Denied, Delayed, Fined: OHSU’s $200K HIPAA Fine

March 13, 2025

Oregon Health & Science University (OHSU), an academic research institution with public health centers, is the latest Covered Entity to be fined for a HIPAA Right of Access violation. 

Unfortunately, Right of Access fines are common and are usually sparked by a patient complaint. OHSU’s violation was no different: a patient waited for records much longer than the 30-day federal requirement.

This 53rd Right of Access rule enforcement showcases the critical importance of prioritizing patient requests. 


What Happened? 

A patient of OHSU required their medical records, and a medical representative requested the records multiple times over the course of years.

The representative’s initial written request was on April 24, 2019. At first, OHSU quickly addressed this request, having a Business Associate provide medical records to the representative by April 29, 2019. However, these were partial records, not including all of the vital information the patient needed. 

The representative sent another request at the beginning of November 2019, which OHSU incorrectly denied due to a missing date. The representative submitted another request at the end of the month, which OHSU once again erroneously denied, this time for invoices. 

When OHSU again only provided partial records after the representative asked for the records in May 2020, the representative filed a complaint with the Office for Civil Rights (OCR). 

After OHSU again denied the medical records in July, the OCR closed the case in September, providing OHSU with technical assistance on properly sending medical records.

However, the records were still not provided as of January 2021, when the representative submitted a second complaint to the OCR. 

The OCR notified the university on August 21, 2021. Within the week, OHSU provided the representative with medical records. All medical records were sent to the representative by the end of September. 

Over two years had passed from the first request in April 2019 to finally receiving the records in late 2021. 

This request’s drawn-out, back-and-forth nature resulted in OHSU being fined a $200,000 Civil Monetary Penalty.


Prioritize Patient Requests

Almost half a million patient complaints have been received by the OCR. By prioritizing patient requests for records, your practice can avoid potential investigations, fines, and, in general, unhappy patients.

When working in healthcare, your goal is to provide the best care for patients. Ignoring patients’ needs will leave them unhappy and dissatisfied, seriously impacting the overall quality of care your practice can provide.

Intelligent compliance software solutions allow your practice to proactively identify and address vulnerabilities while educating staff on essential compliance requirements. 

By streamlining compliance, your staff can be well aware of the importance of prioritizing patient requests, leading to a more successful practice with higher patient satisfaction.

To learn more about simplifying compliance, schedule a consultation with a compliance expert.