In 2023, a dental practice in New England paid a $50,000 settlement to OCR after a patient filed a complaint alleging the practice refused to provide her with a copy of her medical records for over a year. The patient knew something the practice apparently didn't: she had enforceable rights under HIPAA, and a violation of HIPAA rights carries real consequences. This case is far from unusual — OCR's Right of Access Initiative alone has produced over 45 enforcement actions since 2019, all stemming from patients asserting the rights that covered entities failed to honor.
What Constitutes a Violation of HIPAA Rights?
The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes a set of individual rights regarding protected health information (PHI). When a covered entity or business associate fails to uphold these rights, it constitutes a violation of HIPAA rights — and patients have a direct path to file complaints with the Office for Civil Rights (OCR).
The specific rights guaranteed under the Privacy Rule include:
- Right of Access — Patients can request and receive copies of their PHI in a designated record set, typically within 30 days.
- Right to Amend — Patients can request corrections to inaccurate information in their records.
- Right to an Accounting of Disclosures — Patients can obtain a record of certain disclosures of their PHI made by the covered entity.
- Right to Request Restrictions — Patients can ask that certain uses or disclosures of their PHI be limited.
- Right to Confidential Communications — Patients can request that communications about their health information be delivered through alternative means or to alternative locations.
- Right to Receive a Notice of Privacy Practices — Covered entities must provide a clear description of how they use and disclose PHI.
Every one of these rights has been the subject of OCR enforcement actions. Healthcare organizations consistently struggle with operationalizing them — particularly the right of access.
The Right of Access: The Most Common Violation of HIPAA Rights
OCR Director Melanie Fontes Rainer has repeatedly stated that the Right of Access Initiative remains a top enforcement priority. Between 2019 and 2024, penalties in these cases ranged from $3,500 to $240,000 — proof that organization size does not determine enforcement risk.
The violation pattern is remarkably consistent: a patient requests their records, the covered entity delays or ignores the request, and the patient files a complaint. In many cases, the organization had no written policy governing record request fulfillment, no designated point of contact, and no tracking mechanism to ensure the 30-day deadline was met.
Your organization must treat record access requests as compliance events. Assign responsibility, track timelines, and document every response. This is not optional — it is a regulatory obligation under 45 CFR §164.524.
How Patients File Complaints for HIPAA Rights Violations
Patients who believe their rights have been violated can file a complaint with OCR electronically through the HHS complaint portal. Complaints must be filed within 180 days of the alleged violation, although OCR may grant extensions for good cause.
OCR evaluates every complaint and determines whether to investigate. When an investigation confirms a violation of HIPAA rights, outcomes range from voluntary corrective action plans to civil monetary penalties. In serious cases, OCR can refer matters to the Department of Justice for criminal prosecution under 42 U.S.C. §1320d-6.
What most healthcare organizations underestimate is this: OCR investigates even small practices. A solo practitioner who refuses a records request faces the same regulatory framework as a large health system. Compliance is not scaled by size — it is binary.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR §164.530(b), every member of your workforce must be trained on the policies and procedures relevant to their job functions — including how to handle patient rights requests. This is where violations frequently originate. A front-desk employee who doesn't know a patient has the right to request their records in electronic format creates an enforcement risk every time they interact with patients.
Training must be more than a checkbox exercise. Your workforce needs to understand the minimum necessary standard, proper PHI handling, and the specific rights patients hold under the Privacy Rule. Effective HIPAA training and certification programs build this knowledge systematically and provide documentation that proves compliance during an OCR investigation.
In my work with covered entities, I've seen organizations produce training records that were three years old during an audit. OCR expects training upon hire and whenever material changes are made to policies. If your workforce hasn't been trained on current requirements, you are exposed.
Steps to Prevent HIPAA Rights Violations in Your Organization
Preventing a violation of HIPAA rights requires deliberate, documented action. Here is what I recommend based on current enforcement trends:
- Conduct a thorough risk analysis — Evaluate how your organization processes patient rights requests and identify gaps. This is a requirement under the Security Rule and supports Privacy Rule compliance.
- Update your Notice of Privacy Practices — Ensure it accurately reflects every right patients hold and includes current contact information for your privacy officer.
- Implement a request tracking system — Log every patient access, amendment, and restriction request with dates and assigned staff.
- Train every workforce member annually — Include specific scenarios involving patient rights, not just generic PHI handling.
- Audit your business associate agreements — Your business associates handle PHI on your behalf. If they violate patient rights, the compliance failure traces back to your organization.
These are not aspirational goals. They are the baseline expectations OCR applies when evaluating whether a covered entity has met its obligations.
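The tracking control in the list above is the one most often missing in Right of Access cases, so here is a minimal version of it as an added example (not code from this article or from any compliance vendor). It logs each access, amendment, restriction or accounting request with its receipt date and assigned staff member, derives the response deadline from the 30-day window the article cites, and reports open requests that are past due, requests that were closed late, and requests coming due soon. The request IDs, dates and staff names are constructed sample data; the 30-day window is the only figure taken from the article.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Response window for access requests as stated in the article (45 CFR 164.524).
RESPONSE_WINDOW_DAYS = 30

# Request kinds that map to the Privacy Rule rights listed in the article.
REQUEST_TYPES = {"access", "amendment", "restriction", "accounting"}


@dataclass
class RightsRequest:
    request_id: str
    request_type: str                 # one of REQUEST_TYPES
    received: date                    # date the request reached the organization
    assigned_to: str                  # workforce member accountable for fulfilment
    completed: Optional[date] = None  # None while the request is still open
    notes: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")

    @property
    def due(self) -> date:
        """Deadline: receipt date plus the 30-day response window."""
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)

    def past_due(self, today: date) -> bool:
        """True if the request is open and the deadline has passed."""
        return self.completed is None and today > self.due

    def closed_late(self) -> bool:
        """True if the request was fulfilled, but after its deadline."""
        return self.completed is not None and self.completed > self.due


class RequestLog:
    """In-memory log of patient rights requests; one entry per request ID."""

    def __init__(self) -> None:
        self._requests: Dict[str, RightsRequest] = {}

    def open(self, req: RightsRequest) -> None:
        if req.request_id in self._requests:
            raise ValueError(f"duplicate request id {req.request_id}")
        self._requests[req.request_id] = req

    def close(self, request_id: str, completed: date, note: str) -> None:
        req = self._requests[request_id]
        if req.completed is not None:
            raise ValueError(f"{request_id} is already closed")
        req.completed = completed
        # Every response is documented with a dated note, as the article recommends.
        req.notes.append(f"{completed.isoformat()}: {note}")

    def overdue(self, today: date) -> List[str]:
        """Open requests whose 30-day deadline has already passed."""
        return sorted(r.request_id for r in self._requests.values() if r.past_due(today))

    def late_closures(self) -> List[str]:
        """Requests that were fulfilled after their deadline (audit finding)."""
        return sorted(r.request_id for r in self._requests.values() if r.closed_late())

    def due_within(self, today: date, days: int) -> List[str]:
        """Open, not-yet-overdue requests whose deadline falls within `days`."""
        horizon = today + timedelta(days=days)
        return sorted(
            r.request_id for r in self._requests.values()
            if r.completed is None and not r.past_due(today) and r.due <= horizon
        )

    def summary(self, today: date) -> Dict[str, int]:
        """Counts a compliance officer would report at a periodic review."""
        reqs = list(self._requests.values())
        return {
            "total": len(reqs),
            "open": sum(1 for r in reqs if r.completed is None),
            "open_overdue": len(self.overdue(today)),
            "closed_late": len(self.late_closures()),
        }


def build_sample_log():
    """Constructed sample data: four requests reviewed on 2024-03-31."""
    today = date(2024, 3, 31)
    log = RequestLog()
    log.open(RightsRequest("R-001", "access", date(2024, 2, 1), "A. Rivera"))
    log.close("R-001", date(2024, 2, 20), "electronic copy sent via patient portal")
    log.open(RightsRequest("R-002", "access", date(2024, 2, 15), "B. Chen"))   # still open, past due
    log.open(RightsRequest("R-003", "amendment", date(2024, 3, 20), "A. Rivera"))
    log.open(RightsRequest("R-004", "restriction", date(2024, 1, 5), "C. Okafor"))
    log.close("R-004", date(2024, 2, 10), "restriction accepted; closed late")
    return log, today


if __name__ == "__main__":
    log, today = build_sample_log()
    print("overdue:", log.overdue(today))
    print("closed late:", log.late_closures())
    print("due in 30 days:", log.due_within(today, 30))
    print("summary:", log.summary(today))
```

Run on the sample data, the log flags R-002 as open past its deadline and R-004 as a late closure, which is exactly the evidence an investigator asks for and the evidence the organizations described above could not produce.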
What OCR Enforcement Trends Mean for Your Compliance Program
OCR resolved over 800 cases in fiscal year 2023, many involving patient rights complaints. The agency has signaled that it will continue prioritizing individual rights enforcement alongside ransomware and breach-related investigations. Penalties under the Breach Notification Rule and Privacy Rule can reach $2,067,813 per violation category per year under the current inflation-adjusted penalty tiers.
Your compliance program must evolve with these enforcement priorities. A static policy manual and a one-time training session from 2020 will not survive scrutiny. Build a living compliance infrastructure with regular training, documented risk analyses, and clear accountability for patient rights fulfillment.
Partnering with a dedicated workforce HIPAA compliance platform ensures your team stays current on regulatory changes and your organization maintains the documentation OCR expects to see. Enforcement is not slowing down — and neither should your compliance efforts.