The HHS Office for Civil Rights (OCR) announced that it has settled five more investigations in its HIPAA Right of Access Initiative, an enforcement priority intended to support the right to timely access to health records at an affordable price.[1]

All the settlements stemmed from patients or family members complaining that a healthcare organization had not responded appropriately to requests for patient records. OCR issued guidance on access rights in 2016, advising hospitals and other HIPAA-regulated entities on the expectations and requirements inherent in the patient’s right to access his or her PHI in the designated record set (DRS).[2]

The DRS is the body of information used to make decisions about the patient’s care or payment for care. In 2019, OCR launched the enforcement initiative that resulted in these most recent settlements.

“The OCR means business,” says Sarah E. Coyne, JD, partner with the Quarles & Brady law firm in Madison, WI. “Rumor has it that additional guidance or regulations will be issued imminently in light of the Ciox decision relating to third party requests for electronic PHI and appropriate parameters including fees, which changed the access landscape.”[3]

Coyne notes the HIPAA Right of Access Initiative may receive a boost from the concurrent requirements under the Office of the National Coordinator for Health Information Technology (ONC) information blocking rules.[4] Both provide a basis for legal action against those who stand between patients and their medical records.

Much confusion remains about when healthcare entities can and cannot release information under HIPAA, says Kim Stanger, JD, partner with Holland & Hart in Boise, ID. The confusion is most common among smaller physician practices and similar healthcare operations, he says. “Part of the risk manager’s job is to identify and correct those misunderstandings,” Stanger says. “Some people still think that if a patient requests information that was obtained from another hospital or provider, the hospital can’t provide that information to the patient. That’s not true under HIPAA.”

Similarly, healthcare workers may think HIPAA prevents providing lab results because they must be provided directly from the lab, or that parents may not obtain patient information even if they are the personal representative under HIPAA.

“It’s very easy for the medical records offices to adopt these false beliefs. They get lax and don’t follow up on anything they’re not sure about,” Stanger says. “OCR is demonstrating that this is not acceptable and that healthcare organizations must provide the proper training and support for the people in your organization who make these decisions.”

Coyne says there are some lessons to be learned from the enforcement initiative and how it has played out to date:

  • The patient has the right to all the PHI in his or her DRS, no matter how old it is, where it is stored, or where it originated.
  • There are few circumstances in which OCR will decide a hospital was justified in withholding access from a patient who requests it. For example, if the basis is that the information was not used for making decisions about the patient, the hospital must be able to support that justification.
  • The hospital can require the request to be in writing but cannot create an unreasonable barrier. For example, it cannot require the person to come to the hospital health information management department in person.
  • Patient complaints matter. The settlements have been prompted by patients complaining to OCR that they could not access their medical information in a timely fashion.
  • Timing matters. Hospitals that take longer than the prescribed 30-day timeline (plus a 30-day extension) risk penalties. The period may be more restrictive under state law. Hospitals should rigidly adhere to these timing parameters. The settlements show OCR is willing to penalize even short delays beyond those timelines.
  • It is a good time for hospitals to review and update their right to access policies, although new guidance may be imminent and will need to be incorporated quickly upon release.
  • Covered entities should ensure their business associates are aware of the access enforcement initiatives and are up to speed on the associated requirements.
  • Hospitals must not charge excessive fees. HIPAA allows a reasonable cost-based fee, subject to state law, and no search or retrieval fees, regardless of state law.
  • Cooperating with OCR is required — and a good way to try to mitigate the size of the penalty/settlement.

The settlements from this initiative should not be surprising, says Alisa L. Chestler, JD, CIPP/US, shareholder with Baker Donelson in Nashville. The process includes many moving parts, so healthcare organizations sometimes stumble when responding to records requests, she says.

“In our mobile world, people are used to having information at their fingertips. They see no reason that their medical information should be any different. Patients know the information exists electronically and, therefore, want to have what they need,” Chestler says. “Frankly, this is also more a matter of who is complaining, as many of the complaints come from the patient’s lawyers looking for the information on the patient’s behalf. They know that many times the providers, especially the smaller providers, are not equipped to handle such requests quickly or efficiently.”

Still, most cases are a lesson in what not to do, Chestler says. Many initially were contacted by OCR and given “technical advice” with an intention to close the matter, she notes. However, the providers did not send the records even after the technical advice, and the OCR likely was frustrated with their inaction and non-compliance. Aside from the monetary penalties, each has either a one- or two-year monitoring period, which is an expensive and onerous process.

“What was most interesting about many of the cases is that they appear to be in specific areas in which there might have been more complex issues, including mental health, substance abuse, and minor records,” Chestler says. “Providers should know in advance their understanding of the state laws and be able to react quickly and appropriately. The laws surrounding minors, custodial parents, and related issues can be particularly complicated. Providers should have at least a baseline understanding of the issues so they are prepared.”

  1. OCR settles five more investigations in HIPAA Right of Access initiative. Sept. 15, 2020.
  2. Individuals’ right under HIPAA to access their health information, 45 CFR § 164.524. Content last reviewed Jan. 31, 2020.
  3. Ciox Health, LLC v. Alex Azar, et al.
  4. HHS extends compliance dates for information blocking and health IT certification requirements in 21st Century Cures Act final rule. Oct. 29, 2020.