Healthcare Information Security


HHS Clarifies HIPAA Regulation Patient Right of Access Costs

HHS released clarifications on HIPAA regulations regarding how much covered entities can charge individuals for copies of their own PHI under the patient right of access rule.

By Jacqueline LaPointe

While HIPAA regulations state that patients have a right of access to their own health information, many individuals are left wondering just how much it will cost them to view their own PHI. Fortunately, the Department of Health and Human Services (HHS) has released a clarification on the permissible fees that covered entities can charge an individual for copies of their own health information.


According to the updated FAQ webpage, despite common belief, $6.50 is not the maximum amount that covered entities can charge patients for a copy of their health information. Covered entities, including business associates, are allowed to calculate their own fees, even for ePHI requests, as long as the fees are within the limits of HIPAA’s Privacy Rule.

“Charging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically,” stated the updated FAQ section.

Covered entities are permitted to estimate the average allowable cost for processing patient requests or maintain a schedule for typical allowable labor costs.

Under the HIPAA Privacy Rule, allowable costs are the charges associated with copying PHI, such as paper supplies, toner, electronic media, labor for creating an explanation of health information, and postage. Allowable labor costs include photocopying paper records, scanning PHI into electronic format, converting the format of PHI, transferring data to a web-based portal, or mailing and emailing.


However, as the healthcare industry becomes more digitized, more patients are requesting electronic copies of PHI. Covered entities that do not wish to calculate the labor and supply costs for providing ePHI can charge a flat fee of $6.50 or lower, which includes labor, supplies, and postage fees.

The updated FAQ section also noted that these rules are not as strict as some covered entities have previously believed. For uncommon requests, covered entities are allowed to vary the price of obtaining personal health records.

“In these cases, the entity may wish to calculate actual costs to provide the requested copy, and it may do so as long as the costs are reasonable and only of the type permitted by the Privacy Rule,” explained the FAQ section. “An entity that chooses to calculate actual costs in these circumstances still must—as in other cases—inform the individual in advance of the approximate fee that may be charged for providing the copy requested.”

HHS developed the patient right of access fact sheet to ensure that covered entities are not charging excessive amounts for patient access to PHI. The agency reported that health record copies should be given for free, but entities may charge for labor and supply costs associated with the request.

With the transition to value-based care, HHS explained that individuals may need more access to their own health information in order to improve patient-centered care. The agency released the clarifications to remind covered entities that socioeconomic status should not prevent any patient from receiving health record copies or transferring PHI to another healthcare organization.


“HIPAA’s right of access is critical to enabling individuals to take ownership of their health and well-being – but this core right is rendered meaningless when individuals cannot afford to pay the fees,” Director of the Office of Civil Rights Jocelyn Samuels wrote in a previous blog post.

“Today’s clarification moves us toward the health care ecosystem of the future, where the individual is at the center of his or her care and seamless communication of relevant health information takes place among patients, their families, and their health care providers.”

Additionally, some covered entities may find that the costs associated with the failure to provide requested PHI are much higher than $6.50.

Last week, four patients filed a HIPAA complaint against Myriad Genetics after the genetic testing company refused to give them a copy of complete lab results. Myriad Genetics had provided the individuals with cancer screening results regarding clinically significant genes, but denied them access to results involving benign genes.

The genetic testing company argued that the information was not part of the designated record set as defined under the Privacy Rule, which includes all PHI that can be used by a covered entity to make healthcare decisions.


After the individuals threatened legal action, Myriad Genetics released the requested health information, but maintained that it had not violated HIPAA Rules.

Healthcare technology is constantly evolving and PHI is taking on new shapes, but HHS has reminded the community that patient right of access rules are still applicable to all formats of health information. As patients request to view more PHI, such as genetic testing results, entities must be aware of what they can share, when they need to share it, and how much it will cost to fulfill patient requests.
