In January 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its 46th enforcement action under its HIPAA Right of Access Initiative — a settlement with Optum Medical Care, a large multi-specialty physician group operating across New Jersey and Southern Connecticut (formerly Riverside Medical Group and Riverside Pediatric Group). The case involved multiple patient complaints about delayed access to medical records, a $160,000 settlement, and a one-year corrective action plan.
But the Optum case is far more than a single enforcement event. As of December 2025, OCR has now reached its 54th Right of Access enforcement action — with no sign of slowing down. The initiative has spanned two presidential administrations, generated over $9.4 million in penalties since 2024 alone, and established a clear enforcement pattern that every healthcare provider must understand.
What Happened: The Optum Medical Care Case
Optum Medical Care received multiple complaints from patients and parents alleging they had not been provided with medical records in a timely manner. OCR’s investigation found that patients had waited between 84 and 231 days to receive records after submitting their requests.
This is a significant violation. Under the HIPAA Privacy Rule’s Right of Access provision, covered entities are required to provide individuals with access to their requested records within 30 calendar days of receiving the request. A single 30-day extension is permitted — but only if the covered entity notifies the patient in writing within the initial 30-day window, explains the reason for the delay, and provides a new completion date. That makes the maximum permissible timeline 60 days under any circumstances.
Waiting 84 days is well past even the 60-day outer limit. Waiting 231 days — nearly eight months — is an egregious failure with serious consequences.
OCR determined that Optum’s delayed responses constituted violations of the HIPAA Privacy Rule’s Right of Access provision. The resolution included:
- A $160,000 settlement payment
- Implementation of a corrective action plan requiring workforce training, revised policies and procedures for right of access requests, and regular reporting of records requests to OCR
- One year of OCR monitoring
The HIPAA Right of Access Rule: What Providers Must Know
The HIPAA Privacy Rule’s Right of Access provision (45 CFR § 164.524) is one of the most patient-centric and actively enforced requirements in healthcare compliance. Here is what it requires:
Timeliness
- Providers must respond to patient access requests within 30 calendar days of receiving the request
- One extension of up to 30 additional days is permitted, but only if written notice is provided to the patient within the initial 30-day period explaining the reason and the new expected completion date
- The absolute maximum timeline is 60 days — there are no further extensions permitted
Format
- Records must be provided in the form and format requested by the individual, if readily producible in that format
- If the requested format is not readily producible, the provider must provide it in a readable hard copy or an agreed-upon alternative electronic format
Fees
- Providers may charge only reasonable, cost-based fees covering labor, supplies, and postage
- Charging excessive fees for records access is itself a potential HIPAA violation
Scope
- The right applies to PHI in the provider’s designated record set — which includes medical records, billing records, and other records used to make decisions about the individual
- Parents and legal guardians generally have the right to access minor children’s PHI as personal representatives
- Business associates who manage record requests on behalf of covered entities do not absolve the covered entity of responsibility — the covered entity remains accountable
Permitted Exceptions
Access may be denied under limited circumstances, including when disclosure is reasonably likely to endanger the life or physical safety of the individual or another person, or when the PHI was compiled in anticipation of litigation. Denials must be documented and communicated in writing, and most denials trigger a right to review.
OCR’s Right of Access Initiative: From the 46th to the 54th Action
OCR launched its Right of Access Initiative during the first Trump Administration in 2019. What began as a targeted crackdown has become one of the most consistent and bipartisan enforcement programs in federal healthcare oversight — continuing uninterrupted across both the Trump and Biden administrations and into the current administration.
The initiative has resulted in enforcement actions ranging from small settlements of under $20,000 against individual practices to six-figure penalties against major health systems. A few notable actions that illustrate the breadth of enforcement since 2024:
- March 2024 — Phoenix Healthcare: Took 323 days to fulfill a single records request. Initially faced a $250,000 proposed penalty; settled for $35,000 after demonstrating compliance efforts.
- April 2024 — Hackensack Meridian Health: Received a $100,000 penalty for denying a personal representative access to a resident’s medical records.
- August 2024 — American Medical Response: Faced a $115,200 civil monetary penalty after taking 370 days to respond to a single patient request for records in their EHR system.
- November 2024 — Rio Hondo Community Mental Health Center: Paid $100,000 for failure to provide timely access — marking OCR’s 51st Right of Access enforcement action.
- January 2025 — Memorial Healthcare System: Settled for $60,000, marking OCR’s 52nd enforcement action. OCR had initially proposed a $100,000 civil monetary penalty.
- March 2025 — Oregon Health & Science University: Received a $200,000 civil monetary penalty for failure to provide timely access to a patient’s personal representative — OCR’s 53rd action.
- December 2025 — Concentra, Inc.: Settled for $112,500 after a patient made six separate records requests beginning in February 2018 and did not receive them until March 2019 — marking OCR’s 54th Right of Access enforcement action.
OCR’s enforcement actions in 2025 totaled 21 cases — up from 16 in 2024 — and in early 2026, OCR Director Paula M. Stannard confirmed that the Right of Access enforcement initiative will continue in 2026.
The New Risk Analysis Initiative: OCR’s Second Active Enforcement Front
While Right of Access enforcement continues, providers in 2024 and 2025 also faced a second, parallel enforcement initiative. In late 2024, OCR launched its Risk Analysis Initiative, specifically targeting noncompliance with the risk analysis requirement of the HIPAA Security Rule.
OCR reported a 264% increase in reported large breaches involving ransomware attacks since 2018, and has stated that failing to conduct a comprehensive risk assessment significantly increases the risk of ransomware attacks. The Risk Analysis Initiative resulted in seven enforcement actions in its first six months alone, with settlements ranging from $10,000 to $350,000.
In early 2026, OCR confirmed the Risk Analysis Initiative will expand to also include risk management — meaning providers will need to demonstrate not just that they conducted a risk analysis, but that they took action to reduce identified risks to a low and acceptable level.
For healthcare providers, this means two active enforcement fronts now require simultaneous attention: patient records access and security risk management.
Common Reasons Providers Fail Right of Access Audits
OCR’s enforcement record reveals consistent, avoidable patterns:
Workflow failures
Records requests get lost, misrouted, or deprioritized when they arrive via mail, fax, or patient portal without a clear intake and tracking process. Without a centralized tracking system, requests can sit for weeks or months without action.
Staff training gaps
Front desk and administrative staff are often the first point of contact for records requests, but may not know the 30-day rule, what constitutes a valid request, or when and how to grant extensions. Training that isn’t repeated or reinforced quickly becomes outdated.
Third-party vendor reliance without oversight
Some providers delegate records management to third-party vendors or HIM companies. The Optum case is a reminder that the covered entity remains responsible regardless of who handles the operational side. Business associate agreements must include enforceable timelines and monitoring provisions.
Parental and personal representative access gaps
Multiple OCR enforcement actions have specifically involved failures to provide parents or legal guardians with timely access to minor children’s PHI. Practices that serve pediatric populations need dedicated policies for parental access requests.
EHR and records system fragmentation
When a patient’s records exist across multiple systems, locations, or time periods, assembling a complete response can be operationally complex. But OCR does not accept operational complexity as a defense for delays beyond 30 days.
What a Corrective Action Plan Looks Like
When OCR settles a Right of Access case, the covered entity typically agrees to a Corrective Action Plan (CAP) that includes some or all of the following, similar to what Optum Medical Care agreed to:
- Policy and procedure revision: Review and rewrite right of access policies to explicitly require responses within 30 days, define the extension process, and assign accountability for each step
- Workforce training: Train all staff who handle records requests — including front desk, clinical, and administrative personnel — on HIPAA Right of Access requirements, with documentation of completion
- Request tracking and reporting: Implement a system to log every records request, track the date received and date fulfilled, and report outstanding requests to OCR on a defined schedule
- OCR monitoring: Accept a monitoring period (typically one to three years) during which OCR reviews compliance reports and may conduct follow-up investigations
The corrective action plan is not the end of the matter. OCR actively monitors compliance throughout the agreed period, and failures during monitoring can trigger additional enforcement.
How to Protect Your Practice: A Compliance Checklist
Use the following checklist to assess your current right of access compliance posture:
Request intake
- Do you have a defined process for receiving, logging, and routing records requests regardless of how they arrive (mail, fax, portal, in-person)?
- Is there a designated staff member responsible for tracking each open request?
Timeline compliance
- Does your process ensure a response within 30 calendar days?
- Is there a documented procedure for issuing written extensions, including the notification requirement and new deadline?
- Do you have a system that flags requests approaching the 30-day mark?
Workforce training
- Have all staff who interact with records requests been trained on HIPAA Right of Access requirements?
- Is training documented, dated, and repeated at defined intervals?
Vendor oversight
- Do your business associate agreements with third-party HIM or records management vendors include specific right of access timelines?
- Do you actively monitor vendor performance against those timelines?
Parental and representative access
- Do your policies address personal representative access, including parents accessing minor children’s records?
- Are staff trained on the specific rules around minors’ PHI and parental rights?
Documentation
- Are you maintaining clear records of every request received, the response provided, the date fulfilled, and any extensions granted?
- Would this documentation withstand an OCR audit?
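The timeline rules in the Timeliness section (30 calendar days, one 30-day extension that only counts if written notice goes out inside the initial window, 60 days as the hard ceiling) and the checklist items about logging every request and flagging those approaching the 30-day mark can be expressed as a small tracker. The following is an added illustration written for this article; it is not code from OCR, Neolytix, or any vendor named on the page. The 30- and 60-day figures come from the rule as described above; the 7-day early-warning threshold, the status names, and the sample queue dates are assumptions chosen for the example.

```python
"""Records-request deadline tracker (constructed example, not OCR or Neolytix tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INITIAL_WINDOW_DAYS = 30   # respond within 30 calendar days of receipt
EXTENSION_DAYS = 30        # one extension of up to 30 days, with written notice
WARNING_DAYS = 7           # assumed internal early-warning threshold (not a HIPAA figure)


@dataclass
class AccessRequest:
    request_id: str
    received: date
    fulfilled: Optional[date] = None
    # Date the written extension notice went to the requester, if any.
    extension_notice_sent: Optional[date] = None

    def initial_deadline(self) -> date:
        return self.received + timedelta(days=INITIAL_WINDOW_DAYS)

    def extension_valid(self) -> bool:
        """An extension only counts if notice was sent within the initial 30-day window."""
        notice = self.extension_notice_sent
        return notice is not None and self.received <= notice <= self.initial_deadline()

    def deadline(self) -> date:
        """Latest permissible fulfilment date: 30 days, or 60 with a valid extension."""
        if self.extension_valid():
            return self.initial_deadline() + timedelta(days=EXTENSION_DAYS)
        return self.initial_deadline()

    def days_to_fulfill(self, today: date) -> int:
        """Elapsed days from receipt to fulfilment (or to today for an open request)."""
        end = self.fulfilled if self.fulfilled is not None else today
        return (end - self.received).days

    def status(self, today: date) -> str:
        if self.fulfilled is not None:
            return "fulfilled_on_time" if self.fulfilled <= self.deadline() else "fulfilled_late"
        remaining = (self.deadline() - today).days
        if remaining < 0:
            return "overdue"
        if remaining <= WARNING_DAYS:
            return "due_soon"
        return "open"


def build_report(requests: List[AccessRequest], today: date) -> Dict[str, List[str]]:
    """Group request ids by status, earliest deadline first, for whoever owns the queue."""
    report: Dict[str, List[str]] = {}
    for req in sorted(requests, key=lambda r: r.deadline()):
        report.setdefault(req.status(today), []).append(req.request_id)
    return report


# Constructed sample queue; dates are illustrative and not taken from any real case.
SAMPLE_TODAY = date(2024, 3, 15)
SAMPLE_REQUESTS = [
    AccessRequest("R-001", date(2024, 1, 2), fulfilled=date(2024, 1, 20)),
    # Valid extension: notice sent on day 23, fulfilled inside the 60-day window.
    AccessRequest("R-002", date(2024, 1, 2), fulfilled=date(2024, 2, 28),
                  extension_notice_sent=date(2024, 1, 25)),
    # Notice sent on day 35: too late, so the original 30-day deadline still applies.
    AccessRequest("R-003", date(2024, 1, 2), fulfilled=date(2024, 2, 28),
                  extension_notice_sent=date(2024, 2, 6)),
    # Still open, deadline five days out: should be flagged before it slips.
    AccessRequest("R-004", date(2024, 2, 19)),
    # Still open and long past every permissible deadline.
    AccessRequest("R-005", date(2023, 10, 1)),
]

if __name__ == "__main__":
    for status, ids in build_report(SAMPLE_REQUESTS, SAMPLE_TODAY).items():
        print(f"{status}: {', '.join(ids)}")
```

The point of keeping the extension check explicit is that a late notice does not buy extra time: R-003 sent its notice after day 30, so it is reported as late even though it was fulfilled on the same day as R-002. Running the report on a schedule and reviewing the `due_soon` and `overdue` groups is the kind of tracking the checklist and the corrective action plans above call for.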
How Neolytix Can Help
Managing HIPAA compliance alongside clinical operations is genuinely difficult, particularly for smaller practices without dedicated compliance staff. Neolytix works with healthcare organizations to build the operational infrastructure that prevents compliance failures before they become OCR complaints.
Our services include HIPAA-compliant medical billing, revenue cycle management, and administrative operations support — all designed to keep your practice running efficiently and compliantly. If you need support reviewing your patient access workflows or broader compliance posture, contact Neolytix to speak with our team.