legally prohibited disclosures, agreed-on suspensions during clinical trials, specific correctional security risks, and clinically determined risks of endangerment or substantial harm. Denials must be narrowly tailored, explained in writing, and accompanied by review and appeal information when required.