How to Comply with HITECH 17935(e) Electronic Access and Fee Limits

Kevin Henry

HIPAA

July 19, 2024

8 minute read

Understanding HITECH Act Section 17935(e)

HITECH Section 17935(e) requires you to furnish individuals with an electronic copy of their protected health information maintained in an electronic health record (EHR) and, upon a patient’s direction, transmit that copy to a designated third party. The provision strengthens Electronic Health Record Access and aligns with the HIPAA Right of Access while emphasizing Health Information Portability.

Covered Entity Obligations under this section include providing the copy in the form and format requested if readily producible; if not, you must offer a mutually agreeable readable electronic format. You must apply Fee Limitation Compliance rules, avoid unreasonable barriers to access, and meet timeliness standards established by the HIPAA Privacy Rule.

  • Scope: protected health information (PHI) in the EHR that is part of the designated record set.
  • Form/format: honor the patient’s requested electronic format when reasonably producible (for example, portal download, secure email, CD/USB, or API export).
  • Transmission: support Patient Directed Requests to a third party identified by the individual.
  • Fees: limit charges to allowable, cost-based components only.
  • Timeliness: respond within 30 calendar days of receipt, with one permissible 30-day extension when documented.

Patient Rights to Electronic Health Information

Patients have the right to access, inspect, and receive an electronic copy of their PHI and to direct you to send that copy to another person or entity. You may not force portal-only access, require in-person requests, or impose unnecessary identity hurdles. Your process must be simple, transparent, and prompt.

  • Request pathways: accept requests through multiple reasonable channels (portal, form, mail, phone-to-form), and document each request upon receipt.
  • Identity verification: verify identity using balanced measures that do not create undue burden (for example, knowledge-based checks or photo ID for in-person pick-up).
  • Form and format: if the patient asks for a specific electronic format and it is readily producible, provide it; otherwise offer a readable alternative and explain the options.
  • Delivery methods: portal download, secure email or link, encrypted media, or other agreed methods. If a patient accepts the risk of unencrypted email after being advised, you may accommodate the request.
  • Timing: provide access within 30 days; if an extension is necessary, notify the patient in writing with the reason and the new deadline.

Calculating Permissible Fees for Electronic Copies

Fee Limitation Compliance allows only a reasonable, cost-based fee for producing the electronic copy. For electronic copies, per-page fees are not permitted. Build your fee method around Labor Cost Calculation for copying, limited supply costs, and postage when applicable.

Costs you may include

  • Labor for copying: time spent retrieving the record from the EHR, creating the electronic file, and transferring or uploading the copy for delivery.
  • Supplies: actual cost of media (for example, a CD or USB) when the patient requests delivery on physical media.
  • Postage: only if the patient requests mailed media.
  • Summary/explanation: only if the patient agrees in advance to receive and pay for it.

Costs you may not include

  • Search and retrieval fees, including locating, reviewing for responsiveness, or verifying authorization.
  • Overhead or technology amortization (for example, EHR licensing, maintenance, or portal subscriptions).
  • Per-page fees for digital copies, regardless of the number of pages in the electronic file.

Permissible fee methods

  • Actual cost: calculate the direct labor time for copying multiplied by a reasonable hourly rate, plus allowable supplies and postage.
  • Average schedule: develop a documented fee schedule using data-backed average labor times for common request types and delivery methods.
  • Flat fee option: for requests for an electronic copy of PHI maintained electronically, you may charge a flat fee not to exceed $6.50 as a simple, compliant alternative.

Labor Cost Calculation example

  • Example: 10 minutes to prepare and transmit an encrypted PDF via secure email at a $30/hour loaded wage equals $5.00 in labor (0.167 × $30). No supplies or postage apply, so the total is $5.00.
  • Example: 12 minutes to export and copy to a USB at $28/hour equals $5.60 in labor, plus a $1.40 USB supply cost, for a total of $7.00.

If you deliver through a patient portal or API without using physical media, supplies and postage are typically $0.00. If patients provide their own media and you accept it under your security policy, you may not charge supply costs.

Establishing Compliance Procedures

Operationalize compliance by standardizing intake, production, pricing, and fulfillment. Written procedures make expectations clear and enforceable across your workforce.

Standard operating steps

  • Intake: log the date received, verify identity, capture form/format and delivery preferences, and note any third-party designation.
  • Scope: confirm the request covers PHI in the designated record set and clarify any date-range or document-type limits.
  • Pricing: estimate fees using your approved method and disclose them on request; obtain agreement for any optional summary.
  • Production: export in the requested format if readily producible; otherwise agree on an alternative readable electronic format.
  • Fulfillment: deliver securely, document the send method, and record completion within 30 days (or the extended deadline).
  • Documentation: retain the request, communications, fee calculation, and proof of delivery to demonstrate compliance.

Governance and training

  • Publish a clear, patient-facing access policy and internal work instructions.
  • Maintain a documented fee schedule and update it when labor rates or workflows change.
  • Train staff on access rights, security, Patient Directed Requests, and Fee Limitation Compliance.
  • Audit samples monthly to verify timeliness, accuracy, and correct fee application.

Managing Third-Party Record Requests

Distinguish patient-directed transmissions under HITECH 17935(e) from requests initiated by third parties. Your obligations and fees depend on who initiates the request and the legal pathway used.

  • Patient Directed Requests: when a patient asks you to send an electronic copy from the EHR to a named third party and provides a clear written direction, you must transmit it in the requested form/format if readily producible. The same cost-based fee limits apply.
  • Third-party requests with authorization: when a law firm, insurer, or other third party requests records using a HIPAA authorization, different fee rules may apply under federal and state law. Apply your policy consistently and document the basis for any charges.
  • Minimum necessary: does not apply to the individual’s right of access or patient-directed transmissions, but it does apply to most third-party disclosures made pursuant to an authorization.
  • Security and accuracy: validate the recipient’s details, use secure transmission where feasible, and confirm delivery. If a patient requests unencrypted email after being advised of risks, honor the choice and note the acceptance of risk.

Monitoring Enforcement and Penalties

OCR actively enforces the Right of Access, with settlements and corrective action plans imposed for delayed responses, unreasonable barriers, and improper fees. Sustained compliance reduces legal exposure and demonstrates respect for patient autonomy.

Civil Penalty Guidelines overview

  • Tiered penalty structure based on culpability (ranging from lack of knowledge to uncorrected willful neglect), with per-violation amounts and annual caps set by statute and HHS policy.
  • Penalties can include monetary fines, mandated corrective action plans, audits, and monitoring.
  • State attorneys general may also bring actions, and reputational impacts often exceed direct costs.

Common enforcement pitfalls

  • Missing the 30-day deadline or failing to document a permissible extension.
  • Charging impermissible fees (for example, per-page fees for electronic copies or search/retrieval charges).
  • Requiring portal-only access or imposing unnecessary identity hurdles.
  • Refusing patient-preferred formats that are readily producible.

Continuous monitoring

  • Track turnaround time and fee application metrics.
  • Review complaints and implement corrective actions quickly.
  • Reassess policies when technology, workflows, or labor rates change.

Conclusion

To comply with HITECH 17935(e), build an access program that is fast, format-flexible, and fair on price. Center your workflows on Health Information Portability, apply cost-based fees only, and document every step. These practices protect patients’ rights and your organization under the Civil Penalty Guidelines.

FAQs

What fees are allowed under HITECH Section 17935(e)?

You may charge only a reasonable, cost-based fee covering labor for copying the electronic record, supplies for requested media, postage when mailed, and an optional summary if the patient agrees. Per-page fees for digital copies and search/retrieval charges are not allowed.

How must covered entities handle third-party access requests?

When a patient issues a clear, written Patient Directed Request to send an EHR copy to a specified third party, you must transmit it in the requested format if readily producible and apply the same fee limits. Third-party requests initiated by the recipient and supported by a HIPAA authorization follow different rules; apply your documented policy and applicable federal and state requirements.

What penalties apply for noncompliance with HITECH electronic access provisions?

OCR can impose tiered civil monetary penalties, corrective action plans, and monitoring based on culpability and the nature of violations. Repeated delays, unreasonable barriers, or impermissible fees are common triggers and can result in substantial settlements in addition to reputational harm.

How should labor costs be calculated for electronic copy fees?

Use a Labor Cost Calculation that multiplies documented copying time by a reasonable, fully loaded hourly wage for the staff performing the work. Include only tasks necessary to create and transmit the electronic copy; exclude search/retrieval, legal review, and overhead. Consider using an average-cost schedule or a flat fee not exceeding $6.50 for simplicity.
