The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights, has announced a $200,000 civil monetary penalty against Oregon Health & Science University (OHSU) for failing to provide timely access to an individual’s medical records, as required under the HIPAA Privacy Rule. The violation occurred after the individual’s personal representative requested the records in April 2019, but OHSU did not fully provide them until August 2021, over two years later. The HIPAA Privacy Rule mandates that individuals or their personal representatives receive timely access to health information, typically within 30 days, with a possible 30-day extension.
OCR initiated its investigation following a complaint in January 2021, marking the second complaint received regarding this issue. OHSU had previously been notified in September 2020 about potential noncompliance after a similar complaint in May 2020. Despite this, the institution failed to comply with the rule. In response, OCR issued a Notice of Proposed Determination in September 2024, and OHSU waived its right to a hearing, leading to the final imposition of the $200,000 penalty in December 2024.
At Greenlight, we recognize that timely access to patient records is essential for effective care management and decision making, and this case highlights the critical need for prompt access to medical information. That’s why we are dedicated to providing our partners with a timely experience, ensuring they have reliable and nearly immediate access to medical records whenever and wherever they are needed.
Read the full article: https://www.hhs.gov/about/news/2025/03/06/hhs-office-civil-rights-imposes-200000-penalty-against-oregon-health-science-university-failure-provide-timely-access-patient-records.html