Lessons learned from OCR's Right of Access Initiative enforcement

By Valerie Breslin Montague

This article originally appeared in the American Health Law Association Health Law Weekly for October 1, 2021. Reposted with permission.

Over the past two years, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) kept its promise to "vigorously enforce"[1] patients' rights to promptly receive copies of their medical records without being overcharged. The publication of its latest Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative (Initiative) enforcement action on September 10, 2021 marks 20 enforcement actions under the Initiative.

What is the Initiative?

The HIPAA Right of Access Initiative, announced in 2019, allows OCR to emphasize the right of a patient or a patient's personal representative to receive their medical records in a timely manner without being inappropriately charged. Access is a fundamental patient right under HIPAA[2] and OCR has expressed concern that covered entities, including health care providers and health plans, were failing to provide timely access, not providing access, or overcharging.[3] Covered entities, and any business associates tasked with assisting with the provision of medical record access, must ensure that they are following the requirements of the HIPAA Privacy Rule with respect to the provision of access.

What is the Access Requirement?

Subject to limited exceptions[4], the HIPAA Privacy Rule requires that a covered entity afford a patient, or the patient's personal representative, access to inspect and obtain a copy of the protected health information (PHI) held in a designated record set.[5]

In addition to the limited information excepted from the right to access requirement, the Privacy Rule also permits covered entities to deny access requests under certain circumstances. For example, access to PHI created or obtained in the course of research may be temporarily suspended while the research is in progress, if the individual was so informed when they consented to the research.[6] An access request also may be denied if a licensed health care professional determines, in the exercise of their professional judgment, that the access requested is reasonably likely to endanger the life or safety of the requesting individual or another person.[7] Covered entities should take care to determine if any permissible denial is reviewable or non-reviewable. If reviewable, the covered entity must provide the individual with the opportunity to have the denial reviewed by a licensed health care professional who did not participate in the denial determination and who is designated by the covered entity to act as a reviewing official.[8]

The covered entity must act on a request for access no later than 30 days after its receipt of the request.[9] If it grants the request, it must inform the individual and provide access; if it denies the request, it must provide the individual with a written denial.[10] If the covered entity is not able to provide or deny access within 30 days, it may extend its response time for up to 30 days, provided that it notifies the individual of the reasons for the delay and the expected date on which it will act on the request.[11] The covered entity is limited to charging only a reasonable, cost-based fee for the copy of the PHI.[12] Covered entities should note that applicable state law may specify precise amounts or place additional limitations on the fees that a covered entity may charge a patient. In addition, when responding to an access request, health care providers need to consider not only the HIPAA Privacy Rule, but also the 21st Century Cures Act's regulations implementing the information blocking prohibition.[13]

What Takeaways Can We Glean from the Initiative's Enforcement Actions?

Organizations of all types and all sizes are struggling with the Privacy Rule's right of access requirement

In its enforcement highlights, OCR states that lack of patient access to PHI is one of the compliance issues alleged most frequently in complaints to OCR.[14] The enforcement actions under the Initiative highlight that challenges complying with the right of access requirement are not unique to small providers or certain types of clinical entities. OCR entered into settlements with a single-clinician practice, an affiliated covered entity (ACE) comprised of 30 hospitals and additional clinical facilities, and many organizations in between.[15] It settled an alleged right of access violation with a nonprofit organization that provides health care to those living with HIV and AIDS, as well as with a cosmetic plastic surgery practice.[16] Neither organization size nor mission can shield an entity from enforcement.

Entities being investigated by OCR should jump at the chance to resolve a compliance issue through technical assistance

A major theme present in the Right of Access Initiative enforcement actions is that OCR often reached out to the entity and provided technical assistance.[17] In several instances, the entity did not, or did not fully, implement the guidance from OCR, leading to a financial settlement with a corrective action plan (CAP). For example, following a patient complaint, OCR reached out to Riverside Psychiatric Medical Group (RPMG) to provide technical assistance on how to comply with the HIPAA Privacy Rule right of access requirement. The next month, OCR received a second complaint from the RPMG patient who had not received her records. At this point, OCR initiated an investigation, determined that there was a potential HIPAA violation, and entered into a settlement with RPMG.[18]

The RPMG settlement is one of several that involved more than one complaint to OCR by the patient seeking access to medical records.[19] Once an entity receives outreach from OCR, it should work expeditiously to resolve the issue and provide the patient with access, if warranted. In another enforcement action, NY Spine Medicine only responded to OCR's investigation after multiple forms of outreach to the practice over a five-month period.[20] A covered entity should clearly train its workforce on how to handle OCR inquiries in order to ensure they are promptly addressed. Covered entities should take every opportunity offered by OCR to ensure that they are providing appropriate medical record access to individuals; doing so may prevent an enforcement action, or lessen a financial settlement or the length or terms of a CAP.

Covered entities should take special care when analyzing access requests from personal representatives

Many of the Right of Access Initiative enforcement actions concern access requests from personal representatives, often a parent requesting their child's records.[21] Given the variety of state laws at play governing health care services that a minor may consent to on their own, as well as the challenges of sorting through custodial arrangements and whether a person is legally permitted to receive information as a minor's personal representative, HIPAA covered entities need to take care when disclosing records of minors. However, they need to balance their desire to ensure that a requestor is entitled to receive an individual's PHI with their obligation to provide access to such information. Covered entities should carefully analyze access requests from personal representatives, yet ensure that they are providing the requested access in a timely and compliant manner. If a covered entity is prohibited from providing such access, then it should ensure that it is providing the requestor with a notice of the denial in a timely manner consistent with the Privacy Rule's access requirements.

When handling access request scenarios that involve partial access denials, covered entities should comply with both the requirements for the provision of access and the requirements for denial of access

The HIPAA Privacy Rule requires a covered entity to provide all of the requested PHI in response to an access request, unless it has a legal basis to deny access to certain information.[22]

Responding to an OCR investigation that it failed to provide a patient with a copy of her medical record, RPMG defended its access denial, responding that the patient's records contained psychotherapy notes.[23] While HIPAA does not require a covered entity to provide access to psychotherapy notes, it does require access to the remainder of the medical record, and it does require a practice to provide the individual with an explanation of the reason for the partial denial. While the RPMG patient received the portion of her records to which she was entitled, OCR cited RPMG's failure to provide both timely access and an explanation of the partial denial in its settlement of the matter. Covered entities faced with access requests where they are legally permitted to deny access to a portion of the requested information must ensure that they are providing not only timely access, but also a timely notice of the partial denial.

The Privacy Rule's right of access applies to electronic PHI (ePHI) held in an electronic health record system requested by the individual and directed to a third party

A number of the Right of Access Initiative enforcement actions addressed access requests from individuals directing the covered entity to send PHI to a third party, such as the individual's attorney.[24] The HIPAA Privacy Rule, as limited by the decision in Ciox Health, LLC v. Azar, requires that, if the individual directs a covered entity to send a copy of ePHI directly to another person designated in writing by the individual, the covered entity must provide the copy to that designated person.[25] If the information is maintained electronically and an electronic copy is requested, the PHI must be provided electronically, so long as it is readily producible in that format.[26] Covered entities must ensure that, even if the requested ePHI is being directed to a third party, they process requests from individuals for access under the parameters of the Privacy Rule's access requirements.

Covered entities should have a process in place to review and respond to access requests, and workforce members should be trained on the proper legal bases for denial

Multiple Right of Access Initiative enforcement actions addressed scenarios where patients requested their records from the provider more than one time.[27] From the largest health systems to the smallest clinician practices, HIPAA covered entities should ensure that their workforce understands patients' rights to access their health information. Covered entities should have a system in place to respond to access requests, with an emphasis on a timely and complete response. Denials of access should follow a process strictly aligned with the HIPAA regulations, which should always include timely notice to the requesting individual.

In addition to properly fulfilling access requests, an entity is only as strong as its workforce. Training workforce members involved in the provision of access and documenting such training is an important compliance consideration to allow covered entities to demonstrate adherence to the HIPAA right of access requirement. Workforce members must understand the covered entity's process for addressing any issues that arise in the access request process, and must know how to resolve these issues in a timeframe that keeps the entity compliant.

As many of these enforcement actions illustrate, OCR is not hesitating to settle alleged violations of the Privacy Rule's right of access with both a financial penalty and a CAP. This is true even if the access issue is the only identified HIPAA violation; OCR is not waiting for an organization's systemic noncompliance prior to enforcing the Privacy Rule's right of access. HIPAA covered entities can learn from the Initiative's enforcement actions published to date and use these examples as a guide to strengthen compliance programs and processes.

[1] See OCR Settles First Case in HIPAA Right of Access Initiative (“First Settlement”).

[2] See, e.g., 65 Fed. Reg. 82462, 82463 (Dec. 28, 2000).

[3] See OCR Issues Audit Report on Health Care Industry Compliance with the HIPAA Rules.

[4] A covered entity is not required to provide access to psychotherapy notes, information compiled in anticipation of civil, criminal or administrative litigation, or PHI that is subject to the Clinical Laboratory Improvements Amendments of 1988 (CLIA), to the extent that the provision of access would be prohibited by law, or PHI exempt from the CLIA requirements. 45 C.F.R. § 164.524(a)(1).

[5] 45 C.F.R. § 164.524(a)(1).

[6] 45 C.F.R. § 164.524(a)(2)(iii).

[7] 45 C.F.R. § 164.524(a)(3)(ii).

[8] 45 C.F.R. § 164.524(a)(4).

[9] 45 C.F.R. § 164.524(b)(2)(i).


[11] 45 C.F.R. § 164.524(b)(2)(ii).

[12] 45 C.F.R. § 164.524(c)(4).

[13] See 85 Fed. Reg. 25642 (May 1, 2020).

[14] See Enforcement Highlights: Enforcement Results as of August 31, 2021.

[15] See Resolution Agreement, Oct. 22, 2020 (“Eleventh Settlement”); Resolution Agreement, Jan. 5, 2021 (“Fourteenth Settlement”).

[16] See Resolution Agreement, June 22, 2020 (“Third Settlement”); Resolution Agreement, Mar. 8, 2021 (“Eighteenth Settlement”).

[17] See, e.g., Resolution Agreement, Dec. 11, 2019 (“Second Settlement”); Resolution Agreement, Dec. 17, 2020 (“Thirteenth Settlement”); Resolution Agreement, Mar. 9, 2021 (“Seventeenth Settlement”).

[18] See Resolution Agreement, Oct. 16, 2020; OCR Settles Tenth Investigation in HIPAA Right of Access Initiative (collectively, “Tenth Settlement”).

[19] See, e.g., Resolution Agreement, Aug. 20, 2020 (“Sixth Settlement”); Resolution Agreement, Aug. 21, 2020 (“Seventh Settlement”); see OCR Settles Five More Investigations in HIPAA Right of Access Initiative, Sept. 15, 2020.

[20] See Resolution Agreement, Sept. 29, 2020 (“Ninth Settlement”).

[21] See, e.g., Resolution Agreement, Apr. 28, 2021 (“Nineteenth Settlement”); Resolution Agreement, Aug. 17, 2021 (“Twentieth Settlement”).

[22] See 45 C.F.R. § 164.524(a).

[23] See Tenth Settlement.

[24] See, e.g., Resolution Agreement, Feb. 3, 2021 (“Sixteenth Settlement”); Resolution Agreement, Nov. 11, 2020 (“Twelfth Settlement”).

[25] 45 C.F.R. § 164.524(c)(3)(ii); but cf. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. Jan. 23, 2020) (limiting the individual to direct access to PHI held electronically by the covered entity).

[26] 45 C.F.R. § 164.524(c)(2)(ii).

[27] See, e.g., Ninth Settlement; Tenth Settlement; Twentieth Settlement.
