Per the notice below, the United States Office for Civil Rights (OCR) has taken another in its series of actions against health care providers under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for failing to provide patients their records when requested.

HHS Office for Civil Rights Imposes a $100,000 Penalty Against Mental Health Center for Failure to Provide Timely Access to Patient Records

The civil money penalty marks OCR’s 51^st HIPAA Right of Access enforcement action to advance patient access to medical records.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Rio Hondo Community Mental Health Center (“Rio Hondo”) in California.  The penalty resolves an investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee.  OCR enforces the HIPAA Privacy Rule, which establishes national standards to protect individuals’ medical records; sets limits and conditions on the uses and disclosures of protected health information; and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.

“Patients should never be in the position of needing to request their own medical records over and over again before getting access to them,” said OCR Director Melanie Fontes Rainer.  “Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority.  Healthcare providers are legally obligated to provide patients with timely access to their medical records.  If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”

OCR launched an investigation after receiving a complaint from a patient that they were not given timely access to their medical records, despite multiple requests in writing and by telephone.  OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them.  The patient made multiple telephone calls in July and August 2020, regarding the status of her request, but still did not receive the requested records.  Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule.  In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty.  Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination.  As a result of OCR’s investigation, the patient received their records in 2020.

The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-proposed-determination/index.html.  The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-final-determination/index.html.  OCR’s guidance on the HIPAA right of access is available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.  OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.  Guidance about the Privacy Rule, Security Rule, and Breach Notification Rule can also be found on OCR’s website.  If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.