HHS OCR Settles HIPAA Right of Access Investigation with Texas Health Provider

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with an occupational health services provider headquartered in Texas to resolve a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The settlement resolves an investigation into a complaint alleging the provider failed to provide timely access to an individual’s protected health information (PHI). OCR determined that the provider did not provide access to the requested PHI within the required 30-day timeframe. The settlement marks the 54th enforcement action under OCR’s Right of Access Enforcement Initiative.

The HIPAA Privacy Rule’s Right of Access provisions require covered entities to provide individuals or their personal representatives access to requested health information within 30 days, with the possibility of a single 30-day extension. OCR enforces the HIPAA Privacy Rule, which establishes national standards for protecting medical records, limits the use and disclosure of PHI, and grants individuals certain rights, including the right to access and obtain copies of their health information at a reasonable cost.

The enforcement action arose from a complaint alleging that an individual was not provided timely access to his health information despite making six requests beginning in February 2018. The individual did not receive access until March 2019, more than a year after the initial request.

OCR’s investigation concluded that the provider failed to respond to the individual’s requests in accordance with the HIPAA Privacy Rule’s Right of Access requirements. On June 29, 2021, OCR issued a Notice of Proposed Determination proposing a civil money penalty, after which the provider requested a hearing before an administrative law judge. Prior to the administrative hearing, OCR and the provider resolved the matter through a settlement agreement dated May 5, 2025, which included a payment of $112,500.

Compliance Perspective

Issue

The HIPAA Privacy Rule’s Right of Access provisions require HIPAA-covered entities to provide individuals, or their personal representatives, with timely access to PHI maintained in a designated record set. Access must be provided no later than 30 calendar days from receipt of the request, with the option of one 30-day extension when necessary. Covered entities must act promptly in responding to access requests and may charge only a reasonable, cost-based fee. Failure to respond to requests in a timely manner may result in enforcement action.

Discussion Points

  • Review policies and procedures related to the HIPAA Privacy Rule’s Right of Access provisions to ensure they clearly address how requests are received, tracked, processed, and fulfilled within required timeframes, including documentation of any permitted extensions. Periodic policy reviews conducted with compliance or regulatory support may help identify gaps and ensure alignment with current requirements.
  • Train staff on the HIPAA Privacy Rule upon hire, annually, and when issues or updates arise. Ensure employees responsible for receiving or processing record access requests understand the right of access requirements, including the importance of timely responses and appropriate communication with individuals. Med-Net Academy offers the course Privacy and HIPAA Compliance, which provides an overview of privacy requirements through case study examples and reviews key topics such as PHI, permitted disclosures, and common privacy risks related to social media, texting, and email.
  • Conduct periodic audits to confirm that Right of Access requests are handled in accordance with established policies and regulatory requirements. Audit activities, including targeted reviews or mock assessments performed with external compliance support, can help identify trends, validate processes, and inform quality improvement efforts, with findings reported to the QAPI/QAA Committee as appropriate.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*