The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) fined Rio Hondo Community Mental Health Center in California $100,000 for failing to provide timely access to a patient’s medical records.
The OCR began investigating the mental health center after receiving a complaint from a patient who was repeatedly denied access to their medical records despite submitting multiple written and telephone requests in July and August 2020.
Although the patient eventually received the requested information, Rio Hondo took nearly seven months to fulfill the request, exceeding the 30 days HIPAA’s Privacy Rule permits.
Consequently, in July 2024, OCR issued a notice of proposed determination to impose a $100,000 fine. Rio Hondo waived its right to a hearing, did not contest OCR’s findings, and accepted the penalty.
“Patients should never be in the position of needing to request their own medical records over and over again before getting access to them,” said OCR Director Melanie Fontes Rainer.
She added, “Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”
HIPAA’s Privacy Rule grants patients the right to access their medical information within 30 days of a request, with the option for a 30-day extension under certain circumstances.
Furthermore, providers may charge only a reasonable, cost-based fee for fulfilling these requests.
Timely access to medical records upholds patient autonomy, allowing individuals to make informed decisions about their health and treatment options.
Patients have the right to access their health information, and healthcare practices must have the necessary processes and secure systems to meet these legal obligations.
Yes, HIPAA gives patients the right to request amendments to their medical records if they believe the information is inaccurate or incomplete.
When providers are HIPAA compliant, they demonstrate a commitment to safeguarding patient privacy, improving trust in the patient-provider relationship.
Providers must implement administrative, physical, and technical safeguards (like using Paubox email), conduct regular risk assessments, and provide staff training to maintain HIPAA compliance.