In 2023, OCR settled with a health system for $40,000 after it failed to give a patient timely access to her own medical records, a right guaranteed under HIPAA since the Privacy Rule took effect in 2003. The case was part of OCR's ongoing Right of Access Initiative, which has produced more than 45 enforcement actions since 2019. Every one of those actions turned on the same failure: an organization treating a right the Privacy Rule grants to patients, and that the federal government considers non-negotiable, as optional.

If your covered entity treats patient rights as a courtesy rather than a legal mandate, you are exposed. Here is exactly what the Privacy Rule requires and how to operationalize each right across your workforce.

The Full Scope of the Privacy Rule Grant to Patients

The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes a specific set of individual rights over protected health information (PHI). These are not suggestions. They are enforceable obligations that apply to every covered entity and, in certain situations, to business associates.

The core rights the Privacy Rule grants to patients include:

  • Right of Access — Patients can inspect and obtain a copy of their PHI in a designated record set (§164.524).
  • Right to Amend — Patients can request corrections to inaccurate or incomplete PHI (§164.526).
  • Right to an Accounting of Disclosures — Patients can receive a list of certain disclosures made of their PHI over the prior six years (§164.528).
  • Right to Request Restrictions — Patients can ask that your organization limit how PHI is used or disclosed for treatment, payment, or healthcare operations (§164.522(a)).
  • Right to Confidential Communications — Patients can request to receive communications through alternative means or at alternative locations (§164.522(b)).
  • Right to a Notice of Privacy Practices — Patients must receive a clear explanation of how their PHI may be used and what rights they hold (§164.520).

Each of these rights carries specific response timelines, documentation requirements, and permissible exceptions. Missing any of them puts your organization squarely in OCR's enforcement crosshairs.

The Right of Access: Where Most HIPAA Violations Occur

OCR's Right of Access Initiative has made one thing unmistakably clear: of all the rights the Privacy Rule grants to patients, the right to access one's own records is the one most often violated and most often enforced. Settlements and penalties in these cases have ranged from $3,500 to $240,000.

Under §164.524, your organization must act on an access request, by providing the records or issuing a written denial, no later than 30 calendar days after receiving it. A single extension of up to 30 days is permitted, but only if you notify the patient in writing within the initial 30 days, stating the reason for the delay and the date by which you expect to complete the request. The rule also caps fees: you may charge only a reasonable, cost-based fee covering labor for copying, supplies, postage, and a summary or explanation the patient agreed to, and you cannot charge for searching for or retrieving the records.

Healthcare organizations consistently struggle with access requests that arrive through non-standard channels: verbal requests, patient portal messages, or requests directed to clinical staff rather than health information management. Your policies must account for all of these. You may require that requests be made in writing, and you may offer your own form, but only if patients are told of the requirement and it does not delay or obstruct access; a clear request that arrives some other way must still be routed to the people who handle access, not ignored.

Operationalizing Patient Rights Across Your Workforce

The minimum necessary standard often dominates HIPAA training conversations, but workforce training on patient rights is equally critical and far more frequently neglected. Every staff member who interacts with patients or handles PHI needs to know which rights the Privacy Rule grants to patients and how to route each kind of request.

Front-desk staff, for example, should know that a patient asking for "my records" has triggered a legal obligation under §164.524. Clinical and billing staff should understand the one restriction request you cannot refuse: under §164.522(a)(1)(vi), added by the 2013 Omnibus Rule, a patient who has paid for an item or service out of pocket in full can require that you not disclose PHI about it to a health plan for payment or healthcare operations, unless the disclosure is otherwise required by law. Such a request must be honored, not dismissed, and the rule does not require it to be in writing.

Building this competency starts with structured HIPAA training and certification that goes beyond basic privacy awareness and addresses the practical workflows your teams face daily.

How Your Notice of Privacy Practices Sets Expectations

Your Notice of Privacy Practices (NPP) is the foundational document that communicates the rights the Privacy Rule grants to patients at your organization. Under §164.520, the NPP must describe each individual right, explain how to exercise those rights, explain how to file a complaint with your organization and with HHS, and identify a contact person or office for questions and complaints.

OCR has cited organizations for NPPs that are outdated, incomplete, or never actually distributed. After the Omnibus Rule, all NPPs required updates to reflect breach notification obligations and the expanded right to restrict disclosures. If your NPP has not been revised since the Omnibus Rule's September 2013 compliance date, it is almost certainly non-compliant.

Review and update your NPP whenever there is a material change to your privacy practices, and at least annually as a matter of discipline. Post it prominently in your facility and on your website, and keep the documentation the rule expects: a provider with a direct treatment relationship must make a good-faith effort to obtain the patient's written acknowledgment of receipt at the first service delivery and, if that fails, must document the effort and why acknowledgment was not obtained (§164.520(c)(2)).

Accounting of Disclosures and Amendment Requests: The Overlooked Rights

The right to an accounting of disclosures under §164.528 requires your organization to track and report, on request, the disclosures of a patient's PHI made in the prior six years other than those the rule carves out: disclosures for treatment, payment, and healthcare operations, disclosures to the patient, disclosures under a valid authorization, incidental disclosures, and a few other categories. Each listed disclosure must show the date, the recipient (with address if known), a brief description of the PHI, and the purpose, and you have 60 days to respond, with one 30-day extension. Many organizations lack the systems to generate these reports accurately, which creates a compliance gap that only surfaces when a patient or OCR asks for proof.
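To show what that report generation actually involves, here is an added example (not the article's code and not any vendor's product) that builds a §164.528 accounting from a disclosure log. It assumes each log entry is tagged with a purpose label of the organization's own choosing; the label names, the Disclosure fields, the accounting_for function and the sample log are all inventions of this example.

```python
"""Accounting of disclosures (§164.528) from a purpose-tagged disclosure log.

Added example, not the article's code. Purpose labels are this example's own
convention; a real system would map its own codes onto the rule's exclusions.
"""
from dataclasses import dataclass
from datetime import date

# Categories that §164.528(a)(1) carves out of an accounting (example labels).
EXCLUDED_PURPOSES = {
    "treatment", "payment", "operations",  # TPO
    "to_individual",                        # disclosure to the patient
    "authorization",                        # under a valid §164.508 authorization
    "incidental",                           # incident to a permitted use
    "facility_directory",
    "limited_data_set",
}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str           # person or entity that received the PHI
    recipient_address: str   # address if known, otherwise ""
    description: str         # brief description of the PHI disclosed
    purpose: str             # purpose label; doubles as the "statement of purpose"


def _years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_for(log, patient_id, requested_on, period_years=6):
    """Return the accounting entries owed to `patient_id`, oldest first.

    The lookback cannot exceed the six years the rule allows, but a patient may
    ask for a shorter period. Each entry carries the four items §164.528(b)(2)
    requires: date, recipient (with address if known), description, purpose.
    """
    if not 1 <= period_years <= 6:
        raise ValueError("accounting period must be between 1 and 6 years")
    window_start = _years_before(requested_on, period_years)
    entries = []
    for d in log:
        if d.patient_id != patient_id:
            continue
        if not (window_start <= d.disclosed_on <= requested_on):
            continue  # outside the period the patient is entitled to
        if d.purpose in EXCLUDED_PURPOSES:
            continue  # not an accountable disclosure
        entries.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient,
            "recipient_address": d.recipient_address or "unknown",
            "phi_disclosed": d.description,
            "purpose": d.purpose,
        })
    entries.sort(key=lambda e: e["date"])
    return entries


# Constructed sample log for the example; not real patients or disclosures.
SAMPLE_LOG = [
    Disclosure("P-100", date(2023, 3, 2), "Dr. A. Patel, Cardiology", "", "visit notes", "treatment"),
    Disclosure("P-100", date(2022, 8, 15), "County Health Department", "1 Civic Plaza", "positive TB test", "public_health"),
    Disclosure("P-100", date(2017, 5, 1), "County Health Department", "1 Civic Plaza", "immunization record", "public_health"),
    Disclosure("P-100", date(2024, 1, 20), "Superior Court, Docket 24-112", "", "records 2021-2023", "court_order"),
    Disclosure("P-100", date(2023, 11, 5), "Life Insurer Co.", "", "full chart", "authorization"),
    Disclosure("P-200", date(2023, 6, 30), "State Registry", "", "cancer case report", "public_health"),
]

if __name__ == "__main__":
    for entry in accounting_for(SAMPLE_LOG, "P-100", date(2024, 6, 1)):
        print(entry)
```

Running it against the sample log for patient P-100 on 2024-06-01 yields two entries (the 2022 public-health report and the 2024 court-ordered disclosure): the treatment and authorization disclosures are excluded by category, the 2017 report falls outside the six-year window, and P-200's entry belongs to someone else. The point of the exclusion set is that it has to be decided when the disclosure is logged, not reconstructed when the patient asks.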

Amendment requests under §164.526 also demand a disciplined process. You have 60 days to act, with one 30-day extension permitted on written notice. If you deny an amendment in whole or in part, you must provide a written denial in plain language that states the basis for the decision, tells the patient they may submit a statement of disagreement, and explains how to complain to you and to HHS. Going forward, the request, the denial, and any statement of disagreement (with your rebuttal, if you write one) must be linked to the disputed record so they accompany future disclosures of it.
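The access and amendment clocks described above share one shape: a fixed initial period, a single extension on written notice, and then an overdue state; the accounting clock in §164.528(c)(1) has the same 60-plus-30 shape. The following is an added example, not the article's code or any product's, of a tracker that enforces that shape. The kind labels, the PatientRequest fields, and the sample requests are assumptions made for the example.

```python
"""Deadline tracking for patient-rights requests (added example, not the article's code).

Clocks in calendar days from receipt, with the single permitted extension:
  access      §164.524(b)(2)  30 days, one extension of up to 30 days
  amendment   §164.526(b)(2)  60 days, one extension of up to 30 days
  accounting  §164.528(c)(1)  60 days, one extension of up to 30 days
The kind labels and PatientRequest fields are this example's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CLOCKS = {
    "access": (30, 30),
    "amendment": (60, 30),
    "accounting": (60, 30),
}


@dataclass
class PatientRequest:
    request_id: str
    kind: str
    received_on: date
    channel: str                       # how it arrived: "portal", "verbal", "mail", ...
    extension_notice_sent_on: Optional[date] = None
    extension_reason: str = ""
    completed_on: Optional[date] = None

    def __post_init__(self):
        if self.kind not in CLOCKS:
            raise ValueError(f"unknown request kind: {self.kind}")

    @property
    def initial_due(self) -> date:
        return self.received_on + timedelta(days=CLOCKS[self.kind][0])

    @property
    def due(self) -> date:
        """Current deadline: the initial clock plus the extension, if one was taken."""
        if self.extension_notice_sent_on is None:
            return self.initial_due
        return self.initial_due + timedelta(days=CLOCKS[self.kind][1])

    def extension_available(self) -> bool:
        return self.extension_notice_sent_on is None

    def extend(self, notice_sent_on: date, reason: str) -> date:
        """Take the one permitted extension and return the new deadline.

        The rule allows it once, only with a written statement of the reason
        (and expected completion date), and the notice must go out within the
        initial response period. Each violation is refused rather than hidden.
        """
        if not self.extension_available():
            raise ValueError(f"{self.request_id}: only one extension is permitted")
        if not reason.strip():
            raise ValueError(f"{self.request_id}: extension notice needs a written reason")
        if not (self.received_on <= notice_sent_on <= self.initial_due):
            raise ValueError(f"{self.request_id}: notice must be sent within the initial period")
        self.extension_notice_sent_on = notice_sent_on
        self.extension_reason = reason
        return self.due

    def is_overdue(self, today: date) -> bool:
        return self.completed_on is None and today > self.due


def overdue_requests(requests, today):
    """IDs of open requests past their current deadline, earliest deadline first."""
    late = [r for r in requests if r.is_overdue(today)]
    return [r.request_id for r in sorted(late, key=lambda r: r.due)]


def build_sample():
    """Constructed sample queue for the example; not real requests."""
    reqs = [
        PatientRequest("REQ-1", "access", date(2024, 1, 10), "portal"),
        PatientRequest("REQ-2", "amendment", date(2024, 1, 10), "mail"),
        PatientRequest("REQ-3", "access", date(2024, 1, 10), "verbal"),
    ]
    reqs[0].extend(date(2024, 2, 1), "records held off-site; expected by 2024-03-01")
    reqs[2].completed_on = date(2024, 2, 5)
    return reqs


if __name__ == "__main__":
    print(overdue_requests(build_sample(), date(2024, 3, 11)))
```

Run as a script it lists REQ-1 and REQ-2: the extended access request received on 10 January is due 10 March, the unextended amendment request has the same deadline, and the verbal request was fulfilled in time. A second call to extend() on REQ-1 raises, which is the design choice that matters: a tracker that silently accepts another extension turns a reportable violation into a clean-looking record.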

Documenting these workflows and training your team to execute them is not optional — it is a regulatory requirement under the Privacy Rule's administrative provisions.

Build a Compliance Infrastructure That Protects Patient Rights

Honoring every patient right under the Privacy Rule is not just about avoiding penalties. It is the baseline expectation for any organization that handles protected health information. When your risk analysis identifies gaps in how patient requests are received, tracked, and fulfilled, those gaps need immediate remediation.

Start by auditing your current processes against each of the six core patient rights. Identify which departments handle requests, how those requests are logged, and whether your response timelines are being met. Then invest in workforce HIPAA compliance programs that translate regulatory requirements into daily operational habits.

OCR is not slowing down its enforcement of patient rights. The organizations that treat the rights the Privacy Rule grants to patients as a living operational commitment, not a once-a-year training checkbox, are the ones that stay off the enforcement list.