Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $200,000 civil monetary penalty against Oregon Health & Science University (OHSU), a public academic health center and research university, for failing to comply with an individual’s right to timely access her medical records through a personal representative.
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s “Right of Access” provisions, individuals or their personal representatives are entitled to timely access to their health information. Covered entities, such as health plans and most healthcare providers, must provide requested records within 30 days, with the possibility of a single 30-day extension, and may charge a reasonable, cost-based fee. The OCR enforces the HIPAA Privacy Rule, which sets national standards to safeguard medical records, limits the use and disclosure of protected health information, and grants individuals specific rights, including the right to access and obtain copies of their health records promptly.
“The HIPAA Privacy Rule mandates that individuals and their personal representatives receive timely access to their medical records,” stated OCR Acting Director Anthony Archeval. “This obligation persists even when a covered entity delegates the task of responding to HIPAA right of access requests to a business associate.”
OCR launched an investigation into OHSU following a complaint filed in January 2021 by the individual’s personal representative—marking the second complaint OCR received on this issue. In September 2020, OCR had resolved the first complaint (received in May 2020) by notifying OHSU of its potential noncompliance with the Privacy Rule’s Right of Access provisions. Although OHSU provided a portion of the requested records in April 2019, it failed to furnish the complete set of records until August 2021—nearly a year after OCR’s September 2020 notification and 16 months after the initial request in April 2019. OCR’s investigation concluded that OHSU did not take timely action to fulfill the right of access requests.
In September 2024, OCR issued a Notice of Proposed Determination to impose a $200,000 civil monetary penalty. OHSU chose not to contest the penalty and waived its right to a hearing. As a result, in December 2024, OCR finalized its decision and enforced the $200,000 penalty against OHSU.
The Notice of Proposed Determination may be found at: https://www.hhs.gov/sites/default/files/oregon-health-science-university-npd.pdf.
The Notice of Final Determination may be found at: https://www.hhs.gov/sites/default/files/oregon-health-science-university-nfd.pdf.