skip to Main Content

Individual Access and Fees

For many patients, fees are a barrier to accessing and using their health data — charges for accessing information can be anything from inconvenient to prohibitive. Likewise, providers are often perplexed about what fees are permitted when fulfilling an information request . Thankfully, OCR’s Individual Right of Access Guidance has plenty to say about fees, and we’ve laid out their language in an understandable format. Don’t forget to take the quiz!

Ready to Test Your Knowledge? Take the Quiz!

OCR Guidance on Fees

“The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of:

  1. labor for copying the PHI requested by the individual, whether in paper or electronic form;
  2. supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
  3. postage, when the individual requests that the copy, or the summary or explanation, be mailed; and
  4. preparation of an explanation or summary of the PHI, if agreed to by the individual. See 45 CFR 164.524(c)(4).

The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”¹

1. HHS: Health Information Privacy Division. (2016, February). “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.”

Labor

Labor

“Labor for copying the PHI requested by the individual, whether in paper or electronic form.  Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.  Labor for copying does not include costs associated with reviewing the request for access; or searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record, and segregating or otherwise preparing the PHI that is responsive to the request for copying.

While it has always been prohibited to pass on to an individual labor costs related to search and retrieval, our experience in administering and enforcing the HIPAA Privacy Rule has shown there is confusion about what constitutes a prohibited search and retrieval cost and this guidance further clarifies this issue.  This clarification is important to ensure that the fees charged reflect only what the Department considers “copying” for purposes of applying 45 CFR 164.524(c)(4)(i) and do not impede individuals’ ability to receive a copy of their records.”

Supplies

Supplies

Supplies for creating the paper copy (e.g.,  paper, toner) or electronic media (e.g., CD or USB drive) if the  individual requests that the electronic copy be provided on portable media.  However, a covered entity may not require an  individual to purchase portable media; individuals have the right to have their  PHI e-mailed or mailed to them upon request.”

Summaries

Summaries

Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.”

Postage

Postage

Postage, when the individual requests that the copy, or the summary or explanation, be mailed.

Exclusions Apply

“Thus, costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling the access request (e.g., verification, ensuring only information about the correct individual is included, etc.) and other costs not included above, even if authorized by State law, are not permitted for purposes of calculating the fees that can be charged to individuals.  See 45 CFR 164.524(c)(4).”

Data Should be Free

“Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge.  While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee.  Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.”

Want More Details?

OCR answers some frequently asked questions:

  • Specifics of Labor Costs

    What labor costs may a covered entity include in the fee that may be charged to individuals to provide them with a copy of their PHI?

    A covered entity may include reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

  • View, Download, and Transmit Functionality

    May a covered health care provider charge a fee under HIPAA for individuals to access the PHI that is available through the provider’s EHR technology that has been certified as being capable of making the PHI accessible?

    No. The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Where an individual requests or agrees to access her PHI available through the View, Download, and Transmit functionality of the CEHRT, we believe there are no labor costs and no costs for supplies to enable such access. Thus, a covered health care provider cannot charge an individual a fee when it fulfills an individual’s HIPAA access request using the View, Download, and Transmit functionality of the provider’s CEHRT.

  • Outsourcing Data Access to Business Associates

    May a covered entity that uses a business associate to act on individual requests for access pass on the costs of outsourcing this function to individuals when they request copies of their PHI?

    No. A covered entity may charge individuals a reasonable, cost-based fee that includes only labor for copying the PHI, costs for supplies, labor for creating a summary or explanation of the PHI if the individual requests a summary or explanation, and postage, if the PHI is to be mailed. See 45 CFR 164.524(c)(4). Administrative and other costs associated with outsourcing the function of responding to individual requests for access cannot be the basis for any fees charged to individuals for providing that access.

  • Providing Advance Notice of Fees

    Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?

    Yes. When an individual requests access to her PHI and the covered entity intends to charge the individual the limited fee permitted by the HIPAA Privacy Rule for providing the individual with a copy of her PHI, the covered entity must inform the individual in advance of the approximate fee that may be charged for the copy. An individual has a right to receive a copy of her PHI in the form and format and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. Since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of her PHI. The failure to provide advance notice is an unreasonable measure that may serve as a barrier to the right of access. Thus, this requirement is necessary for the right of access to operate consistent with the HIPAA Privacy Rule.  Further, covered entities should post on their web sites or otherwise make available to individuals an approximate fee schedule for regular types of access requests.  In addition, if an individual requests, covered entities should provide the individual with a breakdown of the charges for labor, supplies, and postage, if applicable, that make up the total fee charged.  We note that this information would likely be requested in any action taken by OCR in enforcing the individual right of access, so entities will benefit from having this information readily available.

  • Three Acceptable Ways to Calculate the Fee

    How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?

    The HIPAA Privacy Rule permits a covered entity to charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individuals’ PHI. In addition to being reasonable, the fee may include only certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual. The following methods may be used, as specified below, to calculate this fee.

  • $6.50 Flat Fee

    Is $6.50 the maximum amount that can be charged to provide individuals with a copy of their PHI?

    No. For any request from an individual, a covered entity (or business associate operating on its behalf) may calculate the allowable fees for providing individuals with copies of their PHI: (1) by calculating actual allowable costs to fulfill each request; or (2) by using a schedule of costs based on average allowable labor costs to fulfill standard requests. Alternatively, in the case of requests for an electronic copy of PHI maintained electronically, covered entities may: (3) charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage). Charging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.

    In some cases where an entity chooses generally to use the average cost method, or chooses a flat fee, as described above, for electronic copies of PHI maintained electronically, the entity may receive an unusual or uncommon type of request that it had not considered in setting up its fee structure. In these cases, the entity may wish to calculate actual costs to provide the requested copy, and it may do so as long as the costs are reasonable and only of the type permitted by the Privacy Rule. An entity that chooses to calculate actual costs in these circumstances still must—as in other cases—inform the individual in advance of the approximate fee that may be charged for providing the copy requested.

  • HIPAA Privacy Rule vs. State Fee Schedules

    Are costs authorized by State fee schedules permitted to be charged to individuals when providing them with a copy of their PHI under the HIPAA Privacy Rule?

    No, except in cases where the State authorized costs are the same types of costs permitted under 45 CFR 164.524(c)(4) of the HIPAA Privacy Rule, and are reasonable.  The bottom line is that the costs authorized by the State must be those that are permitted by the HIPAA Privacy Rule and must be reasonable.  The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual.  Thus, labor (e.g., for search and retrieval) or other costs not permitted by the Privacy Rule may not be charged to individuals even if authorized by State law.  Further, a covered entity’s fee for providing an individual with a copy of her PHI must be reasonable in addition to cost-based, and there may be circumstances where a State authorized fee is not reasonable, even if the State authorized fee covers only permitted labor, supply, and postage costs.  For example, a State-authorized fee may be higher than the covered entity’s cost to provide the copy of PHI.  In addition, many States with authorized fee structures have not updated their laws to account for efficiencies that exist when generating copies of information maintained electronically.  Therefore, these State authorized fees for copies of PHI maintained electronically may not be reasonable for purposes of 45 CFR 164.524(c)(4).

  • HIPAA Privacy Law vs. State Laws Requiring Greater Rights of Access

    A State law requires that a health care provider give individuals one free copy of their medical records but HIPAA permits the provider to charge a fee.  Does HIPAA override the State law?

    No, so the health care provider must comply with the State law and provide the one free copy.  In contrast to State laws that authorize higher or different fees than are permitted under HIPAA, HIPAA does not override those State laws that provide individuals with greater rights of access to their health information than the HIPAA Privacy Rule does.  See 45 CFR 160.202 and 160.203.  This includes State laws that: (1) prohibit fees to be charged to provide individuals with copies of their PHI; or (2) allow only lesser fees than what the Privacy Rule would allow to be charged for copies.

  • Disclosing Information to Third Parties

    When do the HIPAA Privacy Rule limitations on fees that can be charged for individuals to access copies of their PHI apply to disclosures of the individual’s PHI to a third party?

    The fee limits apply when an individual directs a covered entity to send the PHI to the third party.  Under the HIPAA Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy that covers only certain labor, supply, and postage costs that may apply in fulfilling the request.  See 45 CFR 164.524(c)(4).

  • Putting Fees Toward Outstanding Medical Bills

    May a health care provider withhold a copy of an individual’s PHI from the individual who requested it because the covered entity used the individual’s payment of the allowable fee for the copy to instead pay an outstanding bill for health care services provided to the individual?

    No.  Just as a covered entity may not withhold or deny an individual access to his PHI on the grounds that the individual has not paid the bill for health care services the covered entity provided to the individual, a covered entity may not withhold or deny access on the grounds that the covered entity used the individual’s payment of the fee for a copy of his PHI to offset or pay the individual’s outstanding bill for health care services.

  • Charging for Inspection of PHI

    Can an individual be charged a fee if the individual requests only to inspect her PHI at the covered entity (i.e., does not request that the covered entity produce a copy of the PHI)?

    No.  The fees that can be charged to individuals exercising their right of access to their PHI apply only in cases where the individual is to receive a copy of the PHI, versus merely being provided the opportunity to view and inspect the PHI.  The HIPAA Privacy Rule provides individuals with the right to inspect their PHI held in a designated record set, either in addition to obtaining copies or in lieu thereof, and requires covered entities to arrange with the individual for a convenient time and place to inspect the PHI.  See 45 CFR 164.524(c)(1) and (c)(2).  Consequently, covered entities should have in place reasonable procedures to enable individuals to inspect their PHI, and requests for inspection should trigger minimal additional effort by the entity, particularly where the PHI requested is of the type easily accessed onsite by the entity itself in the ordinary course of business.  For example, covered entities could use the capabilities of Certified EHR Technology (CEHRT) to enable individuals to inspect their PHI, if the individuals agree to the use of this functionality.

    Further, a covered entity may not charge an individual who, while inspecting her PHI, takes notes, uses a smart phone or other device to take pictures of the PHI, or uses other personal resources to capture the information.  If the individual is making the copies of PHI using her own resources, the covered entity may not charge a fee for those copies, as the copying is being done by the individual and not the entity.  A covered entity may establish reasonable policies and safeguards regarding an individual’s use of her own camera or other device for copying PHI to assure that equipment or technology used by the individual is not disruptive to the entity’s operations and is used in a way that enables the individual to copy or otherwise memorialize only the records to which she is entitled.  Further, a covered entity is not required to allow the individual to connect a personal device to the covered entity’s systems.

Ready to Test Your Knowledge? Take the Quiz!
Back To Top