HIPAA Fee Limitations for Record Requests

Health care providers and staff commonly receive medical record requests from current or former patients of their practice for a variety of reasons. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) allows for patients to request copies of their own records, with a few limitations, but notably, the regulations also limit the amount a provider may charge for responding to the records request. In short, the charged amount must be a reasonable, cost-based fee.

Federal regulation provides that individuals may have access to their own protected health information (“PHI”) upon making a request to their health care provider. The individual’s health care provider, or in some instances another covered entity or business associate, may charge a fee for producing PHI, however, this fee is subject to the limitations set forth in the Privacy Rule.

The Department of Health and Human Services (“HHS”) provides three methodologies for charging a reasonable, cost-based fee for responding to a record request:

Actual Costs. Actual labor costs may be calculated as long as the labor included is only for copying and the labor rates used are reasonable. Costs for search and retrieval of records may not be charged. Supplies or postage costs incurred may be added to the labor costs.

Average Costs. If a covered entity does not wish to calculate actual labor costs for each individual request, a schedule of costs for labor based on average labor costs may be utilized. Per-page fees may only be charged in limited circumstances.

Flat Fee for Electronic Copies of PHI Maintained Electronically. A flat fee may be charged for all requests for electronic copies of PHI provided that the flat fee not exceed $6.50, inclusive of all labor, supplies, and applicable postage.

When a health care provider chooses to charge any type of fee when responding to an individual’s request for PHI, the provider must inform individuals in advance of the approximate fee it will charge for responding to the request for PHI. HHS has published guidance on this issue, providing that “the failure to provide advance notice is an unreasonable measure that may serve as a barrier to the right of access.” Additionally, an individual may request that a covered entity provide a breakdown of the charges for labor, supplies, and postage that amount to the total fee charged. If such a request is made, the covered entity should provide this to the individual.

The Privacy Rule further requires that a covered entity respond to an individual’s request for PHI within 30 days of receipt of the request, unless an extension has been requested. To ensure consistency and compliance with these rules, a health care provider or practice should develop policies and procedures to address how their individual organization responds to records requests.

For more information about an Individual’s Right under HIPAA to access their health information, visit the HHS website at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

If you have received a records request and have additional questions about how to respond, please feel free to contact an attorney with BrownWinick’s Health Law practice group.