Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. OCR continues HIPAA Right of Access with CMP

      Articles

    Article

    OCR continues HIPAA Right of Access with CMP

    March 13, 2025

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague, Meredith LaMaster and Grace Connelly

    OCR’s 53rd Right of Access Initiative enforcement action reminds hospitals to provide timely access to requests for medical records, even when such requests are delegated to business associates.

    Key Takeaways

    • OCR continues to enforce scenarios where hospitals fail to provide timely access to protected health information (PHI), imposing a $200,000 civil monetary penalty (CMP).
    • HIPAA-regulated entities may be held responsible for the actions of their business associates if business associates do not comply with patients’ and/or their personal representatives’ requests for timely access to PHI.

    On March 6, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an enforcement action against Oregon Health & Science University (OHSU) for alleged violations of the HIPAA Privacy Rule. Specifically, OHSU failed to provide an individual’s personal representative with timely access to the individual’s PHI.

    Background on HIPAA Right of Access Initiative

    The HIPAA Privacy Rule sets standards to protect individuals’ health information, establishes parameters and conditions on the uses and disclosures of PHI, and grants certain rights to individuals and/or their personal representatives, including the right to access and obtain a copy of PHI maintained in a designated record set. A covered entity is required to provide access within 30 days of receiving a request from an individual or their personal representative, subject to one 30-day extension in certain circumstances. Since the launch of the Right of Access Initiative in 2019, OCR has focused a subset of its enforcement efforts on the provision of access to PHI in a timely manner and at a reasonable cost. The Right of Access Initiative remains an active enforcement area; this is the second Right of Access enforcement initiative issued in 2025, and 53rd overall.

    Enforcement Action against OHSU

    OCR imposed a $200,000 CMP against OHSU, a public academic health center and research university, for its failure to provide a patient’s personal representative with timely access to the patient’s records.

    After receiving services at OHSU, the patient’s personal representative requested access to the patient’s records on April 24, 2019. On April 29, 2019, OHSU’s business associate provided a portion of the requested records. In November 2019, the patient’s attorney requested the patient’s records from OHSU twice and received two denials from OHSU’s business associate based on the lack of a date and the failure to pay the invoice for the records request. After follow-up requests in November 2019 and May 2020, OHSU provided another incomplete set of the patient’s records on May 29, 2020.

    The patient’s attorney submitted a complaint to OCR on May 20, 2020. OCR provided technical assistance to OHSU regarding OHSU’s obligations under HIPAA’s Right of Access provision and closed the complaint on September 2, 2020, advising OHSU to evaluate whether there may have been any HIPAA noncompliance related to the access requests and to take necessary steps to prevent any future noncompliance.

    On January 27, 2021, the patient’s attorney filed a second complaint with OCR alleging that the patient still had not received a copy of her medical records from OHSU. OCR provided OHSU with notice of the second complaint on August 12, 2021. Following this notice, OHSU provided all requested medical records to the patient.

    On July 24, 2023, OCR issued a Letter of Opportunity (LOO) notifying OHSU that OCR had found indications of noncompliance with HIPAA and offered OHSU an opportunity to submit written evidence of any mitigating factors or affirmative defenses. OHSU provided a written response; however, OCR determined that the response did not provide a basis for an affirmative defense. OCR found that its technical assistance letter provided to OHSU in relation to the first complaint provided OHSU with enough information to put it on notice of its potential noncompliance with HIPAA. OHSU did not correct the potential noncompliance within 30 days of receipt of the letter (requested medical records were provided 329 days after receipt of the letter). Further, OHSU attempted to shift responsibility to its business associate. This was not a sufficient affirmative defense because under the Privacy Rule, covered entities, not business associates, are responsible for ensuring timely action in response to right of access requests.

    OCR issued a Notice of Proposed Determination seeking to impose a $200,000 CMP against OHSU. While entities have the right to a hearing before an administrative law judge to challenge proposed determinations, OHSU failed to request a hearing within ninety (90) days of receipt of the Notice of Proposed Determination. Therefore, the Notice of Proposed Determination became final on December 13, 2024.

    Lessons learned

    OCR continues to prioritize its ongoing Right of Access Initiative. While Right of Access enforcement actions often involve financial settlements and corrective actions plans, the OHSU matter is an example of a covered entity seemingly agreeing to pay a CMP, possibly to avoid what can be the costly and time-intensive process of negotiating a settlement with OCR and complying with the requirements of an often multi-year corrective action plan.

    Covered entities and business associates should take seriously any initial communications with OCR, including technical assistance letters, and correct any potential noncompliance noted by OCR to possibly avoid CMPs or other enforcement. Covered entities also should ensure that their administrative and support staff are properly trained on how to timely respond to requests for records from patients or their personal representatives, even when contracting with a business associate to respond to record requests. Covered entities have the responsibility under HIPAA to provide timely access regardless of whether they have contracted with a business associate, but covered entities should emphasize these requirements to business associates when entering into business associate agreements and throughout the course of the relationship with such business associates.

    For more information on the content of this alert, please contact your Nixon Peabody attorney or the authors of this article.

    OCR Action

    Locations

    Chicago

    Practices

    HealthcareHealthcare Regulatory & ComplianceHealth Information - Privacy, Security & Data Sharing

    Industries

    Healthcare

    Insights And Happenings

    • Alert

      Proposed California legislation expands scrutiny of health care transactions

      March 25, 2025
    • Alert

      Latest executive order signals increased healthcare price transparency enforcement

      Feb 28, 2025
    • Alert

      Connecticut seeks increased oversight of healthcare entity transactions

      Feb 21, 2025
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved