Can an individual be charged a fee if the individual requests only to inspect her PHI at the covered entity (i.e., does not request that the covered entity produce a copy of the PHI)?

No. The fees that can be charged to individuals exercising their right of access to their PHI apply only in cases where the individual is to receive a copy of the PHI, versus merely being provided the opportunity to view and inspect the PHI. The HIPAA Privacy Rule provides individuals with the right to inspect their PHI held in a designated record set, either in addition to obtaining copies or in lieu thereof, and requires covered entities to arrange with the individual for a convenient time and place to inspect the PHI. See 45 CFR 164.524(c)(1) and (c)(2). Consequently, covered entities should have in place reasonable procedures to enable individuals to inspect their PHI, and requests for inspection should trigger minimal additional effort by the entity, particularly where the PHI requested is of the type easily accessed onsite by the entity itself in the ordinary course of business. For example, covered entities could use the capabilities of Certified EHR Technology (CEHRT) to enable individuals to inspect their PHI, if the individuals agree to the use of this functionality.

Further, a covered entity may not charge an individual who, while inspecting her PHI, takes notes, uses a smart phone or other device to take pictures of the PHI, or uses other personal resources to capture the information. If the individual is making the copies of PHI using her own resources, the covered entity may not charge a fee for those copies, as the copying is being done by the individual and not the entity. A covered entity may establish reasonable policies and safeguards regarding an individual’s use of her own camera or other device for copying PHI to assure that equipment or technology used by the individual is not disruptive to the entity’s operations and is used in a way that enables the individual to copy or otherwise memorialize only the records to which she is entitled. Further, a covered entity is not required to allow the individual to connect a personal device to the covered entity’s systems.