In 2019, OCR launched its HIPAA Right of Access Initiative — and since then, it has settled more than 45 enforcement actions specifically targeting organizations that failed to provide patients timely access to their own medical records. Each case followed the same pattern: a patient filed a complaint, OCR investigated, and the covered entity paid penalties ranging from $3,500 to $240,000. Every one of these cases was a HIPAA rights violation that was entirely preventable.

If your organization handles protected health information, the patient rights provisions under the HIPAA Privacy Rule are not optional courtesies — they are enforceable federal requirements. And OCR has made clear, through years of aggressive enforcement, that it treats these violations as seriously as any security breach.

What Qualifies as a HIPAA Rights Violation Under the Privacy Rule

The HIPAA Privacy Rule (45 CFR §164.524) grants individuals a clear right to access, inspect, and obtain a copy of their PHI maintained in a designated record set. A HIPAA rights violation occurs when a covered entity or business associate denies, delays, or unreasonably restricts that access.

But access rights are only one category. Under 45 CFR Part 164, patients also have the right to:

  • Request amendments to their protected health information (§164.526)
  • Receive an accounting of disclosures of their PHI (§164.528)
  • Request restrictions on certain uses and disclosures (§164.522)
  • Receive a Notice of Privacy Practices explaining how their information is used (§164.520)
  • File a complaint with OCR if they believe their rights have been violated

Failing to honor any of these rights — whether through organizational neglect, inadequate training, or deliberate obstruction — constitutes a violation that OCR can and does enforce.

The Right of Access Initiative: OCR's Enforcement Track Record

OCR's Right of Access Initiative has produced a clear message: patient access complaints will be investigated and resolved. Between 2019 and 2024, enforcement actions have targeted hospitals, dental practices, behavioral health providers, and health plans of every size.

In one notable 2022 case, a hospital system paid $200,000 after failing to provide a mother with her unborn child's medical records within the required 30-day window. In another, a small dental practice paid $30,000 because its front-desk staff simply did not know how to process an access request. Both were textbook examples of a HIPAA rights violation driven by workforce gaps.

The penalties follow OCR's four-tier structure under the HITECH Act, which ranges from $100 per violation for unknowing violations up to $50,000 or more per violation for willful neglect. Annual caps can reach $1.5 million per violation category. These are not theoretical numbers — they are amounts OCR has actually collected.

Where Healthcare Organizations Consistently Fall Short

In my work with covered entities, I see the same failure points repeatedly. The most common is simply not having a documented process for handling patient access requests. Staff receive a request, are unsure how to respond, and the 30-day deadline passes without action.

Other frequent breakdowns include:

  • Overcharging for copies: The Privacy Rule limits fees to a reasonable, cost-based amount. Some organizations still charge per-page rates that exceed what the rule allows.
  • Requiring patients to use proprietary portals: Patients have the right to receive their PHI in the format they request, if readily producible. You cannot force them to use your patient portal as the only access method.
  • Failing to apply the minimum necessary standard correctly: While the minimum necessary standard applies to many uses and disclosures, it does not apply when the individual requests access to their own records. Some staff mistakenly redact information the patient is entitled to see.
  • Ignoring business associate obligations: If a business associate maintains PHI on your behalf, your organization is still responsible for ensuring patient rights are honored. The obligation does not transfer away.

The Workforce Training Requirement Most Organizations Underestimate

Nearly every HIPAA rights violation OCR has pursued could have been prevented by adequate workforce training. Under 45 CFR §164.530(b), covered entities must train all workforce members on policies and procedures related to PHI — including patient rights provisions — and this training must occur within a reasonable period after hiring and whenever material changes occur.

Yet many organizations treat HIPAA training as a once-a-year compliance checkbox focused exclusively on data breaches and password hygiene. Patient rights — the area OCR is most actively enforcing — often receives five minutes of attention in a 30-minute module.

Your front-desk staff, medical records teams, and practice managers need specific, practical training on how to receive and fulfill access requests, how to handle amendment requests, and when to escalate issues. This is exactly the kind of gap that a comprehensive HIPAA training and certification program is designed to close.

Five Steps to Prevent a HIPAA Rights Violation in Your Organization

1. Audit your current access request workflow. Trace the path from the moment a patient submits a request to the moment they receive their records. Identify every point where delay or denial could occur.

2. Document and distribute a written policy. Your access request policy should specify the responsible person, the timeline (30 calendar days, with one 30-day extension if written notice is provided), acceptable formats, and fee schedules compliant with the Privacy Rule.

3. Train every workforce member who touches PHI. This includes clinical staff, administrative personnel, IT teams, and any business associate workforce with access to designated record sets. Partnering with a dedicated platform like HIPAA Certify for workforce HIPAA compliance ensures training stays current with OCR's evolving enforcement priorities.

4. Conduct a risk analysis that includes patient rights. Most organizations limit their HIPAA risk analysis to the Security Rule. Expand yours to assess privacy risks, including the risk that patient rights requests are being mishandled or ignored.

5. Monitor and log every request. Maintain a tracking system that records the date each request is received, the actions taken, and the date the response is provided. This log is your primary evidence of compliance if OCR comes calling.
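The tracking system in step 5 and the timeline in step 2 are easy to get wrong in practice: the clock starts on the date of receipt, the extension is available once, and the written notice has to go out before the original 30 days run out. The following Python sketch is an added example (not code from the article or from any product it mentions) showing how a request log can enforce those rules and surface overdue requests for review. The record fields, the `AccessRequest` class and the three sample requests are constructed for illustration; a real system would persist the log and protect it as it would any other compliance record.

```python
"""Patient access-request tracker (added example, not from the original article).

Models the 45 CFR 164.524 timeline described in the text: a response is due
30 calendar days after receipt, and one 30-day extension is allowed only if
written notice of the delay is sent within the original 30-day window. Field
names, the class shape and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_WINDOW = timedelta(days=30)  # calendar days, per the Privacy Rule


@dataclass
class AccessRequest:
    request_id: str
    received: date                      # the day the clock starts
    requested_format: str               # e.g. "paper", "PDF", "CCD"; honored if readily producible
    extension_notice_sent: Optional[date] = None
    fulfilled: Optional[date] = None
    actions: List[str] = field(default_factory=list)  # append-only activity log

    def log(self, when: date, note: str) -> None:
        """Record what was done and when; this is the evidence step 5 asks for."""
        self.actions.append(f"{when.isoformat()} {note}")

    def extend(self, when: date) -> None:
        """Record the single permitted 30-day extension, with its written notice."""
        if self.extension_notice_sent is not None:
            raise ValueError("only one extension is permitted per request")
        if when > self.received + RESPONSE_WINDOW:
            raise ValueError("extension notice must be sent within the original 30-day window")
        self.extension_notice_sent = when
        self.log(when, "written notice of 30-day extension sent to patient")

    def fulfil(self, when: date, how: str) -> None:
        self.fulfilled = when
        self.log(when, f"records provided ({how})")

    def due_date(self) -> date:
        """Original deadline, pushed out by one window if a valid extension was recorded."""
        due = self.received + RESPONSE_WINDOW
        if self.extension_notice_sent is not None:
            due += RESPONSE_WINDOW
        return due

    def status(self, today: date) -> str:
        if self.fulfilled is not None:
            return "fulfilled_on_time" if self.fulfilled <= self.due_date() else "fulfilled_late"
        return "overdue" if today > self.due_date() else "open"


def overdue_requests(requests: List[AccessRequest], today: date) -> List[str]:
    """IDs of open requests past their deadline; the list a compliance officer should review daily."""
    return [r.request_id for r in requests if r.status(today) == "overdue"]


def build_sample_log() -> List[AccessRequest]:
    """Three constructed requests covering the on-time, extended and overdue paths."""
    r1 = AccessRequest("REQ-0001", date(2024, 1, 10), "PDF")
    r1.log(date(2024, 1, 10), "request received at front desk")
    r1.fulfil(date(2024, 1, 25), "encrypted PDF sent to patient")

    r2 = AccessRequest("REQ-0002", date(2024, 1, 10), "paper")
    r2.log(date(2024, 1, 10), "request received by mail")
    r2.extend(date(2024, 2, 5))  # notice sent inside the original window, so it counts

    r3 = AccessRequest("REQ-0003", date(2024, 1, 2), "PDF")
    r3.log(date(2024, 1, 2), "request received via portal message")
    # Nothing further happened: this is the failure pattern the article describes.
    return [r1, r2, r3]


if __name__ == "__main__":
    today = date(2024, 2, 20)
    for req in build_sample_log():
        print(req.request_id, "due", req.due_date(), req.status(today))
    print("overdue:", overdue_requests(build_sample_log(), today))
```

Running the block on the constructed data reports REQ-0001 as fulfilled on time, REQ-0002 as open with a deadline of 2024-03-10 after its extension, and REQ-0003 as overdue, which is exactly the request a daily review of `overdue_requests()` would catch before it becomes a complaint. A second call to `extend()` on the same request, or a notice dated after the original deadline, is rejected rather than silently moving the due date.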

OCR Is Not Slowing Down — Your Compliance Must Keep Up

OCR's enforcement of patient rights under HIPAA has accelerated every year since the Right of Access Initiative launched. Acting Director Melanie Fontes Rainer has publicly stated that patient access remains a top enforcement priority heading into 2025.

A HIPAA rights violation is not an abstract regulatory risk. It is a specific, documented pattern that begins with one patient complaint and ends with a corrective action plan, a financial penalty, and reputational damage that no healthcare organization can afford. The organizations that avoid this outcome are the ones that invest in documented processes, ongoing workforce training, and a culture that treats patient rights as a core operational obligation — not an afterthought.