$200,000 Penalty Paid by Oregon Health & Science University for HIPAA Right of Access Violation

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued the second financial penalty for 2025 to settle a HIPAA Rules violation. Oregon Health & Science University (OHSU) was required to pay a civil monetary penalty of $200,000 for not providing prompt access to a patient’s complete health information.

The HIPAA Privacy Rule gives people the right to access their healthcare information, in particular to obtain a copy of their medical records. When a request is made, a HIPAA-covered entity has 30 days from the date of receiving the request to provide those records. A 30-day extension may be allowed in some instances. When a person requests an easily producible electronic copy of their data, the data should be provided electronically in the requested format. HIPAA-covered entities can bill individuals for that information, but may only charge a reasonable, cost-based fee. At the end of 2019, OCR launched a new enforcement initiative focusing on HIPAA Right of Access non-compliance. Over 50 investigations have led to negotiations or civil monetary penalties.

In this instance, OCR investigated after receiving a complaint from a patient’s representative in January 2021. She alleged that she did not receive a complete set of the patient’s information. The initial request for that information was faxed to OHSU on April 24, 2019. Through its vendor, Diversified Business Services Inc., OHSU provided some of the requested data five days later, on April 29, 2019. On November 12, 2019, OHSU received another request, but it was mistakenly denied because the request lacked the date. The complainant was advised of the denial on November 21, 2019.

OHSU received another request on November 22, 2019, but it was rejected because of the complainant’s inability to pay the record request invoice. OHSU provided part of the data in December 2019. On May 20, 2020, OHSU received another request, and on May 29, 2020, it provided partial records. The personal representative also filed a complaint with OCR on May 20, 2020. Still, the requested records were not received. On July 24, 2020, OHSU received another request for a copy of the person’s complete records, but that request was mistakenly rejected.

OCR closed the complaint on September 2, 2020, after it gave OHSU technical assistance on HIPAA Right of Access compliance. The personal representative submitted a second complaint to OCR on January 27, 2021, because no complete copy of the records had been provided. OCR notified OHSU of the second complaint on August 12, 2021. After that, the complainant received the records from OHSU on August 26, 2021, and some additional data was provided on September 29, 2021.

By the time the requested records were made available, 16 months had passed since the initial request and OCR had intervened twice. OHSU had the chance to resolve the alleged HIPAA Right of Access violation in private, but did not do so. Hence, OCR imposed a civil monetary penalty. A HIPAA-covered entity remains responsible for providing prompt access to data, even if it uses a business associate to respond to HIPAA right of access requests.

This is OCR’s second HIPAA penalty imposed under the Trump administration. In January, Warby Parker Inc. paid a $1.5 million civil monetary penalty to resolve multiple HIPAA Security Rule violations.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA