Medical Records Requests Under HITECH: Fees, Formats, and Risk Mitigation


Kevin Henry

Risk Management

July 15, 2024


HITECH Act Overview

The HITECH Act strengthened HIPAA by accelerating adoption of electronic health records and by expanding patients’ practical ability to obtain copies of their information. It also enhanced enforcement and breach notification, raising the stakes for covered entities and their business associates.

In day-to-day operations, this means you must provide timely access to electronic health information in the form and format requested when readily producible, charge only a reasonable cost-based fee for individual access, and maintain safeguards that protect records during collection, processing, and transmission.

HITECH works alongside the HIPAA Privacy, Security, and Breach Notification Rules. You should read “electronic health information” here as the electronic protected health information in your designated record set—clinical notes, test results, billing records, and other materials used to make decisions about a patient.

Patient Rights to Electronic Records

Timelines and fulfillment

Patients can request access to their records and receive a copy within 30 days of receipt of the request, with one permissible 30-day extension if you document the reason and provide a new due date. You must provide records in the form and format requested if you can readily produce them that way; otherwise, agree on an alternative readable format.

Formats and delivery methods

  • Electronic copies: patient portal download, secure email, direct secure messaging, API access, encrypted media (for example, USB), or CD.
  • Paper copies: when specifically requested or when electronic production is not readily possible.
  • Transmission risk: if a patient prefers unencrypted email, advise of the risk, document the preference, and honor the request.

Access vs. authorization

A patient’s right of access does not require a HIPAA patient authorization. However, when a patient wants the covered entity to send a copy directly to a third party, the request must be in writing, signed, and clearly identify the designated recipient and where to send it. Third-party requests initiated by the recipient typically require a HIPAA-compliant patient authorization.

Fee Structures for Electronic Copies

Cost-based fee components

For individual access requests (including patient-directed transmissions to a third party), you may charge only a reasonable, cost-based fee covering the following:

  • Labor for copying and preparing the electronic file (locating, extracting, packaging, and verifying the copy).
  • Supplies if you provide portable media (for example, a USB drive).
  • Postage if mailing physical media.
  • An agreed-upon summary or explanation, if the patient asks for one.

Prohibited charges

  • No retrieval, archival, or “chart pull” fees.
  • No per-page fees for electronic copies of electronic records.
  • No fees for maintaining systems, subscriptions, or portals.

Pricing methods that pass scrutiny

  • Actual cost: log staff time and supply costs per request.
  • Average cost: use a written schedule that reflects typical labor and supplies for standard request types.
  • Flat fee for e-copies: a reasonable flat amount (for example, up to $6.50) can simplify processing when it reasonably reflects your costs.

Practical examples

  • Secure email of a 50-page PDF produced directly from the EHR: charge verified labor minutes only; no per-page or retrieval fees.
  • USB mailed to the patient: include the cost of the USB and postage, plus documented labor to create and verify the files.

Fee Structures for Paper Copies

Applying the cost-based standard

For paper copies, the same cost-based fee principle applies. You may include copying labor and paper/ink supplies, and postage if mailed. If you use per-page pricing, ensure it reflects your actual costs rather than a default maximum.

State law interplay

Many states set per-page caps for paper copies. You must still stay within HIPAA’s cost-based fee framework and apply whichever rule is more protective for the patient. Retrieval and handling fees are not permissible even if state law allows them.

Third-Party Medical Records Requests

Two common pathways

  • Patient-directed request: the individual asks you in writing to send an electronic copy to a named recipient. The HIPAA/HITECH access right applies, including the reasonable, cost-based fee limits.
  • Third-party–initiated request: a lawyer, insurer, or other party requests records and presents a HIPAA patient authorization. In this route, the access fee limits do not control the fee; charge in line with applicable state law and your posted schedule.

Content and scope

Provide only the designated record set requested. For patient-directed requests, you must honor the patient’s chosen format if readily producible; for third-party–initiated requests, clarify scope in the authorization and avoid over-disclosure.

Verification and patient authorization

Verify identity and the authenticity of any patient authorization before disclosure. Confirm delivery details for electronic transmissions and document each step to support your compliance record.

Risk Mitigation in Handling Health Records

Administrative safeguards

  • Policies defining intake, verification, fulfillment, fee calculation, and denial processes.
  • Workforce training on access rights, cost-based fee rules, and phishing/social engineering risks.
  • Business associate agreements that bind vendors handling requests.

Technical protections

  • Encryption in transit and at rest for electronic health information; strong authentication and role-based access.
  • Audit logging for exports, downloads, and transmissions, with regular review.
  • Data loss prevention rules for email and file transfer; secure portals or direct messaging for routine delivery.

Data breach mitigation

  • Incident response playbooks for containment, investigation, and notification.
  • Verification callbacks for unusual third-party destinations or bulk requests.
  • Least-privilege workflows and segregation of duties for staff who fulfill requests.

Compliance with HITECH Regulations

Operational checklist

  • Publish a clear fee schedule showing cost-based calculations for electronic and paper copies.
  • Offer multiple electronic formats and honor the patient’s requested format when readily producible.
  • Track the 30-day fulfillment clock; document any single 30-day extension with reasons and a new date.
  • Use standardized intake forms that capture delivery method, recipient details, and whether the route is access-based or authorization-based.
  • Maintain written procedures for identity verification, patient authorization review, and secure transmission.
  • Test your breach response and keep evidence of training, audits, and corrective actions.

Conclusion

To handle medical records requests under HITECH with confidence, align your workflows to three pillars: give patients timely access in their chosen electronic format, apply a documented cost-based fee, and harden your processes with administrative safeguards and technical protections. This approach reduces risk, improves patient experience, and keeps you compliant.

FAQs

What fees can be charged for electronic medical records requests under HITECH?

You may charge only a reasonable, cost-based fee that covers copying labor, supplies for any media provided, postage if mailing, and any patient-requested summary. Retrieval, subscription, or per-page fees for e-copies are not allowed. Many providers simplify pricing with a modest flat fee that reflects their actual costs.

How does the HITECH Act regulate third-party requests for medical records?

If a patient directs you in writing to send an electronic copy to a third party, treat it as an access request and apply the cost-based fee limits. When a third party initiates the request and presents a valid patient authorization, the access fee limits do not apply; charge consistent with state law and your posted schedule, and disclose only the authorized scope.

What security measures must healthcare providers implement to protect electronic health records?

Implement administrative safeguards (policies, training, BAAs), technical protections (encryption, strong authentication, role-based access, audit logs, DLP), and incident response for data breach mitigation. Use secure transmission channels by default and document patient preference if they choose less secure options.

How do patient rights under HITECH differ from HIPAA regarding record formats?

HITECH amplifies HIPAA’s access right by emphasizing electronic copies: if you maintain records electronically, you must provide them in the electronic form and format requested when readily producible. If not, work with the patient to agree on an alternative readable electronic format or paper, based on their preference.
