Medical Records Fee Checklist: HITECH/HIPAA Rules, Permissible Costs, State Preemption


Kevin Henry

HIPAA

July 23, 2024


HIPAA Privacy Rule on Medical Records Fees

The HIPAA Privacy Rule lets you obtain copies of your Protected Health Information from covered entities (health plans, providers, and their business associates). For these requests, a reasonable cost-based fee may be charged, but only for specific, limited components tied to making the copy and delivering it.

HIPAA’s fee standard applies when you request your own records or authorize a request on your behalf. It is designed to prevent markups, retrieval charges, or profit-making add-ons and to keep access affordable—especially for Electronic Health Records.

Core principles you must follow

  • Charge only what it reasonably costs to copy and deliver the PHI—nothing more.
  • No per-page fees for electronic copies of records extracted from Electronic Health Records.
  • Document your calculation method and, upon request, explain it to the requester.
  • Business associates and release-of-information vendors must follow the covered entity’s HIPAA-compliant fee rules.

Permitted fee calculation methods

  • Actual cost: calculate the specific labor, supplies, and postage for each request.
  • Average costs: publish a schedule reflecting typical labor and supply costs for standard request types.
  • Optional flat fee (for e-copies): use a single, low flat amount for common electronic deliveries when it reasonably reflects your labor and supplies.

Permissible and Prohibited Costs

Permissible components of a reasonable cost-based fee

  • Labor costs for copying PHI: locating and extracting data from the system, scanning paper, converting to the requested format, and preparing the file for release.
  • Supplies: paper and toner for paper copies; or the cost of a CD, DVD, or USB drive used to provide the copy.
  • Postage: actual postage for mailed copies.
  • Preparing a summary or explanation—but only if the individual specifically agrees in advance.

Prohibited charges (do not include these)

  • Retrieval or “chart pull” fees, search fees, or verification fees—these are not copying labor.
  • Overhead and capital costs: EHR license fees, portal maintenance, data storage, or depreciation.
  • Per-page charges for electronic copies derived from Electronic Health Records.
  • Charges for maintaining systems, implementing HIPAA compliance, or handling unpaid bills.

Practical tips to stay compliant

  • Use automation to reduce labor costs for standard electronic exports and keep your fee schedules current.
  • Offer secure electronic delivery by default; fall back to paper only when necessary or requested.
  • Keep written procedures showing how labor costs are measured and updated.

State Laws on Medical Records Fees

Many states publish fee schedules with per-page caps, retrieval allowances, or special patient rates. These rules often vary for patients, attorneys, insurers, and government agencies, and some states distinguish paper from electronic deliveries.

As you set fees, map each request to the correct pathway: individual right of access under HIPAA, patient-directed third-party delivery, or a direct third-party request (for example, an attorney letter, subpoena, or insurer request). The applicable state schedule may differ by pathway and by format.

Where state schedules allow lower charges or additional patient rights, you may use the more protective state rule. Where they allow higher or broader charges than HIPAA permits for patient access, state law yields to HIPAA’s limits.

Preemption of State Laws by HIPAA

HIPAA preempts state laws that are contrary to HIPAA and less protective of an individual’s access rights. A state rule is “contrary” when it is impossible to comply with both, or when the state rule stands as an obstacle to HIPAA’s objectives.

Use this rule of thumb: for an individual’s own access request, apply HIPAA’s reasonable cost-based fee; if a state rule provides greater privacy protection or lower fees, you may apply the more stringent state rule. If a state schedule permits retrieval fees or higher charges for patient access, HIPAA’s prohibition and limits control.

For non-access pathways (for example, a direct third-party request or certain subpoena responses), state fee schedules often govern unless the request is converted to a HIPAA right-of-access or HITECH patient-directed request.

Application of HITECH Act to Medical Records Fees

The HITECH Act modernized access to PHI by focusing on Electronic Health Records. When PHI is maintained in an EHR, you can request an electronic copy and receive it in the form and format you request if readily producible, or in a mutually agreeable readable electronic format.

Fees for these EHR-based copies are tightly limited: no per-page pricing and no retrieval surcharges. The allowable charge is a reasonable cost-based fee reflecting labor to produce the electronic copy, plus any minimal supplies or postage if applicable.

HITECH also enables you to direct your provider to transmit an electronic copy of your EHR data to a designated third party. That directive must clearly identify the recipient and destination and be in writing (including electronic).

Impact of HITECH Act on Third-Party Requests

Distinguish two scenarios. First, a patient-directed transmission: you instruct a covered entity to send an electronic copy of EHR data to a named third party. In this case, HITECH’s access framework and cost limits apply, and per-page or retrieval fees are not permitted.

Second, a direct third-party request (for example, an attorney or insurer requests records without a valid patient directive that fits the EHR pathway). This is not a HIPAA right-of-access request. In many states, applicable fee schedules for third-party requests may allow per-page or retrieval charges for paper records; electronic per-page charges remain inappropriate for EHR exports.

Attorneys, insurers, and record vendors should choose the correct pathway. Where possible, a compliant patient directive for EHR data typically yields the fastest delivery and the lowest, labor-based fee.

Court Rulings on Medical Records Fees

Federal decisions have clarified the boundaries of access fees. Courts have limited the application of patient “access” pricing to individual requests and narrowed the patient-directed third-party pathway to electronic copies of EHR data. They have also rejected retrieval and other overhead-style charges for HIPAA access requests.

State courts have drawn lines between requests made by patients versus those made by attorneys or other third parties, often holding that attorney-initiated requests without a proper patient directive are subject to state fee schedules, not HIPAA’s patient access pricing.

Conclusion

For a defensible medical records fee checklist, anchor every decision to three touchstones: HIPAA’s reasonable cost-based fee, HITECH’s EHR-focused access pathway, and state preemption analysis. Charge only copying labor, necessary supplies, and postage; avoid retrieval and per-page fees for electronic copies; and apply state fee schedules only when they are more protective or when the request is not a HIPAA access request.

FAQs

What costs are permissible under HIPAA for medical records fees?

Only a reasonable cost-based fee: copying labor (including extracting from systems, scanning, and preparing the file), necessary supplies (paper, toner, CD/USB), actual postage for mailed copies, and—if the individual agrees—labor to prepare a summary or explanation. Retrieval, verification, system maintenance, overhead, and per-page charges for electronic copies are not permitted.

How does the HITECH Act affect fees for electronic medical records?

HITECH prioritizes electronic access to PHI in Electronic Health Records and bars per-page pricing for e-copies. Covered entities may charge only a reasonable, cost-based amount reflecting labor to produce and transmit the electronic copy, plus minimal supplies or postage when applicable.

When do state laws get preempted by HIPAA regarding medical records fees?

HIPAA preempts state rules that are contrary and less protective. For patient access requests, if a state schedule allows retrieval fees or higher charges than HIPAA’s limits, HIPAA controls. If a state rule is more protective (for example, lower caps or a free first copy), that more stringent state protection can apply.

Can an attorney directly request medical records under HITECH rules?

Yes, but the fee rules depend on the pathway. If the patient gives a proper written directive to send an electronic copy of EHR data to the attorney, HITECH/HIPAA access limits apply and only a reasonable cost-based fee may be charged. If the attorney requests records without a qualifying patient directive, state fee schedules for third-party requests typically govern.
