In 2019, the Office for Civil Rights (OCR) launched its HIPAA Right of Access Initiative — and since then, it has settled or imposed penalties in more than 45 enforcement actions specifically targeting organizations that failed to provide patients timely access to their medical records. Penalties have ranged from $3,500 for a small dental practice to $240,000 for a hospital system. If your covered entity hasn't revisited its access request workflows recently, you're operating at significant risk.

What the HIPAA Right of Access Actually Requires

Under the HIPAA Privacy Rule at 45 CFR § 164.524, individuals have the HIPAA right to access and obtain a copy of their protected health information (PHI) maintained in a designated record set. This includes medical records, billing records, insurance enrollment records, and any other records used to make decisions about the individual.

Your organization must act on a valid access request within 30 calendar days. A single 30-day extension is permitted only if you provide the individual with a written explanation of the delay and the date by which you will fulfill the request. There is no exception for backlogs, staffing shortages, or EHR transitions.

The individual gets to choose the format. If they want an electronic copy and you maintain the records electronically, you must provide it in the electronic form and format requested — if readily producible. If not, you must agree on an alternative electronic format or provide a hard copy.

Fees: The Rule Most Organizations Get Wrong

OCR has been unequivocal: you cannot charge individuals excessive fees for copies of their own PHI. Under 45 CFR § 164.524(c)(4), you may only charge a reasonable, cost-based fee that includes the cost of copying (including supplies and labor), postage if the individual requests mailing, and preparation of an explanation or summary if the individual agrees to one in advance.

You may not charge search and retrieval fees, overhead, or any per-page fee that exceeds your actual labor and supply costs. Many state laws cap these fees further. In my work with covered entities, fee disputes are one of the fastest paths to an OCR complaint — and they are among the easiest violations for OCR to confirm.

The Workforce Training Requirement That Triggers Violations

The most common reason a HIPAA right of access complaint reaches OCR is not a policy failure — it's a frontline workforce failure. A front-desk employee doesn't recognize a valid request. A health information management (HIM) clerk routes the request to the wrong department. A provider insists on an in-person visit before releasing records.

Under 45 CFR § 164.530(b), every covered entity must train all workforce members on its HIPAA policies and procedures, including those related to individual rights. This is not optional and must be documented. Ensuring your workforce understands the HIPAA right of access — including timelines, permissible fees, and acceptable formats — is the single most effective way to avoid an enforcement action.

Investing in comprehensive HIPAA training and certification for your workforce ensures that every team member who touches access requests understands the regulatory requirements before a complaint reaches OCR's desk.

Narrow Exceptions: When You Can Deny Access

The HIPAA right of access is broad, but it is not unlimited. You may deny access without giving the individual an opportunity to request a review in the following circumstances:

  • Psychotherapy notes (maintained separately from the medical record)
  • Information compiled in reasonable anticipation of litigation
  • PHI maintained by certain research laboratories as part of a clinical trial, if the individual agreed to the restriction and the trial is still in progress
  • Records subject to the Privacy Act (5 U.S.C. § 552a) if denial meets the requirements of that law

There are also reviewable grounds for denial — situations where a licensed healthcare professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person. In these cases, the individual must be informed of their right to have the denial reviewed by a different licensed professional.

Every denial must be in writing, must state the basis, and must describe the individual's right to file a complaint with OCR. Document everything. In enforcement cases, OCR scrutinizes denials closely.

How OCR Investigates HIPAA Right of Access Complaints

OCR's investigation process is straightforward — and unforgiving. When an individual files a complaint, OCR contacts your organization and requests documentation: your access request policy, the specific request at issue, all internal communications, your fee schedule, and evidence of workforce training.

If your organization cannot produce a documented policy, evidence that the request was logged and tracked, or proof that your workforce received HIPAA right of access training, OCR treats the case as a presumptive violation. Most Right of Access Initiative settlements have involved organizations that simply could not demonstrate compliance — even if they eventually fulfilled the request.

OCR Director Melanie Fontes Rainer stated in 2023 that the Right of Access Initiative remains a top enforcement priority. There is no sign of that changing.

Five Steps to Protect Your Organization Now

Based on OCR enforcement patterns and corrective action plans from settled cases, here are the concrete steps your covered entity should implement immediately:

  • Centralize intake: Designate a single point of contact or department for all access requests. Log every request with a date-stamped tracking system.
  • Automate deadline tracking: Build 30-day and 60-day alerts into your workflow. Do not rely on manual calendaring.
  • Audit your fee schedule: Compare your current charges against OCR's fee guidance. Eliminate any search-and-retrieval charges or inflated per-page costs.
  • Train annually — and document it: Every workforce member who interacts with patients or medical records should complete annual training that specifically addresses the HIPAA right of access. A robust workforce HIPAA compliance program should cover access rights, the minimum necessary standard, and breach notification obligations.
  • Review your Notice of Privacy Practices: Ensure your NPP clearly describes the individual's right to access PHI, the process for making a request, and the right to file a complaint. This is a regulatory requirement under 45 CFR § 164.520.
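The intake, deadline-tracking and fee-audit steps above can be expressed as a small tracker. The code below is an added example written for this page, not a tool from OCR, the article's author or any vendor: it stamps each request with a received date, computes the 30-calendar-day deadline, allows exactly one extension (and only when written notice goes out within the initial window and the new date is within 30 further days), raises alerts for overdue and soon-due requests, and strips disallowed components (search and retrieval, overhead, unrequested postage, an un-agreed summary) from a proposed fee. The seven-day alert lead time, the request identifiers and all dates and dollar amounts are constructed sample values, not from the page.

```python
"""Access-request tracker: 30-day deadline, single documented extension, cost-based fee check."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

INITIAL_WINDOW_DAYS = 30   # act on a valid request within 30 calendar days (45 CFR 164.524)
EXTENSION_DAYS = 30        # one extension of up to 30 more days, with written notice
ALERT_LEAD_DAYS = 7        # assumed: flag anything due within a week


@dataclass
class AccessRequest:
    request_id: str
    received: date                              # date-stamped at intake
    fulfilled: Optional[date] = None
    denied_in_writing: Optional[date] = None    # a written denial also closes the request
    extension_notice_sent: Optional[date] = None
    extended_deadline: Optional[date] = None

    def initial_deadline(self) -> date:
        return self.received + timedelta(days=INITIAL_WINDOW_DAYS)

    def current_deadline(self) -> date:
        return self.extended_deadline or self.initial_deadline()

    def record_extension(self, notice_sent: date, new_deadline: date) -> None:
        """Record the single permitted extension; reject anything the Rule does not allow."""
        if self.extension_notice_sent is not None:
            raise ValueError(f"{self.request_id}: only one extension is permitted")
        if notice_sent > self.initial_deadline():
            raise ValueError(f"{self.request_id}: written notice must be sent within the initial 30 days")
        if new_deadline > self.initial_deadline() + timedelta(days=EXTENSION_DAYS):
            raise ValueError(f"{self.request_id}: extension may not exceed 30 additional days")
        self.extension_notice_sent = notice_sent
        self.extended_deadline = new_deadline

    def status(self, today: date) -> str:
        if self.fulfilled or self.denied_in_writing:
            return "closed"
        deadline = self.current_deadline()
        if today > deadline:
            return "overdue"
        if (deadline - today).days <= ALERT_LEAD_DAYS:
            return "due_soon"
        return "open"


def alerts(requests: List[AccessRequest], today: date) -> Dict[str, str]:
    """Requests that need attention now, keyed by id."""
    return {r.request_id: r.status(today) for r in requests
            if r.status(today) in ("overdue", "due_soon")}


def cost_based_fee(labor_copying: float, supplies: float, postage: float, mailing_requested: bool,
                   summary_prep: float, summary_agreed_in_advance: bool,
                   search_retrieval: float = 0.0, overhead: float = 0.0) -> Tuple[float, Dict[str, float]]:
    """Return (permissible fee, components dropped because 164.524(c)(4) does not allow them)."""
    disallowed: Dict[str, float] = {}
    if search_retrieval:
        disallowed["search_retrieval"] = search_retrieval
    if overhead:
        disallowed["overhead"] = overhead
    if postage and not mailing_requested:
        disallowed["postage_not_requested"] = postage
    if summary_prep and not summary_agreed_in_advance:
        disallowed["summary_not_agreed"] = summary_prep
    allowed = labor_copying + supplies
    if mailing_requested:
        allowed += postage
    if summary_agreed_in_advance:
        allowed += summary_prep
    return round(allowed, 2), disallowed


def sample_requests() -> List[AccessRequest]:
    """Constructed sample intake log (identifiers and dates are made up for this example)."""
    r1 = AccessRequest("REQ-1001", date(2024, 3, 1))    # due 2024-03-31
    r2 = AccessRequest("REQ-1002", date(2024, 2, 10))   # due 2024-03-11
    r3 = AccessRequest("REQ-1003", date(2024, 2, 20))   # due 2024-03-21, extended below
    r3.record_extension(notice_sent=date(2024, 3, 15), new_deadline=date(2024, 4, 10))
    r4 = AccessRequest("REQ-1004", date(2024, 3, 20))   # due 2024-04-19
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    today = date(2024, 3, 27)
    for rid, state in alerts(sample_requests(), today).items():
        print(f"{rid}: {state}")
    fee, dropped = cost_based_fee(6.50, 1.50, 3.20, True, 0.0, False, search_retrieval=25.0, overhead=10.0)
    print(f"permissible fee ${fee}; dropped {dropped}")
```

The extension guard is the part worth copying: an extension that is recorded without a notice date, or with a new deadline beyond the 60-day ceiling, is exactly what OCR's document request on L40 would surface, and the tracker refuses to log it.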

Business Associates and the Access Obligation

If a business associate maintains PHI in a designated record set on behalf of your covered entity, you remain responsible for fulfilling access requests. Your business associate agreements (BAAs) must clearly define each party's obligations for responding to access requests, including timelines and format requirements.

OCR will not accept "our vendor was slow" as a defense. Structure your BAAs to include performance standards and escalation paths for access requests. Monitor business associate compliance as part of your ongoing risk analysis under 45 CFR § 164.308(a)(1).

The Cost of Getting This Wrong

The financial penalties from OCR's Right of Access Initiative tell only part of the story. Corrective action plans imposed alongside monetary settlements typically require two to three years of OCR monitoring, mandatory policy revisions, workforce retraining, and regular compliance reporting. The operational burden is substantial — and entirely avoidable.

The HIPAA right of access is one of the most patient-visible elements of the Privacy Rule. When your organization handles it well, you build trust. When you don't, patients file complaints — and OCR acts. Get ahead of this now by ensuring your policies, workflows, and workforce training meet the standard OCR expects.