In July 2022, the HHS Office for Civil Rights wrapped up 11 HIPAA enforcement actions in a single month — all of them for the same violation: failing to give patients access to their own medical records. The list included hospitals, surgical groups, dental practices, and psychiatric consultants. Fines ranged from $3,500 to $65,000 per case.
This is what an enforcement blitz looks like. OCR launched its Right of Access Initiative back in 2019 and has been methodically working through complaints ever since. By July 2022, they had settled 38 cases under the initiative alone. The pattern is consistent: a patient requests their records, the provider delays or refuses, the patient files a complaint, and OCR shows up.
The thing worth noting here is the size of the organizations getting hit. These are not health conglomerates with armies of compliance staff. They are small practices — a dental office in Baltimore, a podiatry group in Illinois, a psychiatric consultants’ practice in Massachusetts. If you handle protected health information in any capacity, the assumption that you are too small to be noticed is not a safe one to operate on.
HIPAA’s Right of Access provision is one of the clearest patient rights in the law: individuals are entitled to a copy of their health records, typically within 30 days of requesting them. Withholding records, charging unreasonable fees, or requiring unnecessary authorization forms to fulfill the request are all violations. None of these are gray areas.
OCR has made clear that this initiative is not winding down. If your organization handles patient data, your records request process is worth a close look — before a complaint forces one.
