In early March of 2025, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that it had imposed a $200,000 civil monetary penalty (CMP) against Oregon Health & Science University (OHSU), a public academic center and research university, in December of 2024. Why? Because OCR found that OHSU violated an individual’s right to timely access her medical records through a personal representative. Details of the right of access civil monetary penalty are provided below.
HHS Imposes $200,000 HIPAA Right of Access Civil Monetary Penalty: A Representative Case
HIPAA’s Privacy Rule contains an “Access of individuals to protected health information” provision, known as the “right of access standard,” with a clear command: Individuals have a right of access to inspect and obtain a copy of protected health information about themselves that is maintained in a designated record set. A provider must generally act on a request for access no later than 30 days after receipt of the request. If the provider fails to do so, OCR may, upon receiving a complaint, investigate the noncompliance and may impose a right of access civil monetary penalty on that provider.
OCR initiated an investigation of OHSU based on a right of access complaint filed in January 2021 from the individual’s personal representative – the second complaint OCR received on this matter. In September 2020, OCR resolved the first complaint (received in May 2020) when OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions. Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records until August 2021, which was nearly a year after OHSU received OCR’s September 2020 letter, and sixteen months after the first request for records in April 2019. OCR’s investigation found that OHSU failed to take timely action in response to the right of access requests.
Some of the reasons OHSU gave for not providing the records in a timely manner:
- One of the Complainant’s requests did not contain a date. (Requests are not required to contain the date on which they are made.)
- On November 22, 2019, the Complainant (personal representative) faxed a request to OHSU for access to the patient’s PHI. OCR found this to be a valid request, and OHSU later admitted that the request was valid, but erroneously denied due to the personal representative’s failure to pay the invoice for the records request.
OHSU also tried to excuse the violation by blaming its business associate, to whom OHSU had assigned the records request, for the tardiness. OCR, in imposing the penalty, noted that it is covered entities, not business associates, who are responsible for ensuring timely action in response to right of access requests. As the right of access standard notes, “The covered entity must act on a request for access no later than 30 days after receipt of the request.” (In addition, OCR found, OHSU did not even inform the business associate that OHSU received a technical assistance letter from OCR, dated September 2, 2020, encouraging OHSU to assess and determine whether there may have been any noncompliance as alleged by the Complainant in the May 2020 complaint, and to take any steps necessary to ensure such noncompliance did not occur in the future.)
In September of 2024, OCR issued a Notice of Proposed Determination seeking to impose a $200,000 civil monetary penalty. OHSU waived its right to a hearing and did not contest OCR’s imposition of the CMP. Accordingly, in December 2024, OCR finalized its determination and imposed the $200,000 civil monetary penalty against OHSU.
“The HIPAA Privacy Rule requires that individuals and their personal representatives receive timely access to their medical records,” said OCR Acting Director Anthony Archeval in a press release announcing the CMP. “A covered entity’s responsibility to provide timely access continues, even when a covered entity contracts with a business associate to respond to HIPAA right of access requests.”
The enforcement action culminating in the right of access civil monetary penalty imposed against OHSU is the 53rd “right of access” enforcement action brought under OCR’s “Right of Access” enforcement initiative, announced in 2019 to strengthen compliance with the right of access standard.
HHS Imposes $200,000 HIPAA Right of Access Civil Monetary Penalty: Deja Vu All Over Again
OHSU has the distinction of being an OCR repeat customer. In 2016, OHSU entered into a settlement agreement with OCR for $2.7 million for the following conduct:
- From January 5, 2011, until July 3, 2013, OHSU disclosed electronic protected health information (ePHI), in violation of the Privacy Rule, to a third-party internet-based service provider (ISP) without obtaining a business associate agreement or other satisfactory assurance that the ISP would safeguard the ePHI.
- From January 5, 2011, until July 3, 2013, OHSU failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
- From 2010 through 2016, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise.
- From May 29, 2013, until July 3, 2013, OHSU failed to implement policies and procedures to address security incidents.
That settlement agreement contained a three-year corrective action plan.