Can We Charge for Medical Records? A Guide to HIPAA's Rules on Fees for Access (45 CFR § 164.524(c)(4))
Executive Summary
Patients have the right under HIPAA to access their medical records, and providers may charge a fee but only under strict limitations. Section 164.524(c)(4) permits covered entities to impose a reasonable, cost-based fee for copies of protected health information (PHI), but not for verification, search, or handling. For small practices, understanding what can (and cannot) be charged is essential for compliance and for avoiding enforcement actions by the Office for Civil Rights (OCR). This guide breaks down what HIPAA allows, what HHS clarifies, and how to calculate fees legally and transparently.
Introduction
“Can I charge a patient for their records?” is one of the most common, and misunderstood questions from small healthcare providers.
Patients often request copies of their health records for second opinions, personal use, or transfers. HIPAA requires that covered entities provide access to PHI in a timely manner. While providers may charge a fee, HIPAA
strictly limits what can be included in that fee.
This guide explains what Section 164.524(c)(4) allows regarding charging for copies of medical records, the three approved fee calculation methods, and how to stay compliant in everyday practice.
What Does HIPAA Say About Charging for Records?
Under 45 CFR § 164.524(c)(4), a provider may charge a fee only if:
- The fee is reasonable and cost-based
- It covers only labor for copying, supplies, and postage
- The form and format requested by the patient are taken into account
- No charge is made for tasks like retrieval, verification, or searching for the records
This rule applies whether the request is made by the patient directly or by a third party on behalf of the patient.
Importantly, HIPAA preempts state law when it comes to setting fees that exceed federal limits.
Permitted Components of a Cost-Based Fee
According to HHS guidance, the following costs may be included in the fee:
- Labor for copying the PHI, whether paper or electronic
- Supplies, such as paper or portable media (CD, USB)
- Postage for mailing records at the patient’s request
- Preparation of a summary (only if agreed to by the patient)
What may not be included:
- Labor to locate, retrieve, or verify the records
- Costs of maintaining systems or infrastructure
- Overhead costs (electricity, IT, storage)
- Flat fees that exceed limits for digital copies
Three Methods to Calculate Fees (as per HHS Guidance)
1. Actual Cost Calculation
Providers may calculate the exact labor and supply costs for each request.
- Requires documentation of staff time, hourly wages, and materials
- Offers flexibility but is complex to implement consistently
2. Average Cost Schedule
Providers may set a standard fee schedule based on average labor and supply costs.
- Easier to administer than actual cost
- Must be regularly updated and documented
- Should be reasonable across different record formats
Example:
Electronic PDF by email: $6.50 flat
Paper copies: $0.25 per page + $5 labor
3. Flat Fee Option (for electronic copies only)
HHS allows a flat fee of no more than $6.50 for electronic copies of PHI maintained electronically.
- Applies to patient requests for e-delivery (e.g., secure email, patient portal)
- Includes labor, supplies, and postage
- Cannot be exceeded unless actual or average cost method is used and documented
Real-World Case Study: Charging Excessive Fees
In 2019, a small pediatric clinic was investigated after a parent filed a complaint stating they were charged $45 for a digital copy of their child’s medical record.
OCR found that the clinic:
- Used a third-party copy service with outdated per-page fees
- Did not distinguish between patient and third-party requests
- Had no fee calculation documentation
The clinic was required to:
- Refund overcharged patients
- Eliminate third-party fee practices for direct access requests
- Implement a compliant fee schedule with staff training
Lesson: Failing to follow HIPAA’s cost-based standard even unintentionally can result in federal enforcement, public scrutiny, and corrective action.
Requests from Third Parties vs. Direct Patient Requests
HIPAA’s fee limitations apply only when the patient or their personal representative requests access to PHI.
Requests that fall under the right of access include:
- Patient asks for records sent to themselves
- Patient asks for records sent to a designated third party
- Patient asks for records via email or portable media
These are not subject to higher third-party reproduction fees.
In contrast, subpoenas or insurance company requests made for business or legal purposes not patient-directed may follow state rules, including higher fees.
Frequently Asked Questions About Charging for PHI
Can I charge per page?
Yes for paper copies but only if:
- Your fee is cost-based (not a state-imposed statutory rate)
- It reflects actual or average cost
- You do not charge per page for electronic records
What if the patient wants a CD or USB?
You may include the cost of the media and labor to copy it, but not administrative overhead. Always offer free email or portal delivery if available.
Can I charge for mailing records?
Yes, but only actual postage costs, not handling or packaging fees.
Can I refuse to release records if fees are unpaid?
Yes but only for previous requests. You cannot withhold current requested records due to unpaid balances from earlier access requests.
Checklist for HIPAA-Compliant Access Fees
| Task | Responsible Party | Frequency |
|---|---|---|
| Develop a written fee schedule for records | Compliance Officer | Annual |
| Limit fees to cost-based items only | Billing Dept. | Ongoing |
| Train staff on proper application of fees | Office Manager | Bi-Annual |
| Offer flat $6.50 option for e-records | Records Coordinator | Always |
| Maintain documentation of average cost calculations | Privacy Officer | Annual |
| Review contracts with copy services for compliance | Administrator | Annual |
Practical Tip: Post Fee Policies Publicly
To improve transparency and reduce disputes, consider posting your access fee schedule on:
- Your website
- Patient portal
- Reception area or forms desk
Sample notice:
“You have the right to access your medical records. We provide electronic copies by email or portal for a flat $6.50. Paper copies are charged based on actual cost, never exceeding HIPAA guidelines.”
Common Pitfalls When Charging for Medical Records Under HIPAA
- Prohibited fees
→ Fix: Charge only for copying labor, supplies, and postage. No search or retrieval fees. - Overcharging for electronic copies
→ Fix: Offer flat fee ≤ $6.50 for e-records delivered electronically. No per-page rates for PDFs. - Misapplying third-party rates to patients
→ Fix: Apply HIPAA’s lower cost limits to all patient-directed requests, even if sent to others. - No fee documentation
→ Fix: Keep a written fee schedule with breakdowns of how costs are calculated. - Withholding due to old debts
→ Fix: You can’t deny new records because of unpaid fees for past requests. - Poor transparency
→ Fix: Clearly post and explain your fees and patient rights to avoid confusion.
Authoritative Guidance and References
Final Takeaways
You can charge a patient for access to their PHI, but only if your fees meet HIPAA’s narrow cost-based criteria. Forgetting this detail or relying on outdated third-party fee structures can expose your practice to federal
complaints and reputational harm.
To comply with § 164.524(c)(4):
- Use only labor, supplies, and postage in your fee
- Offer the flat $6.50 option for e-delivery
- Document your cost calculation methods
- Train staff to distinguish between patient and legal requests
- Post clear notices of access rights and fees
Patients don’t expect free records, but they do expect fairness and transparency. By following the rules, you protect both their rights and your practice.