Privacy & Information Security Law Blog

On March 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $200,000 civil monetary penalty against Oregon Health & Science University (“OHSU”), a public academic health center and research university, for allegedly violating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule’s right of access provisions.

The HIPAA Privacy Rule requires covered entities to provide individuals or their personal representatives with access to their protected health information upon request within 30 days, with the possibility of one 30-day extension. In May 2020, OCR received a complaint regarding an individual who did not receive their requested records after their personal representative made an access request to OHSU on the individual’s behalf in April 2019. OCR resolved the complaint after notifying OHSU of its potential noncompliance with the Privacy Rule’s right of access provisions. OCR then initiated an investigation of OHSU based on a second complaint with respect to the same individual filed in January 2021.

Although OHSU provided part of the requested records in April 2019, OCR alleged that the university did not provide all of the requested records until August 2021. OCR’s investigation determined that OHSU failed to take timely action in response to the individual’s right of access requests, and subsequently imposed a $200,000 civil monetary penalty against OHSU.