HIPAA established a fundamental right for individuals to access their health information. The Right of Access, set out in the HIPAA Privacy Rule, requires that individuals or their personal representatives be able to inspect and obtain a copy of their protected health information (PHI) from HIPAA covered entities in a timely manner. The provision is not only a requirement; it also serves as a basis for patient empowerment, enabling individuals to better understand their health, make informed decisions about their care, and coordinate effectively with healthcare providers.
Timely access has many benefits, including empowering individuals. Professor of Law Barbara J. Evans states in her published article in The American Journal of Human Genetics, “Empowered by access to their data, people with rare variants of unknown significance can and do use social media to locate others with that same variant and assemble cohorts to help researchers clarify its significance. They can petition Congress to dedicate more resources to study their variant of interest. Blocking people’s access to their genomic data has the potential to deprive them of these and other constitutional rights.”
However, the obligation of covered entities to provide this access is not without its challenges, and failure to do so can result in significant repercussions. A recent enforcement action by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) against Oregon Health & Science University (OHSU) serves as a stark reminder of the importance of adhering to the timeliness requirements of the HIPAA Right of Access and the potential penalties for non-compliance.
The HIPAA Privacy Rule’s Right of Access provision (45 CFR § 164.524) requires covered entities (health plans and most healthcare providers) to provide individuals or their personal representatives with access to their requested health information within 30 days of the request. Recognizing that complexities can arise, the rule allows for a single extension of up to 30 additional days, but this should be the exception rather than the norm and must be properly documented. Furthermore, covered entities are permitted to charge a reasonable, cost-based fee for providing copies of the records.
It is important to understand that the Right of Access encompasses more than just handing over documents. It includes the right to inspect the information, to receive a copy in the format requested (if readily producible), and to have the information directed to a third party. The emphasis on "timely" access shows that this right is intended to be meaningful and to support individuals in their healthcare journey without delay.
The recent OCR enforcement action against OHSU, resulting in a $200,000 civil monetary penalty, illustrates the consequences of failing to provide timely access to patient records. The case originated from a complaint filed in January 2021 by an individual’s personal representative, which was actually the second complaint OCR had received regarding this matter.
The timeline reveals a significant delay in OHSU’s response. The initial request for records was made in April 2019. While OHSU provided a portion of the requested records in April 2019, the remaining records were not furnished until August 2021 – a full sixteen months after the initial request. The delay persisted even after OCR had notified OHSU of its potential noncompliance in September 2020, following the first complaint received in May 2020.
The OCR’s investigation concluded that OHSU failed to take timely action in response to the Right of Access requests. Notably, the OCR Acting Director, Anthony Archeval, emphasized that a covered entity’s responsibility to provide timely access continues even when the entity contracts with a business associate to respond to these requests. Outsourcing a task does not exempt the covered entity from its legal obligation to ensure timely fulfillment.
In September 2024, OCR issued a Notice of Proposed Determination seeking the $200,000 penalty. OHSU ultimately waived its right to a hearing and did not contest the penalty, which was finalized in December 2024.
The OCR's commitment to enforcing the HIPAA Right of Access is further demonstrated by a settlement agreement reached with South Broward Hospital District d/b/a Memorial Healthcare System (MHS) in December 2024. This case did not end in the civil monetary penalty that was initially proposed, but it indicates the seriousness with which the OCR views delays in providing patients access to their medical records.
The OCR initiated an investigation following a complaint received in June 2021. The complaint alleged that a patient ("Complainant") had requested specific medical records, an EEG tracing, from MHS on April 26, 2021, and had not received them by the time of the complaint.
OCR's investigation revealed that the Complainant had made multiple requests for the same records. The initial request was submitted via MHS's patient portal on December 30, 2020. This was followed by another request through the patient portal on April 25, 2021, and a mailed request on April 26, 2021. A follow-up request was also made via the patient portal on May 23, 2021. Despite these multiple attempts spanning several months, the Complainant did not receive the requested EEG tracing until September 29, 2021, and only after the OCR had initiated its investigation. Notably, MHS had provided the Complainant with the same records on a prior occasion, indicating its ability to fulfill the request. Nevertheless, MHS failed to respond to the December 30, 2020 request and subsequent follow-ups in a timely manner.
In November 2022, OCR notified MHS of preliminary findings of noncompliance with the Privacy Rule’s right of access standard, which requires action on a request within 30 days of receipt. OCR initially proposed a civil monetary penalty of $100,000 in July 2024 for this failure. However, MHS requested a hearing to contest the penalty. Ultimately, to resolve the case before a hearing, MHS entered into a settlement agreement with OCR, agreeing to pay $60,000.
This settlement, while lower than the initially proposed penalty, still demonstrates the OCR’s firm stance on ensuring timely patient access to health information. The repeated requests from the patient and the significant delay in providing the records, even for information previously provided, underscore the importance of having efficient and responsive systems in place to handle Right of Access requests.
While avoiding financial penalties is a clear incentive for compliance, the importance of timely access to medical records extends far beyond regulatory obligations. Providing individuals with prompt access to their health information offers numerous benefits for patient care and empowerment:
According to Barbara J. Evans, when individuals have access to their medical records, it helps society as a whole because it enables them to make informed decisions about participating in research studies.
Despite the clear mandate, healthcare organizations can encounter various challenges in fulfilling Right of Access requests in a timely manner. Some of these challenges may include:
To navigate these challenges and ensure they meet their obligations under the HIPAA Right of Access, healthcare organizations should consider implementing the following best practices:
In limited circumstances, a provider can deny access. These include situations where the request could endanger the patient or others, if the records pertain to ongoing litigation, or if the information was obtained from a confidential source. However, denials must be documented and are subject to review.
Organizations must verify the legal authority of the individual making the request. If the legal documentation confirms their authority to act as the patient's personal representative, they should be granted access to the patient's PHI, consistent with the Right of Access.
Patients can file a complaint with the HHS OCR if they believe their right to access their medical records has been violated.