Per the notice below, the United States Office for Civil Rights (OCR) has taken action under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) against a health care provider for failing to provide a patient with timely access to patient records.

HHS Office for Civil Rights Settles HIPAA Case Against Memorial Healthcare System Over Patient Access to Records

This settlement marks the 52nd enforcement action in the OCR Right of Access Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with South Broward Hospital District d/b/a Memorial Healthcare System (Memorial Healthcare System), a Florida health system, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.  The settlement resolves litigation resulting from an investigation about a complaint alleging a lack of timely access to an individual’s protected health information (PHI).  The HIPAA Right of Access provisions require that individuals or their personal representatives receive timely access to their health information for a reasonable cost.  OCR’s investigation determined that Memorial Healthcare System failed to provide timely access within 30 calendar days.  Memorial Healthcare System has agreed to pay $60,000.  The agreement marks OCR’s 52nd Right of Access enforcement action.

“A patient’s right to timely access their own health information is well-established by the HIPAA Privacy Rule,” said OCR Director Melanie Fontes Rainer.  “Health care entities must be responsive to their patients’ requests for their medical records.  Patients should not have to file a complaint with OCR as a necessary step before receiving their records.”

OCR initiated an investigation after receiving a complaint from an individual that he was not given timely access to his medical records, despite multiple requests by mail, telephone, and Memorial Healthcare System’s patient portal, beginning on December 30, 2020.  The individual did not receive access to his medical records until approximately nine months later, after OCR initiated its investigation.  OCR found that Memorial Healthcare System failed to take timely action in response to the patient’s right of access requests in accordance with the HIPAA Privacy Rule.  In July 2024, OCR issued a Notice of Proposed Determination to propose imposing a civil monetary penalty, and Memorial Healthcare System subsequently requested a hearing before an Administrative Law Judge.  On December 13, 2024, Memorial Healthcare System agreed to a settlement agreement, including payment of $60,000, to resolve pending administrative litigation.  The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hitech-npd/index.html.  A copy of the Settlement Agreement may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hitech-sa/index.html.  OCR’s guidance on the HIPAA right of access is available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.  OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.  If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.