OCR settlement underscores HIPAA’s 30-day record access rule

HHS’ Office for Civil Rights (OCR) announced a settlement with Concentra, Inc. on December 16, 2025, resolving allegations that the provider failed to provide timely access to an individual’s protected health information (PHI) within HIPAA’s required timeframe (HHS press release). Concentra agreed to pay $112,500, and OCR described the action as its 54th enforcement under the agency’s Right of Access initiative (HHS press release).

The case highlights a recurring point OCR has emphasized for years: the HIPAA “Right of Access” is enforceable, time-bound, and applies even when vendors and business associates are involved in processing requests (HHS FAQ 2050). For patients, it’s a reminder that delays are not just inconvenient—they can implicate a legal right.

What happened in the Concentra case

OCR’s public announcement describes a patient making six requests for records beginning in February 2018 and not receiving access until March 2019—more than a year later (HHS press release). In the underlying administrative matter, OCR proposed a civil money penalty in June 2021 and the case proceeded toward a hearing before an administrative law judge before settling (Notice of Proposed Determination; Settlement Agreement).

OCR’s proposed determination includes a detailed timeline and findings, including:

• The access request sought an electronic copy of designated records (medical and billing) (Notice of Proposed Determination).
• OCR found Concentra received the request on March 1, 2018, and the request was forwarded internally but “was not processed” (Notice of Proposed Determination).
• OCR found the records were ultimately sent on March 21, 2019—399 days after the initial request—after a disputed invoice was adjusted (Notice of Proposed Determination; Settlement Agreement).

The patient right at the center: “Right of Access”

HIPAA’s Privacy Rule gives individuals a right to inspect and obtain a copy of PHI about them in a “designated record set” (with limited exceptions), for as long as the information is maintained (HHS Right of Access guidance; 45 C.F.R. § 164.524). That often includes medical records, billing records, lab reports, and other records used to make decisions about the individual (HHS Right of Access guidance).

Timing is one of the most operationally important pieces of the right:

• A covered entity must act on a request for access no later than 30 days after receipt (HHS FAQ 2050).
• If it can’t act in time, it may take one extension of up to 30 additional days, but only if it gives a written statement (within the first 30 days) explaining the delay and stating the completion date (HHS FAQ 2050).

What triggers the HIPAA access timeline (and what shouldn’t be required)

HIPAA access requests don’t have to be complicated, but small process barriers can quietly consume the full 30-day window. OCR’s guidance is explicit that covered entities can’t use “unreasonable measures” that create barriers to access or unreasonably delay it (HHS Right of Access guidance).

Practical markers of a “clean” request include:

• In writing (if the provider requires it) and clearly asking for the specific records or date range (covered entities may require written requests, but can’t use that requirement to create undue delay) (HHS Right of Access guidance).
• Clear delivery instructions (email, mail, portal download, or another readily producible format) and, if sending to a third party (like an attorney), clearly identifying where to send it (HHS Right of Access guidance).
• Avoiding “in-person only” hurdles: for example, OCR notes providers generally can’t require someone to travel in-person to request records if the person asks for records to be mailed or emailed (HHS Right of Access guidance).

Fees and format: two places requests often stall

Many patient access disputes aren’t about whether a record exists—they’re about format and fees.

Format: electronic, paper, or “readily producible”

Under OCR’s access guidance, individuals can request the form and format they want (paper, electronic file type, etc.) if it is “readily producible,” and covered entities must provide an electronic copy when the PHI is maintained electronically, subject to limited exceptions (HHS Right of Access guidance).

Fees: limited to specific categories

HIPAA permits only a reasonable, cost-based fee limited to certain copying-related items (e.g., labor for copying, supplies, and postage in some cases) and excludes search and retrieval charges (HHS Right of Access guidance; 45 C.F.R. § 164.524).

In the Concentra matter, OCR’s investigation describes an invoice for $82.57 that was disputed and later adjusted to $6.50 before paper records were mailed (Settlement Agreement; Notice of Proposed Determination). The settlement documents don’t establish a new fee rule, but they show how fee disputes can combine with delays to create multi-month access failures.

When can access be denied?

HIPAA’s Right of Access is broad, but it isn’t unlimited. The regulation and OCR guidance describe narrow categories of information excluded from access (for example, psychotherapy notes and information compiled in reasonable anticipation of litigation), along with limited “reviewable” and “unreviewable” grounds for denial (HHS Right of Access guidance; 45 C.F.R. § 164.524). When a covered entity denies access (in whole or part), it generally must provide a written denial that explains the basis and describes how to complain to OCR (45 C.F.R. § 164.524).

What this means for patients’ rights (practical steps)

The Concentra settlement doesn’t change the HIPAA rulebook, but it does reinforce that OCR will bring enforcement actions when access breaks down (HHS press release). For patients and families, the most practical takeaway is to make requests in a way that preserves clarity and the timeline.

Filing a HIPAA complaint when access fails

OCR’s complaint process is one formal escalation route when a patient believes their HIPAA rights were violated, including Right of Access issues (HHS OCR complaints). Complaints are strongest when they include the original request, follow-ups, proof of delivery, and any fee communications.

The bottom line

OCR’s Concentra settlement is a concrete reminder that the right to obtain a copy of medical records is not merely a policy preference—it is an enforceable requirement with deadlines, fee limits, and responsibilities that continue even when third parties process requests (HHS FAQ 2050; Settlement Agreement).

For plaintiff firms and legal ops teams, timely access is also an evidence problem: delayed production can postpone case evaluation, settlement posture, and client guidance. Operationally, the “Right of Access” standard provides a compliance baseline that can inform how record requests are drafted, tracked, escalated, and documented—especially in a broader environment where many firms report record delays as a systemic bottleneck (see: The Medical Record Crisis).

Sources: HHS OCR press release (Dec. 16, 2025), OCR–Concentra Settlement Agreement, OCR Notice of Proposed Determination, HHS HIPAA Right of Access guidance, HHS FAQ 2050, 45 C.F.R. § 164.524, OCR complaints.

This article is for informational purposes only and does not constitute legal or medical advice. Consult with qualified professionals for advice specific to your situation.