A Mother Waited 18 Months for Her Son's Medical Records. Then OCR Got Involved.
In 2019, Cignet Health of Prince George's County, Maryland, refused to give 41 patients access to their own medical records. The HHS Office for Civil Rights (OCR) didn't just send a warning letter. It issued a $4.3 million penalty — the largest at the time for a HIPAA Privacy Rule violation. The patients had done everything right. They submitted written requests. They followed up. And the covered entity simply ignored them.
That case should keep every compliance officer up at night, because the HIPAA Privacy Rule gives patients the right to request access to their protected health information, amendments to that information, and restrictions on how it is used. These aren't suggestions. They're federal requirements backed by real enforcement teeth.
If your staff doesn't know what patients can legally request — or how fast you need to respond — you're exposed. Let me walk you through exactly what the law demands and where organizations keep tripping up.
What Exactly Can Patients Request Under the HIPAA Privacy Rule?
The HIPAA Privacy Rule provides patients the right to request several specific actions from covered entities and their business associates. These rights are codified in 45 CFR Part 164, Subpart E, and they're more expansive than most front-desk staff realize.
1. Access to Their Own PHI
Under the Privacy Rule's Right of Access standard (45 CFR § 164.524), patients can request a copy of almost all protected health information maintained in a designated record set. That includes medical records, billing records, insurance enrollment records, and clinical lab results.
You must provide the records in the format the patient requests — if it's readily producible. If they want electronic copies of ePHI, and your system can generate them, you hand over electronic copies. Period.
Your deadline? 30 calendar days from the date of the request. You can extend once by another 30 days, but only with a written explanation to the patient.
2. Amendments to Their PHI
Patients have the right to request that you amend inaccurate or incomplete information in their designated record set. Under 45 CFR § 164.526, you can deny the request under specific circumstances — for example, if the information is accurate and complete, or if your organization didn't create the record. But you must respond in writing within 60 days, and if you deny the request, you must explain why and inform the patient of their right to submit a statement of disagreement.
3. Restrictions on Uses and Disclosures
Here's one that catches providers off guard. Patients can request that you restrict how their PHI is used or disclosed for treatment, payment, or healthcare operations. Under 45 CFR § 164.522, you're generally not required to agree to the restriction — with one critical exception.
If a patient pays out of pocket in full for a service and asks you not to disclose that information to their health plan, you must comply. The HITECH Act made this mandatory in 2013, and I still encounter practices that have no workflow to handle it.
4. Confidential Communications
Patients can request that you communicate with them through alternative means or at alternative locations. A domestic violence survivor might ask that appointment reminders go to a personal email rather than a shared home phone. You must accommodate reasonable requests — no questions asked about why.
5. An Accounting of Disclosures
Under 45 CFR § 164.528, patients can request a record of certain disclosures of their PHI made during the prior six years. This doesn't include disclosures for treatment, payment, or operations — but it does cover disclosures to law enforcement, public health authorities, and others. Your organization must be tracking these disclosures to comply.
OCR's Patient Access Enforcement: The Numbers Don't Lie
If you think these rights are theoretical, look at OCR's HIPAA Right of Access Initiative, launched in 2019. As of 2025, OCR had settled more than 45 cases under this initiative alone. Penalties ranged from $3,500 to over $240,000 per case.
In October 2022, Optum Medical Care of New Jersey paid $160,000 after failing to provide a patient's records within the required timeframe. In December 2022, Memorial Hermann Health System settled for $240,000 for the same type of violation.
These weren't massive data breaches. They weren't hacking incidents. They were access request failures — the simplest, most preventable category of HIPAA violation. OCR has made it clear: denying or delaying patient access to PHI is a top enforcement priority. You can review the full list of enforcement actions on the HHS enforcement outcomes page.
Where Organizations Keep Failing
I've audited dozens of covered entities, from large hospital systems to solo behavioral health practices. The same failure patterns show up everywhere.
Front-Desk Staff Don't Know the Rules
The person who first receives a patient's access request often has zero training on the 30-day timeline, allowable fees, or format requirements. They pass the request to a supervisor. The supervisor forgets. Thirty days become sixty. OCR gets a complaint.
This is fixable. Organizations that invest in role-specific workforce training — like our HIPAA training for nurses and clinical workflow — give their teams concrete procedures instead of vague awareness.
Verbal Disclosures Create Quiet Violations
Patients also have the right to request restrictions on verbal disclosures. Think about this: a patient tells your front desk not to call their home number and leave messages about appointments. A staff member does it anyway. That's a potential Privacy Rule violation — and it happens more often than any audit will reveal.
Our Verbal Disclosures: Watch What You Say course addresses exactly these scenarios, because they're the ones that generate complaints to OCR.
Mental Health Records Add Another Layer of Complexity
Psychotherapy notes occupy a special protected category under the Privacy Rule. Patients generally do not have a right to access psychotherapy notes (45 CFR § 164.524(a)(1)(i)). But they do have the right to access the rest of their mental health records — treatment summaries, diagnoses, medication records, and billing information.
I've seen behavioral health practices deny access to all mental health records, claiming everything qualifies as "psychotherapy notes." That's wrong, and it's exactly the kind of error that triggers enforcement. If your practice handles sensitive mental or behavioral health data, HIPAA training designed for mental and behavioral health providers is not optional — it's essential.
How Fast Must You Respond? A Quick-Reference Breakdown
- Access requests: 30 days (one 30-day extension with written notice)
- Amendment requests: 60 days (one 30-day extension with written notice)
- Accounting of disclosures: 60 days (one 30-day extension with written notice)
- Restriction requests: No specific deadline in the rule, but unreasonable delay invites scrutiny
- Confidential communication requests: Must be accommodated within a reasonable timeframe
Miss any of these windows, and you've handed OCR the basis for a corrective action — or worse.
What "Reasonable" Fees Actually Look Like
You can charge patients a reasonable, cost-based fee for copies of their records. But "reasonable" has a ceiling. HHS has clarified that this includes only the cost of labor for copying, supplies, and postage. You cannot charge for search and retrieval time.
Many states have fee schedules that are more restrictive than HIPAA's baseline. In my experience, the safest path is to keep fees minimal — or waive them entirely for electronic copies generated from an EHR. The reputational cost of an OCR complaint dwarfs any revenue from copy fees.
The Five-Step Process Every Covered Entity Needs
Here's the workflow I recommend to every organization I consult with:
- Step 1: Designate a single point of contact for all patient access, amendment, and restriction requests.
- Step 2: Log every request with the date received. Start the clock immediately.
- Step 3: Verify identity, then confirm the format the patient wants.
- Step 4: Fulfill the request within 30 days (for access) or 60 days (for amendments and accountings). If you need an extension, send written notice before the deadline.
- Step 5: Document everything — the request, your response, the date fulfilled, and any communications. This documentation is your defense if OCR comes calling.
The Privacy Rule Isn't Going Away — Neither Is Enforcement
The HIPAA Privacy Rule provides patients the right to request access, amendments, restrictions, confidential communications, and accountings of disclosures. These rights have been in place since 2003. OCR's enforcement of them has only intensified.
In 2026, with OCR continuing to expand its Right of Access Initiative and HHS signaling further rulemaking around patient access to ePHI, your compliance posture needs to be airtight. That means written policies, trained staff, documented workflows, and a culture that treats patient requests as legal obligations — because that's exactly what they are.
Browse our full HIPAA training catalog to find courses built for your team's specific compliance gaps. Because the next OCR settlement shouldn't have your organization's name on it.