Are costs authorized by State fee schedules permitted to be charged to individuals when providing them with a copy of their PHI under the HIPAA Privacy Rule?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

No, except in cases where the State authorized costs are the same types of costs permitted under 45 CFR 164.524(c)(4) of the HIPAA Privacy Rule, and are reasonable. The bottom line is that the costs authorized by the State must be those that are permitted by the HIPAA Privacy Rule and must be reasonable. The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Thus, labor (e.g., for search and retrieval) or other costs not permitted by the Privacy Rule may not be charged to individuals even if authorized by State law. Further, a covered entity’s fee for providing an individual with a copy of her PHI must be reasonable in addition to cost-based, and there may be circumstances where a State authorized fee is not reasonable, even if the State authorized fee covers only permitted labor, supply, and postage costs. For example, a State-authorized fee may be higher than the covered entity’s cost to provide the copy of PHI. In addition, many States with authorized fee structures have not updated their laws to account for efficiencies that exist when generating copies of information maintained electronically. Therefore, these State authorized fees for copies of PHI maintained electronically may not be reasonable for purposes of 45 CFR 164.524(c)(4).