The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), just announced a $200,000 civil monetary penalty against Oregon Health & Science University (OHSU), a public academic health center and research university. OCR accused OHSU of violating an individual’s right to timely access her medical records through a personal representative, citing violations of the Health Insurance Portability and Accountability Act (HIPAA).
The “Right of Access” provisions of HIPAA’s Privacy Rule require that individuals or their personal representatives receive timely access to health information requested from a HIPAA covered entity (health plans and most health care providers): within 30 days, with the possibility of one 30-day extension, and for a reasonable, cost-based fee.
OCR enforces the HIPAA Privacy Rule, which establishes national standards to protect individuals’ medical records; sets limits and conditions on the uses and disclosures of protected health information; and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.
Right of Access denial alleged
OCR initiated an investigation of OHSU based on a complaint filed in January 2021 by the individual’s personal representative, and OCR said this was the second complaint it had received in this matter.
In September 2020, OCR resolved the first complaint (received in May 2020) when OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions.
Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records until August 2021, which was nearly a year after OHSU received OCR’s September 2020 letter, and 16 months after the first request for records in April 2019. OCR said its investigation uncovered the fact that OHSU failed to take timely action in response to the right of access requests.
In September 2024, OCR issued a Notice of Proposed Determination seeking to impose the $200,000 civil monetary penalty, and OHSU waived its right to a hearing and did not contest OCR’s imposition of a civil monetary penalty.
The HIPAA Privacy Rule
“The HIPAA Privacy Rule requires that individuals and their personal representatives receive timely access to their medical records,” said OCR Acting Director Anthony Archeval in the HHS press release. “A covered entity’s responsibility to provide timely access continues, even when a covered entity contracts with a business associate to respond to HIPAA right of access requests.”
OCR has increased its HIPAA enforcement activities in recent years and is imposing more financial penalties for HIPAA violations, the HIPAA Journal reports.
OCR has launched two enforcement initiatives since 2019: the initiative targeting noncompliance with the HIPAA Right of Access (at issue in this case), and (as recently as early January 2025) an initiative targeting noncompliance with the risk analysis performed as part of the HIPAA Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.
In its latest tally (dated October 31, 2024) OCR said it has settled or imposed a civil money penalty in 152 cases resulting in a total dollar amount of $144,878,972.00.