Oregon Health & Science University (OHSU) faces a $200,000 fine for delaying patient records, marking yet another HIPAA Right of Access enforcement.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $200,000 civil monetary penalty on Oregon Health & Science University (OHSU) for failing to provide a patient’s personal representative with timely access to medical records. The penalty marks OCR’s 53rd enforcement action under the HIPAA Right of Access initiative, which aims to ensure that individuals can obtain their health records without unnecessary delays.
Under the HIPAA Privacy Rule, healthcare providers must provide requested medical records within 30 days, with an optional 30-day extension under certain conditions. OCR enforces these rules to ensure patient rights are upheld, even when healthcare providers rely on third-party business associates to handle access requests.
OCR launched an investigation into OHSU following a January 2021 complaint from the personal representative of a patient. This was the second complaint regarding the issue, with the first filed in May 2020. OHSU had partially provided the requested records in April 2019 but failed to fully comply until August 2021, which was 16 months after the initial request.
OCR had previously notified OHSU in September 2020 of potential noncompliance, yet the issue persisted. As a result, in September 2024, OCR issued a Notice of Proposed Determination, seeking to impose the fine. OHSU waived its right to contest the penalty, and OCR finalized the $200,000 penalty in December 2024.
OCR Acting Director Anthony Archeval stated that healthcare providers must comply with HIPAA’s Right of Access requirements, regardless of whether they outsource records management. He said, “A covered entity’s responsibility to provide timely access continues, even when a covered entity contracts with a business associate to respond to HIPAA right of access requests.”
Regulators are making it clear that healthcare providers cannot afford to treat patient records as an afterthought. Access to medical information is not just a regulatory requirement but a fundamental patient right. Delays in providing records can disrupt treatment, create legal issues, and erode trust in the healthcare system. Increased enforcement actions reflect a growing expectation that organizations take compliance seriously. Relying on third-party vendors does not remove accountability, and failing to meet deadlines can lead to financial penalties and reputational damage.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA’s Right of Access regulations.
OCR assesses fines based on factors like the severity of the violation, the duration of noncompliance, and whether the provider took corrective action after being notified.
Patients can file a complaint with OCR if their healthcare provider fails to provide records within the required timeframe.
While this case pertains specifically to Right of Access violations, OHSU has previously faced HIPAA-related enforcement actions, including past data breaches.
Providers should implement clear policies for record requests, regularly audit compliance, and ensure third-party vendors adhere to HIPAA requirements.