A Mother Couldn't Get Her Own Son's Medical Records — Then the Feds Got Involved
In 2019, a small medical practice in Florida denied a mother access to her minor child's immunization records. She asked three times. Each time, the front desk told her to "submit a formal request in writing." She did. They ignored it. Eventually she filed a complaint with the Office for Civil Rights (OCR), and the practice ended up paying a $100,000 settlement.
One hundred thousand dollars — because a front desk employee didn't understand patient privacy rights under HIPAA.
I've seen variations of this story play out across hundreds of covered entities. Not because people are malicious, but because they're undertrained and overconfident. Your staff probably handles dozens of records requests per month. And I'd bet money at least a few of those interactions are handled incorrectly.
This post breaks down what patient privacy rights actually require of your organization, where practices most commonly fail, and the real financial consequences of getting it wrong.
What Are Patient Privacy Rights Under HIPAA?
The HIPAA Privacy Rule — codified at 45 CFR Part 164, Subpart E — grants individuals a specific set of rights regarding their protected health information (PHI). These aren't suggestions. They're enforceable mandates, and OCR has shown repeatedly that it will pursue organizations that violate them.
Here's what patients are legally entitled to:
- Right of Access: Patients can request and receive copies of their medical records in the format they prefer, within 30 days.
- Right to Amend: Patients can ask you to correct inaccurate or incomplete PHI.
- Right to an Accounting of Disclosures: Patients can request a log of the parties with whom their PHI has been shared, outside of treatment, payment, and healthcare operations.
- Right to Request Restrictions: Patients can ask you to limit how you use or share their PHI, though you're not always obligated to agree.
- Right to Confidential Communications: Patients can request that you contact them only through specific channels — a personal cell phone instead of a home number, for example.
- Right to a Notice of Privacy Practices: Patients must receive a clear explanation of how their PHI will be used.
Every one of these rights has been the basis of an OCR enforcement action. Every single one.
The HIPAA Right of Access Initiative: OCR's Favorite Enforcement Tool
If you haven't been paying attention to OCR's Right of Access Initiative, you need to start now. Since HHS launched this enforcement priority in 2019, it has resulted in more than 45 enforcement actions — and the penalties keep climbing.
Here are a few real examples:
- Banner Health (2023): $1,250,000 settlement after failing to provide a patient timely access to their records.
- NY Spine Medicine (2022): $300,000 penalty for ignoring a patient's records request for over two years.
- Diabetes, Endocrinology & Lipidology Center, Inc. (2020): $5,000 settlement — a small practice that simply failed to respond within the required timeframe.
The pattern is clear. OCR doesn't care if you're a 10,000-bed hospital system or a solo practitioner. If you violate patient privacy rights, you're a target. You can review the full list of enforcement actions on the HHS enforcement outcomes page.
Why Small Practices Get Hit the Hardest
Large health systems have compliance departments, legal counsel, and dedicated privacy officers. Small practices have an office manager who also handles billing, scheduling, and the occasional plumbing emergency.
I've consulted with practices where the person handling records requests had never read the Privacy Rule. Not once. They were going off what they'd been told by the last person in the role — who had also never read it.
This is exactly why investing in proper HIPAA workforce training isn't optional. It's the single most cost-effective way to prevent the kind of violations that trigger OCR investigations.
The 5 Most Common Patient Privacy Rights Violations I've Seen
After two decades of consulting, these are the mistakes I encounter most frequently. Your organization is probably making at least one of them right now.
1. Charging Excessive Fees for Record Copies
HIPAA allows you to charge a reasonable, cost-based fee. It does not allow you to charge $1.25 per page for a 500-page record. Some states have specific fee schedules. OCR has made clear that excessive fees constitute a denial of access.
2. Exceeding the 30-Day Response Window
You get 30 calendar days from the date of the request. You can extend that by 30 more days with written notice. But "we'll get to it eventually" is not a valid extension. I've watched practices blow past 90 days and act shocked when the complaint arrives.
3. Requiring Patients to Pick Up Records In Person
If a patient asks for their records to be mailed or emailed, you must accommodate that request — even if it's inconvenient for your workflow. Telling someone they have to drive across town to pick up a CD-ROM is a violation.
4. Refusing Requests from Personal Representatives
Parents, legal guardians, and individuals with healthcare power of attorney have the same access rights as the patient in most situations. Turning away a personal representative because "only the patient can request records" is wrong and sanctionable.
5. Failing to Train Staff on Access Procedures
This is the root cause of nearly every violation I've listed. Your front desk staff, your medical records team, your nurses — they all need to know how patient privacy rights work. Not in theory. In practice. Every time they answer a phone or respond to a portal message.
How Long Does a Practice Have to Respond to a Medical Records Request?
A covered entity must provide access to requested PHI within 30 calendar days of receiving the request. If the records are maintained offsite, the entity may take a one-time 30-day extension, but must notify the patient in writing with the reason for the delay and the expected completion date. Failure to meet this timeline is a direct violation of 45 CFR § 164.524 and has been the basis of dozens of OCR enforcement actions.
Building a Culture That Actually Respects Patient Privacy Rights
Policies are worthless if nobody reads them. Posters are worthless if nobody looks at them. The only thing that consistently moves the needle is training that's specific, scenario-based, and regular.
Here's what I recommend to every organization I work with:
- Annual training for all workforce members — not just clinical staff. Front desk, billing, IT, janitorial. Anyone who could come into contact with PHI.
- Role-specific modules that address the exact situations each team member faces. A receptionist's HIPAA risks look nothing like a network administrator's.
- Documented sign-off for every training session. OCR will ask for proof. "We talked about it at a meeting" doesn't count.
- Quarterly refreshers focused on real-world scenarios like records requests, breach notification, and minimum necessary standards.
If you're looking for a structured approach that covers all of these requirements, explore the full HIPAA training catalog at HIPAACertify to find role-appropriate courses for your entire workforce.
What Happens When You Get It Right
Organizations that take patient privacy rights seriously don't just avoid fines. They build trust. Patients talk. They leave reviews. They refer friends. I've watched practices transform their reputations simply by handling records requests promptly and respectfully.
On the flip side, a single OCR investigation — even one that doesn't result in a penalty — can consume hundreds of staff hours, require expensive legal counsel, and damage your standing with patients and payers alike.
OCR Isn't Slowing Down in 2026
The current HHS leadership has signaled that enforcement of the HIPAA Right of Access will remain a top priority through 2026 and beyond. The HHS guidance on individual access rights was updated to address electronic PHI (ePHI) access through patient portals, telehealth platforms, and third-party apps.
If your organization still treats records requests as an afterthought — or worse, as an annoyance — you're operating on borrowed time.
The Bottom Line for Your Organization
Patient privacy rights aren't an abstract legal concept. They're the daily interactions your team has with real people who want access to their own health information. Every delayed response, every excessive fee, every untrained receptionist is a potential six-figure liability.
Train your people. Document everything. Respond within 30 days. And stop treating compliance like a checkbox.
Because OCR isn't checking boxes. They're writing settlement checks — and the money comes from your budget.