
In this HIPAA Speed Trap, Slow Movers and No Movers Pay $

Updated: May 15

In two recent federal cases, long-term care providers faced fines in what has become a speed trap for those who ignore timelines for responding to medical records requests. 

In each case, the U.S. Office for Civil Rights (OCR) cited a failure to meet requirements for the timely release of records, following legitimate requests. Such lack of responsiveness defies years of federal government warnings that records requests must get prompt attention. The priority is so high that the OCR named it the “Right of Access Initiative.”

In one instance, in a violation announced in April, a New Jersey skilled nursing facility paid a $100,000 fine for flatly denying access to medical records. 

Days earlier, OCR reported on a multi-facility nursing care organization in Oklahoma, which took 323 days to release medical records to a patient’s daughter, who had authority as her mother’s personal representative. 

In the Oklahoma case, the OCR initially imposed a $250,000 fine.  But the provider contested that amount, and an administrative judge, while upholding OCR’s finding of willful neglect, ordered a civil penalty of $75,000. The provider appealed, and eventually OCR settled with a $35,000 fine.

Far beyond fines, the actual costs of this kind of infraction, including legal and consulting fees, and disruption of business, can climb into the hundreds of thousands quickly.

To avoid trouble, policies and procedures should be in place for promptly granting records requests. Processes should be clearly communicated and made part of the workflow.

Here are things to know to stay compliant:

  • Under the Health Insurance Portability and Accountability Act (HIPAA), providers have up to 30 days to provide access to requested medical records.  Exceptions apply, relating to psychotherapy notes or criminal proceedings. You can refer to this federal government webpage for more information on the exceptions. 

  • The Privacy Rule permits organizations to impose reasonable, cost-based fees. Fees may include copying costs, including supplies and labor, postage, and some costs associated with preparing requested summaries.

Unlike the threats of cybercrime, processes for records requests lie within the control of an organization.  This is an easy one: Work speedily to meet valid records requests from individuals you serve or their authorized representatives.  Keep in mind, the records are theirs for services paid.

About the author:

Diane Evans is founder of Guarded Edge, which offers training and services on the application of the Health Insurance Portability and Accountability Act (HIPAA) within long-term care.  Diane can be reached at  Readers may access a complimentary Social Media Policy by visiting

