The University of Cincinnati Medical Center (UCMC) has been fined $65,000 by the HHS’ Office for Civil Rights (OCR) for failing to provide a patient with timely access to her medical records.
The HIPAA Privacy Rule gives patients the right to request a copy of their medical records. When a request is received, the records must be provided within 30 days to the patient directly or, if specifically requested, to the patient’s nominated representative.
The HIPAA Right of Access is an important HIPAA provision as it allows patients to check their medical records and have errors corrected, and empowers them to take charge of their healthcare. In the event of a disaster such as a ransomware attack, patients who hold a copy of their medical records will still have them available.
In 2019, OCR launched a new enforcement initiative to ensure HIPAA covered entities and their business associates were fully complying with the HIPAA Right of Access. OCR investigates complaints from patients who claim not to have been provided with a copy of their medical records within 30 days of submitting a request and intervenes to ensure those records are provided.
Since the HIPAA Right of Access enforcement initiative was launched, 12 financial penalties have been issued to entities that have failed to provide timely access to medical records, at a reasonable cost, as required by the HIPAA Privacy Rule.
In May 2019, OCR received a complaint from a patient alleging UCMC had failed to respond to a request to have her medical records sent to her lawyer – her nominated representative. OCR investigated and found that more than 13 weeks after the request was sent to UCMC, the records had still not been provided. OCR intervened and the records were provided to the patient’s lawyer in August 2019, more than 5 months after the initial request had been sent.
OCR determined such a lengthy delay warranted a financial penalty. UCMC agreed to settle the case with no admission of liability, pay the financial penalty, and adopt a corrective action plan to ensure compliance with the HIPAA Right of Access. OCR will monitor UCMC for the next two years to ensure continued compliance.
“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director.