Article | April 26, 2022

The Office of Civil Rights Continues to Enforce HIPAA Right of Access Initiative

HIPAA Right of Access Initiative Overview

The HIPAA Right of Access Initiative was created to support patients’ rights to timely and affordable access to their health records.

The HIPAA Privacy Rule protects individuals’ rights to access their health information under 45 CFR §164.524. Generally, the HIPAA Privacy Rule requires:

“HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity.”1

The “designated record set” is defined at 45 CFR §164.501 to include:

“…a group of records maintained by or for a covered entity” that includes medical and billing records; enrollment, payment, and claims adjudication data; and case or medical management record systems data.2

HIPAA generally requires covered entities to provide access to medical records within 30 days of a patient’s request and also specifies what fees providers can charge.3

OCR Enforcement

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) began enforcing this initiative in 2019. Bayfront Health St. Petersburg paid $85,000 to the HHS OCR after failing to provide records to a mother for her minor daughter in a timely manner.4

In September of this year, the OCR resolved its 20th enforcement with an $80,000 settlement.

Children’s Hospital & Medical Center (CHMC) failed to provide a mother:

“with timely access to her minor daughter’s medical records. CHMC provided some records but did not provide all of the requested records to the parent’s multiple follow-up requests.”5

The OCR also recently announced four additional enforcements totaling $232,000 in settlements in addition to corrective action plans, and one civil money penalty of $100,000.6 These were not related to a parent/minor relationship.

The OCR Not Backing Down

In the HHS press release, OCR Director Lisa J. Pino is quoted as saying:

“OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”7

The most recent enforcements include individual doctors, medical groups, and specialty treatment centers. As patients file complaints when they feel they have not been given timely access, enforcements will not be limited to large organizations. Individual providers and small groups alike are subject to the Privacy Rule.

All providers should have a plan for meeting the 30-day limit for providing medical records so that they remain in compliance with the HIPAA Right of Access Initiative.




Josh Leventhal is an expert in healthcare data and analytics and is Managing Director with Kohler HealthCare. He has over 15 years of hands-on experience in healthcare data and analytics solving problems for providers, payers, and life science organizations. Josh started his career in management consulting analyzing data for the largest joint defense litigations in the country before applying his skills and expertise at local startups to assist the Medicaid managed care organization and medical research industries. His experiences as a consultant, product manager and developer allow him to work effectively with both business and technology stakeholders.