Access Rights
Can a Patient Request Their Medical Records After a Data Breach?
Patients can request their medical records after a data breach. Where most people get stuck is knowing what to ask for, who is actually responsible, and when to file an OCR complaint.
This article is for patients whose protected health information may have been exposed and for the healthcare providers and vendors who owe them answers.
What You Need to Know
- OCR's 2024 report to Congress documented HIPAA compliance failures and data breaches across the healthcare sector.
- Mission Community Hospital agreed to pay $1.55 million to settle a data breach lawsuit.
- Datavant Group agreed to pay $900,000 to settle a class action data breach lawsuit.
- Patients have enforceable rights under HIPAA—but exercising them requires knowing where to start.
When a hospital or health data company experiences a breach, affected patients are rarely the first to know. OCR's 2024 report to Congress documented the scope of HIPAA compliance failures and data breaches across the reporting period. Two settlements, Mission Community Hospital at $1.55 million and Datavant Group at $900,000, both class action resolutions rather than OCR enforcement actions, illustrate how that exposure eventually reaches patients and the courts.
The Gap
HIPAA gives patients a clear right to access their own medical records. That right doesn't pause during or after a breach. In fact, a breach is one of the more important moments to exercise it.
The problem isn't whether the right exists. It's that most patients don't know what to request, who to send it to, or what to do if the response is inadequate. Covered entities (hospitals, clinics, health plans, and health systems) are required to provide access to records under 45 C.F.R. § 164.524, to respond to complaints, and, in breach situations, to notify affected individuals under 45 C.F.R. §§ 164.400–414. When those obligations aren't met, patients have a path to OCR.
What the Mission Community Hospital and Datavant settlements demonstrate is that litigation is also on the table. HIPAA itself gives patients no private right of action; its enforcement belongs to OCR and to state attorneys general. Breach class actions instead plead state-law theories such as negligence or consumer-protection and data-breach statutes, and they have become a visible part of the accountability landscape when institutional failures affect large numbers of people. The $900,000 Datavant settlement involved a health data company rather than a direct care provider, a reminder that patient data moves through vendor relationships and that exposure doesn't stay inside the hospital walls.
Datavant operates in the health data connectivity space, which means its relationships extend across providers, researchers, payers, and analytics platforms. A vendor that handles protected health information on a provider's behalf is a business associate under HIPAA, and the patient's right of access runs against the covered entity, which must obtain the records its business associates hold. When a vendor at that layer of the data supply chain experiences a breach, identifying who holds your data, and in what form, becomes genuinely complicated for an individual patient.
What to Do
- Request your records from the covered entity directly. Under the HIPAA right of access (45 C.F.R. § 164.524), you can request your protected health information from any covered entity that holds it, in the form and format you ask for if it is readily producible. Submit the request in writing, keep a copy, and note the date. The covered entity must act on the request within 30 days of receiving it; a single extension of up to 30 more days is allowed only if it tells you in writing why the delay is needed and when it will respond. It may charge only a reasonable, cost-based fee for copies. If you don't know which entities hold your data, start with your primary care provider and any specialists you've seen recently.
- File a complaint with OCR if you're denied or ignored. If a covered entity fails to provide your records, fails to notify you of a breach that affected you, or otherwise violates your HIPAA rights, you can file a complaint directly with HHS OCR. The complaint must be in writing (paper or the online portal), name the entity, and describe what happened; it generally must be filed within 180 days of when you knew or should have known of the violation, though OCR can extend that deadline for good cause. OCR investigates complaints and has enforcement authority. The complaint process is free and does not require an attorney.
- Monitor your explanation of benefits and any health-related accounts. After a breach involving medical data, watch for unfamiliar claims, services you didn't receive, or changes to your health insurance information. Medical identity theft can follow a health data breach and may not surface immediately.
- Assess whether you're part of a class action. Both the Mission Community Hospital and Datavant settlements arose from class action lawsuits. If you received a breach notification letter, whether from either of those organizations or from any other entity that experienced a breach, preserve it and note the date you received it. It may be relevant to existing or future litigation. Consult an attorney if you believe your data was involved and you haven't received formal notice.
- Ask the covered entity what data was involved. Under 45 C.F.R. § 164.404, a breach notification must go out without unreasonable delay and no later than 60 calendar days after the breach is discovered, and it must state what happened (including the breach and discovery dates), the types of unsecured protected health information involved, steps you should take to protect yourself, what the entity is doing in response, and how to contact it with questions, via a toll-free number, email address, website, or postal address. If you received a letter and it's unclear, you're entitled to follow up using those contact details. The specific data exposed (clinical records, billing information, identifiers) determines the downstream risk you're managing.
The settlements from Mission Community Hospital and Datavant show that accountability does arrive eventually. The gap is usually the time between exposure and resolution, during which patients carry risk they didn't create and often can't fully see.
If you're unsure whether your organization's breach response or patient notification workflow holds up to scrutiny, get in touch.
Sources
- 45 C.F.R. §§ 164.400–414, https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D.
- 45 C.F.R. § 164.524, https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524.
- Filing a Health Information Privacy Complaint, U.S. Dep't of Health & Hum. Servs., Off. for Civil Rights, https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
- OCR Reports to Congress on HIPAA Compliance and Data Breaches, U.S. Dep't of Health & Hum. Servs., Off. for Civil Rights, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html.
- Steve Alder, Datavant Group to Pay $900,000 to Settle Class Action Data Breach Lawsuit, HIPAA J. (2024), https://www.hipaajournal.com/datavant-group-class-action-data-breach-settlement/.
- Steve Alder, Mission Community Hospital Pays $1.55M to Settle Data Breach Lawsuit, HIPAA J. (2024), https://www.hipaajournal.com/mission-community-hospital-data-breach-settlement/.