“Right to Access” requires health plans and healthcare providers to provide access to health information within 20 days, with the possibility of a 30-day extension, according to a March 6 news release from HHS.
In April 2019, an individual’s personal representative requested records from OHSU, which only provided part of requested information that month.
In May 2020 and January 2021, that individual’s personal representative filed two complaints with the HHS Office for Civil Rights concerning OHSU’s alleged noncompliance with the Privacy Rule Right to Access. After the agency investigated the matter, the university provided the full requested records in August 2021.
In September 2024, HHS issued a notice about the $200,000 fine, and OHSU waived its right to a hearing and did not contest the penalty.
An OHSU spokesperson told Becker’s the organization “respects the Office for Civil Rights’ responsibility to enforce the act; however, we do not agree with OCR’s findings.”
“Regrettably, the OCR elected to pursue sanctions against OHSU rather than exercise its power to hold the vendor, or business associate, directly liable,” the spokesperson said. “While we acknowledge our own responsibilities to patients under HIPAA, we remain frustrated by the mischaracterization of facts contained in OCR’s published notice.”
