Key Takeaways
- OCR continues to take enforcement action where hospitals fail to provide timely access to protected health information (PHI), here imposing a $200,000 civil monetary penalty (CMP).
- HIPAA-regulated entities may be held responsible for the actions of their business associates if business associates do not comply with patients’ and/or their personal representatives’ requests for timely access to PHI.
On March 6, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an enforcement action against Oregon Health & Science University (OHSU) for alleged violations of the HIPAA Privacy Rule. Specifically, OHSU failed to provide an individual’s personal representative with timely access to the individual’s PHI.
Background on HIPAA Right of Access Initiative
The HIPAA Privacy Rule sets standards to protect individuals’ health information, establishes parameters and conditions on the uses and disclosures of PHI, and grants certain rights to individuals and/or their personal representatives, including the right to access and obtain a copy of PHI maintained in a designated record set. A covered entity is required to provide access within 30 days of receiving a request from an individual or their personal representative, subject to one 30-day extension in certain circumstances. Since the launch of the Right of Access Initiative in 2019, OCR has focused a subset of its enforcement efforts on the provision of access to PHI in a timely manner and at a reasonable cost. The Right of Access Initiative remains an active enforcement area; this is the second Right of Access enforcement action announced in 2025, and the 53rd overall.
Enforcement Action against OHSU
OCR imposed a $200,000 CMP against OHSU, a public academic health center and research university, for its failure to provide a patient’s personal representative with timely access to the patient’s records.
After receiving services at OHSU, the patient’s personal representative requested access to the patient’s records on April 24, 2019. On April 29, 2019, OHSU’s business associate provided a portion of the requested records. In November 2019, the patient’s attorney requested the patient’s records from OHSU twice and received two denials from OHSU’s business associate based on the lack of a date and the failure to pay the invoice for the records request. After follow-up requests in November 2019 and May 2020, OHSU provided another incomplete set of the patient’s records on May 29, 2020.
The patient’s attorney submitted a complaint to OCR on May 20, 2020. OCR provided technical assistance to OHSU regarding OHSU’s obligations under HIPAA’s Right of Access provision and closed the complaint on September 2, 2020, advising OHSU to evaluate whether there may have been any HIPAA noncompliance related to the access requests and to take necessary steps to prevent any future noncompliance.
On January 27, 2021, the patient’s attorney filed a second complaint with OCR alleging that the patient still had not received a copy of her medical records from OHSU. OCR provided OHSU with notice of the second complaint on August 12, 2021. Following this notice, OHSU provided all requested medical records to the patient.
On July 24, 2023, OCR issued a Letter of Opportunity (LOO) notifying OHSU that OCR had found indications of noncompliance with HIPAA and offering OHSU an opportunity to submit written evidence of any mitigating factors or affirmative defenses. OHSU provided a written response; however, OCR determined that the response did not provide a basis for an affirmative defense. OCR found that the technical assistance letter it had sent OHSU in connection with the first complaint gave OHSU enough information to put it on notice of its potential noncompliance with HIPAA. OHSU did not correct the potential noncompliance within 30 days of receipt of the letter (the requested medical records were provided 329 days after receipt of the letter). Further, OHSU attempted to shift responsibility to its business associate. This was not a sufficient affirmative defense because, under the Privacy Rule, covered entities, not business associates, are responsible for ensuring timely action in response to right of access requests.
OCR issued a Notice of Proposed Determination seeking to impose a $200,000 CMP against OHSU. While entities have the right to a hearing before an administrative law judge to challenge proposed determinations, OHSU failed to request a hearing within ninety (90) days of receipt of the Notice of Proposed Determination. Therefore, the Notice of Proposed Determination became final on December 13, 2024.
Lessons Learned
OCR continues to prioritize its ongoing Right of Access Initiative. While Right of Access enforcement actions often involve financial settlements and corrective action plans, the OHSU matter is an example of a covered entity seemingly agreeing to pay a CMP, possibly to avoid what can be the costly and time-intensive process of negotiating a settlement with OCR and complying with the requirements of an often multi-year corrective action plan.
Covered entities and business associates should take seriously any initial communications with OCR, including technical assistance letters, and correct any potential noncompliance noted by OCR to possibly avoid CMPs or other enforcement. Covered entities also should ensure that their administrative and support staff are properly trained on how to timely respond to requests for records from patients or their personal representatives, even when contracting with a business associate to respond to record requests. Covered entities have the responsibility under HIPAA to provide timely access regardless of whether they have contracted with a business associate, but covered entities should emphasize these requirements to business associates when entering into business associate agreements and throughout the course of the relationship with such business associates.
For more information on the content of this alert, please contact your Nixon Peabody attorney or the authors of this article.