With nearly 20 settlements so far, the Office for Civil Rights (OCR) is showing its determination to protect patients’ rights to obtain their medical records from healthcare entities.

OCR announced its Right of Access Initiative in 2019 and vowed to “vigorously enforce” patients’ right to access their medical records. OCR continues investigating allegations of improper delays that potentially violated the HIPAA Privacy Rule’s right of access requirements (45 C.F.R. § 164.524).

Former OCR Director Roger Severino said in November 2020, “We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.” There have been seven more settlements since then. [1, 2]

Lessons from Settlements

A key takeaway from the 18 Right of Access settlements is that providers cannot ignore OCR investigations, says Elizabeth Litten, JD, partner and chief HIPAA privacy & security officer with Fox Rothschild in Princeton, NJ.

“If a patient complains and OCR investigates, the provider must do whatever it can to provide the requested records to the patient as quickly as possible,” Litten says. “Many of the settlements involve situations in which the provider failed to provide the complainant’s records even after the OCR began an investigation and provided ‘technical assistance’ designed to facilitate the provider’s compliance.”

Risk managers and compliance officers can learn from the Right of Access settlements, says Daniel Hernandez, JD, partner with Shutts & Bowen in Tampa, FL. He notes all the settlements resulted from a consumer complaint, typically after months of the consumer trying to access records. Healthcare entities must respond within 30 days (or 60 days, if there is a reason to justify the extension).

“If you communicate with these patients when you’re having difficulty locating the records or producing them in the format the patient has requested, I think most patients will understand and agree to a longer period,” Hernandez says. “Most of the settlements come after not just one complaint but a second complaint. There is an initial complaint to OCR, OCR reaches out to the healthcare facility to say there is a complaint and let us help you facilitate the production of these records with technical guidance, but still the records are not produced, and there is a second complaint.”

In the cases where OCR pursued a settlement after a single complaint, a significant amount of time had passed between the patient’s first request and the complaint.

“It’s not as though the hurdles for complying are insurmountable. The healthcare facilities have these records, and the settlements are not coming as the result of technical violations of HIPAA, such as providing the records in an incorrect format, providing them to the incorrect person, or charging too many fees,” Hernandez says. “These settlements come from just not producing the records on a timely basis. If healthcare facilities did that, they would not find themselves in this situation.”

Create Policies, Train Employees

Healthcare organizations should make sure they maintain written policies on right of access and train employees on how to respond to records requests. Hospital leaders may have a firm grasp on what HIPAA requires in this regard, but frontline employees responding to record requests may not understand the requirements or the potential consequences of not responding.

“They need to understand that when there is a complaint, they need to jump on it right away,” Hernandez says. “They cannot ignore the patient’s request or the complaint about a slow response. I think the problem is a lack of training in many facilities.”

Often, hospitals have not created a good process for tracking records requests, so they become lost in a stack of other documents on some employee’s desk. “It’s not so much a matter of saying no to the request but rather the request gets lost in the system. If the patient doesn’t follow up and make multiple requests, nothing happens,” Hernandez says. “Sometimes, even when the patient does make repeated requests, nothing happens.” Hernandez notes all the recent settlements include a corrective action plan, which brings continued scrutiny after the fine is imposed.

The requirements of the plans are straightforward and derived from HIPAA; they are the same procedures hospitals should have been following in the first place. A corrective action plan means OCR will be watching more closely.

“The enforcement mechanisms available to OCR are unique and have significant teeth to them,” Hernandez says. “I don’t get the sense that the average person at a hospital who works in the front office has a good appreciation for the potential consequences of not giving a patient his or her records in 30 days. They think the only potential consequence is that the patient will get a little upset but eventually they’ll get their records and everything will be fine.”

Those employees should be educated on the size of the fine OCR could impose on the hospital, and the possibility that such a fine could result in termination for the responsible employee.

“With that knowledge, I think they would be more cognizant and more responsible,” Hernandez says. “Educating staff on the seriousness of this rule and the potential consequences would address a lot of the problems you see here.”
  1. HHS.gov. OCR settles eleventh investigation in HIPAA Right of Access initiative. Nov. 12, 2020.

  2. HHS.gov. OCR news releases & bulletins.