In September 2023, OCR settled with a health plan for $40,000 after the organization failed to provide a patient with timely access to their own medical records. It was not a data breach. It was not a cyberattack. It was a straightforward failure to honor patient privacy rights — and it is one of the most common violations OCR investigates. If your organization treats HIPAA as primarily a security issue, you are missing the half of the regulation that generates the most complaints.
The Full Scope of Patient Privacy Rights Under the Privacy Rule
The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes a set of individual rights that every covered entity and business associate must operationalize. These are not aspirational guidelines. They are enforceable requirements, and OCR has repeatedly demonstrated willingness to pursue organizations that ignore them.
Here is what the Privacy Rule guarantees to individuals regarding their protected health information (PHI):
- Right of Access: Patients can request and receive copies of their PHI in a designated record set, typically within 30 days.
- Right to Request Amendments: Patients can ask a covered entity to amend inaccurate or incomplete PHI.
- Right to an Accounting of Disclosures: Patients can request a log of certain disclosures of their PHI made in the prior six years.
- Right to Request Restrictions: Patients may ask that certain uses or disclosures of PHI be limited, including disclosures to health plans for services paid out of pocket.
- Right to Confidential Communications: Patients can request to receive communications about their health information through alternative means or at alternative locations.
- Right to a Notice of Privacy Practices: Every covered entity must provide a clear, written notice explaining how PHI is used and what rights the patient holds.
Each of these rights carries specific compliance obligations. Missing even one creates exposure to OCR enforcement action.
The Patient Access Failures OCR Keeps Penalizing
OCR's Right of Access Initiative, launched in 2019, has resulted in more than 45 enforcement actions and settlements totaling millions of dollars. The pattern is consistent: a patient requests their records, the covered entity delays or refuses, and the patient files a complaint with OCR.
In my work with covered entities, I find the same failure points repeatedly. Front desk staff do not know the 30-day deadline. Health information management departments require patients to use proprietary portals instead of honoring requests in the format the patient prefers. Organizations charge unreasonable fees that exceed the cost-based limits set by HHS guidance.
These are not sophisticated compliance problems. They are workforce training problems. Your staff must understand that when a patient requests access to their PHI, federal law requires your organization to respond — promptly and in the manner requested, when feasible.
Notice of Privacy Practices: More Than a Form to Sign
Healthcare organizations consistently struggle with the Notice of Privacy Practices (NPP). Many treat it as an intake formality — a piece of paper handed to the patient at check-in and never discussed again. The Privacy Rule requires far more.
Your NPP must accurately describe how your organization uses and discloses PHI, the individual's rights, and your legal duties. It must be updated when material changes occur. Health plans must distribute the NPP at enrollment and again within 60 days of any material revision. Direct treatment providers must make a good-faith effort to obtain a written acknowledgment of receipt.
If your NPP was last updated before the Omnibus Rule changes took effect in 2013, you are already out of compliance. If it does not mention the right to restrict disclosures for services paid out of pocket — a provision added by the HITECH Act — it needs immediate revision.
The Minimum Necessary Standard and Patient Rights
Patient privacy rights intersect directly with the minimum necessary standard. When your workforce accesses PHI to fulfill an access request, the scope is the designated record set — not the entire clinical database. When disclosing PHI for treatment, payment, or healthcare operations, your organization must limit access to what is reasonably necessary.
This means role-based access controls, clear policies on who can view what, and audit logs that verify compliance. A receptionist should not have the same level of PHI access as a treating physician. Implementing the minimum necessary standard is both a Privacy Rule and Security Rule obligation.
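As an added illustration (not code from the original article), the following Python sketch shows how minimum-necessary scoping can be enforced by checking both the workforce member's role and the stated purpose, logging every decision for audit review; the PHI categories, roles, purposes and user names are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed example: PHI categories, role ceilings and purpose scopes.
# The designated record set is what a patient access request may draw on.
DESIGNATED_RECORD_SET = {"demographics", "clinical_notes", "lab_results", "billing"}

ROLE_PERMISSIONS = {
    "receptionist": {"demographics", "scheduling"},
    "physician": {"demographics", "scheduling", "clinical_notes", "lab_results"},
    "billing_clerk": {"demographics", "billing"},
    "him_specialist": set(DESIGNATED_RECORD_SET),  # fulfils patient access requests
}

# The stated purpose narrows the role's ceiling further (minimum necessary).
PURPOSE_SCOPE = {
    "treatment": {"demographics", "scheduling", "clinical_notes", "lab_results"},
    "payment": {"demographics", "billing"},
    "patient_access_request": set(DESIGNATED_RECORD_SET),
}

def authorize(user, role, purpose, category, audit_log):
    """Allow access only if both the role and the purpose permit the category.
    Every decision, allowed or denied, is appended to audit_log so a compliance
    review can verify that the minimum necessary standard was applied.
    """
    role_ok = category in ROLE_PERMISSIONS.get(role, set())
    purpose_ok = category in PURPOSE_SCOPE.get(purpose, set())
    allowed = role_ok and purpose_ok
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,
        "category": category,
        "allowed": allowed,
        "reason": "ok" if allowed else ("role" if not role_ok else "purpose"),
    })
    return allowed

def denied_events(audit_log):
    """Return the denied decisions, the entries a privacy officer reviews first."""
    return [e for e in audit_log if not e["allowed"]]

if __name__ == "__main__":
    log = []
    authorize("jdoe", "receptionist", "treatment", "clinical_notes", log)  # denied: role
    authorize("drsmith", "physician", "payment", "lab_results", log)       # denied: purpose
    print(denied_events(log))
```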
Workforce Training That Actually Protects Patient Privacy Rights
Every HIPAA violation traced back to a workforce member who did not understand patient privacy rights is, at its core, a training failure. The Privacy Rule at 45 CFR §164.530(b) requires that your covered entity train all workforce members on policies and procedures relevant to their job functions. New members must be trained within a reasonable period after joining. Retraining is required whenever material changes are made.
Generic annual slideshows do not satisfy this standard. Your training must address the specific rights patients hold, the timelines your staff must meet, the fees you can and cannot charge, and the consequences of noncompliance. Investing in a structured HIPAA training and certification program ensures your workforce understands these obligations at every level — from intake coordinators to compliance officers.
Building a Privacy Rights Compliance Checklist
If you want to test your organization's readiness, start with these questions:
- Can your staff articulate the six core patient privacy rights without looking them up?
- Does your organization have a documented process for responding to access requests within 30 days?
- Has your Notice of Privacy Practices been reviewed and updated since the Omnibus Rule?
- Do you conduct a risk analysis that accounts for improper denials of access, not just data breaches?
- Are workforce training records maintained and current for every employee?
If you answered no to any of these, your organization has gaps that OCR can and will identify. A comprehensive compliance platform like HIPAA Certify can help you close those gaps systematically — from policy documentation to workforce training tracking.
OCR Is Watching — Act Before the Complaint
Patient privacy rights are not a secondary concern buried in regulatory appendices. They are the centerpiece of HIPAA's purpose. OCR receives approximately 30,000 complaints per year, and right-of-access complaints consistently rank among the most investigated categories.
Your organization cannot afford to treat these rights as optional or delegate them to outdated paper processes. Train your workforce. Update your Notice of Privacy Practices. Respond to every access request within the legal timeframe. The cost of compliance is always less than the cost of an OCR investigation.