OCR Fines Health Center $200,000 for HIPAA Right of Access Violation

On March 6, 2025, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $200,000 civil monetary penalty against a public academic health center and research university for violating an individual’s right to timely access her medical records through a personal representative.

OCR began its investigation based on a complaint filed in January 2021 by the individual’s personal representative, which was the second complaint received on the matter. The first complaint, filed in May 2020, was resolved in September 2020 when OCR notified the health center of potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s “Right of Access” provisions.

The health center provided part of the requested records in April 2019, but did not provide the full set of records until August 2021, nearly a year after OCR’s September 2020 letter and sixteen months after the initial request in April 2019. OCR’s investigation found that the health center did not act in a timely manner in response to the right of access requests.

In September 2024, OCR issued a Notice of Proposed Determination to impose the $200,000 civil monetary penalty. The health center waived its right to a hearing and did not contest the penalty. OCR finalized the penalty in December 2024.

“The HIPAA Privacy Rule requires that individuals and their personal representatives receive timely access to their medical records,” said OCR Acting Director Anthony Archeval. “A covered entity’s responsibility to provide timely access continues, even when a covered entity contracts with a business associate to respond to HIPAA right of access requests.”

Compliance Perspective

Issue

The HIPAA Privacy Rule’s “Right of Access” provisions require a HIPAA-covered entity (health plans and most healthcare providers) to give individuals or their personal representatives timely access to requested health information within 30 days, with the possibility of one 30-day extension, and for no more than a reasonable, cost-based fee.

Discussion Points

    • Review policies and procedures related to the HIPAA Privacy Rule’s Right of Access provisions. Ensure policies are up-to-date and specifically cover the requirements for timely access to health records and the handling of requests for copies of records.
    • Train staff on the HIPAA Privacy Rule, at a minimum upon hire, annually, and whenever updates or issues arise. Ensure that those responsible for processing record release requests are knowledgeable about the right of access provision, including the importance of timely responses to requests.
    • Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Use audit results to identify areas of improvement and report findings to the QAPI/QAA Committee.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*