
Oregon Health & Science University Pays $200,000 Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed its second financial penalty of the year to resolve a violation of the HIPAA Rules. Oregon Health & Science University (OHSU) has been ordered to pay a $200,000 civil monetary penalty for failing to provide timely access to a patient’s full medical records.

The HIPAA Privacy Rule gives individuals rights over their healthcare data, one of which is the right of an individual to obtain a copy of their health records. If requested, a HIPAA-regulated entity must provide those records within 30 days of the request being received, although there is a possibility of a 30-day extension in certain circumstances. If an individual requests an electronic copy of their records, the records must be provided electronically if they are readily producible in the requested format. HIPAA-regulated entities are permitted to charge individuals for providing those records, but may only charge a reasonable, cost-based fee. In late 2019, OCR launched a new enforcement initiative targeting non-compliance with the HIPAA Right of Access, and more than 50 investigations have resulted in settlements or civil monetary penalties.

In this case, OCR initiated an investigation in response to a January 2021 complaint from the personal representative of a patient, who had not been provided with a complete set of the patient’s records. The initial request for those records was faxed to OHSU on April 24, 2019. OHSU, via its vendor Diversified Business Services Inc., provided some of the requested records five days later, on April 29, 2019. A second request was sent to OHSU on November 12, 2019; however, the request was erroneously denied due to the lack of a date on the request. The complainant was informed of the denial on November 21, 2019.

A further request was sent to OHSU on November 22, 2019; however, the request was also denied, this time due to the complainant’s failure to pay the invoice for the record request. Partial records were provided by OHSU in December 2019. Another request was sent to OHSU on May 20, 2020, and on May 29, 2020, partial records were provided. The personal representative also filed a complaint with OCR on May 20, 2020, after still not having been provided with all of the requested records. Another request was sent to OHSU on July 24, 2020, for a copy of the individual’s full records; however, that request was erroneously denied.


OCR closed the complaint on September 2, 2020, after providing OHSU with technical assistance on HIPAA Right of Access compliance. The personal representative filed a second complaint with OCR on January 27, 2021, as a complete copy of the requested records had still not been provided. OCR notified OHSU about the second complaint on August 12, 2021, and the complete records were provided by OHSU on August 26, 2021, with additional records provided on September 29, 2021.

It took 16 months from the initial request and two interventions from OCR before all of the requested records were provided. OHSU was offered the opportunity to settle the alleged HIPAA Right of Access violation informally; however, OHSU chose not to do so and a civil monetary penalty was imposed. “The HIPAA Privacy Rule requires that individuals and their personal representatives receive timely access to their medical records,” said OCR Acting Director Anthony Archeval. “A covered entity’s responsibility to provide timely access continues, even when a covered entity contracts with a business associate to respond to HIPAA right of access requests.”

This is the second HIPAA penalty to be imposed by OCR under the Trump administration. Last month, OCR imposed a $1.5 million civil monetary penalty on Warby Parker Inc., which resolved multiple violations of the HIPAA Security Rule.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
