HITECH Electronic Copy Right and Sale-of-PHI Prohibition
Two HITECH-era patient-rights expansions: the right to an electronic copy of EHR-resident PHI and the general prohibition on remuneration for PHI absent authorization.
Primary source
45 CFR 164.524(c)(2) and 164.502(a)(5) — eCFR →https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Two HITECH-era patient-rights changes implemented by the 2013 Omnibus Rule sit at the intersection of HITECH and the Privacy Rule.
Electronic copy right (45 CFR 164.524(c)(2)): when PHI is maintained electronically in a designated record set, the individual has the right to obtain a copy in the electronic form and format requested if readily producible, or in a readable electronic format otherwise agreed. The fee is limited to a reasonable, cost-based amount for labor and supplies. The right covers transmission to a third party at the individual's direction with the same fee constraints.
Sale of PHI prohibition (45 CFR 164.502(a)(5)(ii)): a covered entity or business associate may not receive direct or indirect remuneration in exchange for PHI without a valid authorization, with narrow exceptions (public health, research at cost, treatment and payment, sale or merger of the entity, business associate services, the individual's request, certain disclosures otherwise permitted with remuneration limited to cost).
The right-of-access electronic-copy expansion is the substantive driver behind OCR's Right of Access Initiative enforcement actions. Practices unable to produce an electronic copy in the requested format within 30 days remain the most common fact pattern in those settlements.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationHITECH Act Overview (Pub. L. 111-5, Title XIII)Title XIII of the American Recovery and Reinvestment Act amended HIPAA in 2009 to add breach notification, direct business associate liability, increased penalties, and the Meaningful Use program.
- RegulationHIPAA Authorization Requirements (45 CFR 164.508)Required elements and statements for a valid HIPAA authorization, plus the prohibition on combining authorizations with other documents in most circumstances.
- RegulationHIPAA Right of Access (45 CFR 164.524)Individuals have a right to inspect and obtain copies of their PHI in a designated record set, in the form and format requested when readily producible, within 30 days.
- ComplianceBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.
- GlossaryHIPAA Privacy RuleThe federal regulation at 45 CFR Part 164 Subpart E that governs the use and disclosure of PHI.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- ComplianceBusiness Associate Agreement Template (2026) + Counterparty TrackerA 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.
- ComplianceOhio Healthcare Compliance: Data Protection Act + State SpecificsOhio Data Protection Act (Ohio Rev. Code § 1354) vs HIPAA: the affirmative defense framework, named cybersecurity frameworks, and what Ohio breach notification adds.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.