OHSU fined $200k for delayed patient records in HIPAA crackdown
Farah Amod
Mar 12, 2025 7:25:28 PM
Oregon Health & Science University (OHSU) faces a $200,000 fine for delaying patient records, marking yet another HIPAA Right of Access enforcement.
What happened
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $200,000 civil monetary penalty on Oregon Health & Science University (OHSU) for failing to provide a patient’s personal representative with timely access to medical records. The penalty marks OCR’s 53rd enforcement action under the HIPAA Right of Access initiative, which aims to ensure that individuals can obtain their health records without unnecessary delays.
Going deeper
Under the HIPAA Privacy Rule, healthcare providers must provide requested medical records within 30 days, with an optional 30-day extension under certain conditions. OCR enforces these rules to ensure patient rights are upheld, even when healthcare providers rely on third-party business associates to handle access requests.
OCR launched an investigation into OHSU following a January 2021 complaint from the personal representative of a patient. This was the second complaint regarding the issue, with the first filed in May 2020. OHSU had partially provided the requested records in April 2019 but failed to fully comply until August 2021, which was 16 months after the initial request.
OCR had previously notified OHSU in September 2020 of potential noncompliance, yet the issue persisted. As a result, in September 2024, OCR issued a Notice of Proposed Determination, seeking to impose the fine. OHSU waived its right to contest the penalty, and OCR finalized the $200,000 penalty in December 2024.
What was said
OCR Acting Director Anthony Archeval stated that healthcare providers must comply with HIPAA’s Right of Access requirements, regardless of whether they outsource records management. He stated, “A covered entity’s responsibility to provide timely access continues, even when a covered entity contracts with a business associate to respond to HIPAA right of access requests.”
The big picture
Regulators are making it clear that healthcare providers cannot afford to treat patient records as an afterthought. Access to medical information is not just a regulatory requirement but a fundamental patient right. Delays in providing records can disrupt treatment, create legal issues, and erode trust in the healthcare system. Increased enforcement actions reflect a growing expectation that organizations take compliance seriously. Relying on third-party vendors does not remove accountability, and failing to meet deadlines can lead to financial penalties and reputational damage.
FAQs
Who enforces HIPAA’s Right of Access rules?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA’s Right of Access regulations.
How are HIPAA penalties determined?
OCR assesses fines based on factors like the severity of the violation, the duration of noncompliance, and whether the provider took corrective action after being notified.
What should patients do if they face delays in accessing their records?
Patients can file a complaint with OCR if their healthcare provider fails to provide records within the required timeframe.
Has OHSU faced HIPAA violations before?
While this case pertains specifically to Right of Access violations, OHSU has previously faced HIPAA-related enforcement actions, including past data breaches.
What steps can healthcare providers take to avoid similar fines?
Providers should implement clear policies for record requests, regularly audit compliance, and ensure third-party vendors adhere to HIPAA requirements.