What Fees Are Allowed Under the HITECH Act? HIPAA Rules Explained
HITECH Act Overview
The HITECH Act strengthened the HIPAA Privacy Rule by expanding the right of individuals to receive copies of their records in electronic form and by increasing HIPAA Enforcement. It also heightened accountability for covered entities and their business associates when handling Protected Health Information.
Under this framework, you may charge only reasonable, Cost-Based Fees for providing copies of a person’s records. This applies whether the records are on paper or maintained electronically and whether you deliver them by mail, secure email, patient portal, or other approved methods.
In practice, HITECH’s access provisions focus on making Electronic Record Copies available in the format the individual requests if readily producible, and at a cost that reflects the narrow, permitted components described below—nothing more.
Fees for Accessing Medical Records
Individuals have a right to inspect their records and to obtain copies. Inspection is generally free. When providing copies, covered entities may assess only Cost-Based Fees tied to the act of copying and delivering the records, not for allowing access itself.
For Electronic Record Copies, you must provide the information in the form and format requested if readily producible (for example, a PDF, a machine-readable export, or a standard summary file). If the exact format is not available, you and the individual should agree on a reasonable alternative that preserves usability.
The Cost-Based Fee limitation applies to an individual’s request for access. If a request falls outside the individual right of access (for example, certain third-party requests that proceed via authorization), different fee rules may apply, but the access fee limits described here govern the individual access pathway.
Allowed Fee Components
Only the following elements may be included when calculating Cost-Based Fees for copies:
- Labor for copying: time spent creating and transmitting the copy, including compiling from the designated record set, scanning paper, converting native files, and attaching or uploading the file for delivery.
- Supplies: the actual cost of materials such as paper, toner, a CD, DVD, or USB drive if the individual requests physical media.
- Postage: the actual mailing cost when the individual chooses mail delivery.
- Preparation of an explanation or summary, but only if the individual specifically agrees in advance to receive—and pay for—such a summary.
How to calculate Cost-Based Fees
- Actual cost method: track the specific labor minutes for the request, apply a reasonable hourly rate for the workforce member performing the task, and add the exact supply and postage costs.
- Average cost schedule: use a documented fee schedule that reflects typical labor for common request types (for example, standard electronic delivery vs. mailed paper copy) and add supplies and postage as applicable.
- Flat fee option (for certain electronic deliveries): a single, low, per-request fee as described in the section below.
Prohibited Fee Components
The following charges may not be included in fees for an individual’s access request:
- Search, retrieval, verification, or “chart pull” fees.
- General overhead, such as system licensing, data storage, archival costs, or amortized EHR expenses.
- Portal enrollment or subscription fees, or charges for standard secure messaging functionality.
- Per-page fees for Electronic Record Copies; per-page pricing is permissible only for paper copies when it reflects actual supply and labor costs.
- Staff time unrelated to copying and transmission (for example, time spent reviewing records for compliance outside what is necessary to produce the copy).
- Charges to fund Privacy Training, auditing programs, or other compliance activities—these are the organization’s responsibility, not the individual’s.
Flat Fee Option
For Electronic Record Copies of information maintained electronically, covered entities may use a single flat fee per request instead of tracking actual or average labor. This flat fee must be reasonable, truly cost-based, and inclusive only of the permitted components (copying labor and, if needed, minimal electronic delivery costs). It cannot be a per-page fee, and it does not apply to paper copies or to deliveries that require physical media plus postage.
Best practices for flat fees
- Document how you derived the flat amount from real labor time and typical delivery steps.
- Apply the flat fee only to qualifying electronic requests; use actual or average-cost methods for all others.
- Publish the fee approach in plain language so individuals understand their options before they request copies.
- Offer a no-cost electronic method when feasible (for example, secure portal download) to minimize burden and improve satisfaction.
Penalties for Non-Compliance
Failure to provide timely access at a reasonable, Cost-Based Fee can trigger HIPAA Enforcement actions. The HITECH Act established Tiered Penalties that scale with culpability, from unknowing violations to willful neglect not corrected. Penalties are assessed per violation and can aggregate, and they are periodically adjusted for inflation.
Beyond monetary penalties, enforcement commonly includes corrective action plans that require policy updates, staff Privacy Training, monitoring, and proof of sustained compliance. Repeated or egregious failures to honor access rights at permissible fees increase enforcement risk substantially.
Enforcement and Audits
The Office for Civil Rights conducts investigations based on complaints and can initiate compliance reviews. Audits assess whether covered entities maintain written policies, a documented fee methodology, accurate fee schedules, and records showing how each fee was calculated. Clear logs, staff training records, and standardized workflows reduce exposure during audits.
To prepare, maintain a concise fee policy, a current average-cost schedule, and templates for actual-cost calculations. Validate that your Electronic Record Copies process supports common formats, secure transmission, and prompt fulfillment without unnecessary steps or charges.
Conclusion
In short, the fees allowed under the HITECH Act come down to one standard: reasonable, Cost-Based Fees tied to copying and delivering the requested records, and nothing more. Keep fees narrowly tailored, document how you calculated them, and reinforce staff readiness through ongoing Privacy Training to meet access obligations confidently and consistently.
FAQs
What types of fees are permissible under the HITECH Act?
Permissible fees are limited to copying labor, the cost of supplies when physical media or paper is requested, actual postage for mailed copies, and the preparation of an explanation or summary if the individual agrees in advance. All fees must be reasonable and strictly cost-based.
How much can covered entities charge for electronic medical records?
For Electronic Record Copies of information maintained electronically, you may charge an actual-cost amount, an average-cost amount from a documented schedule, or a reasonable flat fee per request. The fee must reflect only allowed components and may not be calculated per page.
What fees are prohibited under HIPAA?
Prohibited fees include charges for search and retrieval, verification, general overhead, EHR licensing or storage costs, portal access fees, and per-page fees for electronic copies. You also cannot pass on the cost of compliance activities such as Privacy Training.
How are penalties for HITECH Act violations determined?
Penalties follow a Tiered Penalties model based on the level of culpability, the number of violations, and corrective actions taken. Remedies can include monetary penalties and corrective action plans that mandate policy changes, training, and ongoing monitoring.