OCR Imposes $200,000 Civil Money Penalty Against HIPAA-Covered Entity | Saul Ewing LLP

On March 6, 2025, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a civil money penalty (“CMP”) of $200,000 against Oregon Health & Science University (“OHSU”) for failing to provide a patient’s personal representative with timely access to medical records. This penalty is part of OCR’s ongoing efforts to advance patient access to medical records under the HIPAA Right of Access Initiative.

What You Need to Know:

• Patients are entitled to timely access to copies of their medical records under HIPAA.
• OCR was active during the Biden Administration related to the Right of Access Initiative; it is not yet clear if the Trump Administration will continue to pursue the Right of Access Initiative.
• HIPAA-covered entities should review their policies and procedures to confirm processes to ensure timely access for individuals to copies of their medical records.

The HHS OCR Right of Access Initiative requires that individuals or their personal representatives be given timely access (within 30 days, with the possibility of one 30-day extension) for a reasonable cost-based fee to their protected health information. This is the 53rd Right of Access enforcement action imposed by OCR. We have previously written about the OCR Right of Access Initiative, including here, here and here.

OHSU is a public academic health center and research university located in Portland, Oregon. OCR’s investigation of OHSU began after a complaint was filed in January 2021 by a personal representative; this was the second such complaint filed against OHSU. OCR had already notified OHSU of potential noncompliance in September 2020. OHSU had provided part of the requested medical records in April 2019, but the remainder of the requested records were not provided until August 2021, more than a year after OCR’s letter and sixteen (16) months after the representative’s initial request.

One of the interesting facts in the notice of proposed determination is that OHSU relied upon its business associate to process and fulfill the request for medical records. The notice of proposed determination explained the factors HHS OCR considered in determining the amount of the civil monetary penalty and the merits of OHSU’s affirmative defenses.

OCR found that OHSU failed to take timely action to provide the complete set of records. In September 2024, OCR issued a notice of proposed determination for a $200,000 civil money penalty, which OHSU did not contest. As a result, in December 2024, during the final days of the Biden Administration, the civil money penalty was finalized.

A copy of the notice of final determination can be found here [Oregon Health & Science University OCR Transaction Number: 21-411469 – Notice of Final Determination].

During the Biden Administration, OCR was aggressive in enforcing individuals’ interests pursuant to the Right of Access Initiative. 

The Trump Administration has not yet announced any settlements with respect to the Right of Access Initiative or imposed any CMPs related to HIPAA.

HIPAA and its regulations remain federal law. Accordingly, HIPAA-covered entities should ensure that their policies and procedures provide for timely access to medical records when requested by an individual and that there is an internal mechanism to ensure compliance, either directly by a covered entity or a business associate acting on its behalf. Providing a timely reply to a request for records from an individual is much easier and more cost effective than engaging with OCR for an extended period of time, incurring legal fees, and potentially facing an expensive OCR settlement or the imposition of a civil money penalty.