September 3, 2025

Right of Access Compliance

A Contemporary Risk Management and Regulatory Imperative 

Written by Dr. Stacey R. Atkins, PhD, MSW, LSW, CPC, CIGE

The HIPAA Right of Access (ROA) provision continues to stand as a vital patient-rights protection and a persistent enforcement focus for OCR. Since 2022, OCR has escalated enforcement activity, issuing multiple monetary settlements with organizations ranging from small practices to large health systems, including significant penalties such as the $200,000 settlement with Oregon Health & Science University (OHSU) in 2025. This article updates the scholarly discussion with recent data, reviews enforcement activity, and underscores strategic imperatives for compliance through inclusive workforce education, robust policy frameworks, centralized oversight, and ongoing auditing.

Introduction

Since its introduction, HIPAA’s Right of Access—which empowers patients to access their protected health information (PHI)—has been elevated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as a leading enforcement priority. OCR’s Right of Access Initiative, instituted in 2019, has remained dynamically active, with continued resolution of complaints and repeated emphasis across enforcement years 2022 through 2025.

Regulatory Framework of the Right of Access

Under HIPAA, individuals are entitled to access their PHI in “designated record sets” (45 C.F.R. § 164.524). Covered entities must provide this access within 30 days of receiving a request, with a single 30-day extension permitted if documented and communicated to the patient.

Key requirements include:

  • Timeliness: Records must be provided within the prescribed timeframes.
  • Reasonable fees: Covered entities may charge only cost-based fees for labor, supplies, and postage.
  • Format: Information must be provided in the form and format requested, if readily producible.
  • Exceptions: Access may be denied under limited circumstances, such as if disclosure is reasonably likely to endanger life or safety.

Failure to meet these requirements can result in HIPAA violations, OCR investigations, and reputational harm.

Recent Enforcement Activity (2022–2025)

OCR’s enforcement record demonstrates an ongoing pattern of provider noncompliance with the Right of Access. Key examples include:

2022:
- Multiple ROA settlements involving dental practices, including one finalized in December 2022.
- Memorial Hermann Health System settled for $240,000 over delayed access requests.

2023:
- OCR resolved 13 enforcement actions totaling $4.18 million, nearly doubling 2022’s penalties.
- Life Hope Labs was fined $16,500 for delayed records release.

2024:
- OCR imposed $170,000 in penalties against a dental practice and a Los Angeles County mental health program.

2025:
- Oregon Health & Science University (OHSU) was fined $200,000 for failing to provide timely access to a patient’s representative.
- OCR also continued settlements tied to ransomware incidents, such as the Comstar breach affecting over 585,000 individuals.

Enforcement Trend Analysis

Recent enforcement illustrates key trends:

  • Widespread focus: ROA cases involve providers of all sizes and types.
  • Significant financial liability: Penalties range from modest fines to $200,000+.
  • Business associate accountability: Covered entities are liable for their partners’ noncompliance.
  • Cybersecurity overlap: Breaches and ransomware are increasingly tied to ROA violations.

Compliance Challenges in Healthcare Organizations

Despite regulatory clarity, many organizations continue to struggle with operationalizing the Right of Access. Common barriers include:

  • Lack of workforce training: Staff may be unaware of timelines, fee structures, or documentation requirements.
  • Decentralized recordkeeping: PHI may be stored across multiple EHR platforms, making access requests cumbersome.
  • Inconsistent policies: Outdated or incomplete policies may lead to variable practices across departments.
  • Cultural barriers: Some providers remain reluctant to share full records, particularly behavioral health information, despite HIPAA requirements.

These challenges highlight the need for strong compliance frameworks that integrate policy, training, and oversight.

Risk Mitigation Through Compliance Programs

Right of Access compliance should be viewed not only as a legal requirement but as a risk management strategy. By embedding compliance into organizational culture, healthcare leaders can reduce the likelihood of OCR investigations and enhance patient satisfaction.

Effective strategies include:

1. Policy development: Create and regularly update written policies aligned with HIPAA and state privacy rules.
2. Workforce training: Ensure all staff—front desk, nursing, HIM, billing, IT—understand their responsibilities.
3. Monitoring and auditing: Conduct regular internal audits of access requests, timeliness, and fees.
4. Centralized oversight: Designate a privacy officer or compliance team to oversee all Right of Access processes.
5. Patient engagement: Communicate clearly with patients regarding their rights, timelines, and any applicable fees.
6. Cybersecurity integration: Align ROA procedures with breach and ransomware response protocols.

Conclusion

The HIPAA Right of Access reflects a core principle of modern healthcare: empowering patients with information to participate in their care. Recent enforcement actions from 2022–2025 highlight the continued priority OCR places on this right, with penalties applied to providers of all sizes.

Healthcare leaders must proactively address this risk by developing robust policies, ensuring comprehensive workforce training, monitoring compliance, and integrating cybersecurity protections. In doing so, organizations protect themselves from regulatory enforcement while upholding the trust and dignity of the patients they serve.

About the Author

Dr. Stacey R. Atkins, PhD, MSW, LMSW, CPC, CIGE

Dr. Atkins is a Compliance Specialist working as a team member in the Education Department of the American Institute of Healthcare Compliance. Her career spans leadership roles with the Office of the State Inspector General, Department of Behavioral Health and Developmental Services, and HRSA, among others.

Copyright © 2025 American Institute of Healthcare Compliance All Rights Reserved