
Are There Penalties If I Can’t Provide A Patient with their Medical Record?


Providing patients with timely access to their medical records is part of HIPAA guidelines. Therefore, not providing access would be a violation of the HIPAA Privacy Rule.

Although there are certain exceptions, 45 C.F.R. section 164.524 generally requires that a covered entity provide a patient with a copy of his/her medical records within 30 days, and no later than 60 days, of the patient’s request.

In 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $4.3 million civil monetary penalty against Cignet Health (Cignet), a covered entity, for violating the HIPAA Privacy Rule. The $4.3 million civil monetary penalty was triggered by Cignet’s failure to provide access to the medical records of 41 patients, as well as its failure to adequately cooperate with OCR’s investigation.

Covered entities should examine their current HIPAA policies and practices — including their compliance program provisions for responding to requests for access to medical records. It’s important to verify that the entity’s operations are up-to-date with the recent legal changes.

While the penalties in 2011 were pretty big, they sent a clear message: HHS OCR is serious about enforcing HIPAA.

Yes! You can be financially penalized if you are unable to provide medical records to present or past patients.


If you own or manage a medical facility, then situations will arise where you question releasing medical records to patients. In most cases, records are withheld because the patient may owe an outstanding balance. Some facilities have decided to hold them for other reasons as well. If you have withheld medical records from a patient in the past or are considering that practice, investigate the penalties for that practice, as HIPAA regulations define them.

What Does HIPAA Say About Releasing Medical Records?

According to HIPAA, “The HIPAA Privacy Rule grants patients or their personal representatives the right to receive, inspect and review their health information, including medical and bill records, on demand.” Medical facilities have 30 days to gather and provide the records to the requesting patient or other representative requesting this documentation. Should 30 days not provide enough time to gather the requested information, before the end of that initial time frame, the patient or entity must be provided an explanation, and a final 30 days will be granted for delivery. These records can be delivered via mail or electronic format.

What Are The Penalties?

Penalties for not providing these records are often monetary fines. These fines are applied when patients are not allowed access to their records in a timely manner. The fines are based on the length of time that passed between the original request and delivery of the medical records, or on whether the records were received at all. They are also based on the number of patient records that were delayed or not received. When a particular entity requests a large number of medical records, these fines can add up quickly and become steep for a medical facility.

One of the largest penalties applied for not producing patient records is the civil money penalty placed on Cignet Health by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) because records were not released in the appropriate time frame. Cignet Health failed to produce requested records to 41 individual patients. Cignet was also notified by OCR after these patients filed complaints, and Cignet remained noncompliant. As a result, Cignet was fined approximately $4.3 million, sending a loud and clear message that the HIPAA Privacy Rule is strictly enforced. Both the OCR and HHS made clear that medical facilities found not complying with either them or the patients would be held accountable.

Is Your Medical Facility Complying With HIPAA Regulations?

If your facility has failed to provide requested medical records, it is essential that your office begin rectifying this situation immediately. If you have posted notices, or are considering practices, under which medical records will not be released to patients, remove them at your earliest convenience. Any entity covered by HIPAA is accountable under the Privacy Rule and can receive such fines for these practices. For some medical facilities, these fines can do significant financial and reputational damage. Moving forward, ensure that your office staff understands the importance of HIPAA compliance and responds within the required time frame to prevent penalties to your facility.

GDS works with Local Hospitals, Covered Entities and Business Associates Across the United States.
