Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Rio Hondo Community Mental Health Center (“Rio Hondo”) in California. The penalty resolves an investigation into Rio Hondo’s failure to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) for a reasonable, cost-based fee. OCR enforces the HIPAA Privacy Rule, which establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.

“Patients should never be in the position of needing to request their own medical records over and over again before getting access to them,” said OCR Director Melanie Fontes Rainer. “Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”

OCR launched an investigation after receiving a complaint from a patient who was not given timely access to their medical records despite multiple requests in writing and by telephone. OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them. The patient made multiple telephone calls in July and August 2020 regarding the status of their request but still did not receive the requested records. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule. In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. As a result of OCR’s investigation, the patient received their records in 2020.

The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-proposed-determination/index.html

The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-final-determination/index.html

OCR’s guidance on the HIPAA right of access is available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. 

Create HIPAA policy for Patients’ Rights to Access PHI and its Procedure