Question: Since patients’ rights to access their medical records continue to dominate the HHS Office for Civil Rights (OCR) enforcement activity, we had a question about state costs vs. federal costs for protected health information (PHI) requests. What should we do if our state law is different from HIPAA regarding fees that we may charge for providing patients with copies of their medical records? Should we follow the federal HIPAA regulations, or must we abide by our state law? Georgia Subscriber Answer: The answer depends on whether the state law provides individuals with greater rights of access to their PHI than the HIPAA Privacy Rule does, according to the Department of Health & Human Services (HHS). This would include state laws that: Example: If your state law requires healthcare providers to furnish individuals with one free copy of their medical records, even though HIPAA allows you to charge a fee, HIPAA does not override the state law. Conversely, HIPAA may trump costs authorized by state fee schedules. The HIPAA Privacy Rule allows you to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs associated with providing an individual with a copy of their PHI in the form and format that the individual agreed to or requested. With this in mind, you can charge state-authorized fees only if those fees are the same as the fees permitted by the HIPAA Privacy Rule and are reasonable. So if your state-authorized fee is higher than your cost to provide the copy of PHI, you cannot charge the state fee. Also, keep in mind that many states with authorized fee structures have not yet updated their laws to account for the efficiencies that now exist when generating copies of electronic PHI.