Right of Access Violation Examples: What OCR Enforcement Reveals About Provider Failures

HIPAA Right of Access Violation Examples
ChartRequest is Proudly Partnered With

Right of Access violation examples usually look simple at first: a request sat too long, a patient had to ask again, a production was incomplete, or a fee or format decision did not match the rule. For compliance and HIM leaders, those details point to the same underlying question: can the release of information workflow produce proof under pressure?

That pressure usually lands on HIM and compliance teams before it becomes an OCR matter. They are fielding patient calls, attorney follow-ups, portal messages, faxed requests, identity questions, old records, vendor queues, and state law deadlines at the same time. Most teams know the rule. The day-to-day pain comes from a release process that spreads the work across too many places and makes the record harder to prove after the fact.

At ChartRequest, we treat Right of Access compliance as an operational control problem. The policy matters, but the workflow determines whether access happens on time, completely, and with a defensible record. A policy binder cannot prove when a request arrived, who owned it, what records were in scope, how the response was completed, or why any delay, fee, extension, or denial was allowed.

OCR’s enforcement record keeps returning to that gap. Patients did not receive access. Providers could not show a clean path from request intake to complete fulfillment. The practical takeaway is clear: the workflow has to make the compliant action routine, visible, and defensible.

What Counts as a Right of Access Violation?

A Right of Access violation occurs when a covered entity fails to give an individual or personal representative timely access to protected health information. The rule applies to PHI in a designated record set, unless a narrow HIPAA exception applies. Under 45 CFR 164.524, covered entities must act on an access request no later than 30 days after receipt. They must provide the requested form and format if readily producible. Fees for copies must be reasonable and cost-based.

Right of Access violation examples include late access, ignored requests, incomplete records, improper denials, excessive fees, and refusal to provide a readily producible electronic format. HIPAA sets the federal outer limit. State law may require faster fulfillment, so release workflows should apply the stricter deadline and avoid treating the HIPAA clock as the only rule that matters.

When leaders compare Right of Access violation examples, they should resist the easy explanation that one staff member missed one request. OCR cases show a different pattern: the workflow lacked ownership, escalation, scope control, or documentation.

What Does OCR’s Right of Access Initiative Target?

OCR’s Right of Access Initiative focuses on whether individuals can actually get their records in practice. In December 2025, HHS described its Concentra settlement as the 54th enforcement action under the initiative. HHS said the case involved failure to provide timely access within 30 days. HHS also stated that individuals or personal representatives should not need multiple requests and an OCR complaint to obtain health information.

The initiative matters because OCR looks past the written policy. A 30-day policy cannot compensate for a queue that misses the deadline. Fee rules do little if staff apply them inconsistently. Vendor support still leaves risk when the covered entity cannot see aging requests before they become complaints. For a broader operating model, our guide to HIPAA ROI compliance explains how access rights, authorization review, fee handling, delivery, and documentation fit into daily release work.

HHS resolves some HIPAA cases through resolution agreements, corrective action plans, and monitoring. HHS explains that civil money penalties may be imposed when informal resolution is not satisfactory. That can include failed demonstrated compliance or failed corrective action.

What Do OCR Right of Access Cases Have in Common?

The strongest Right of Access violation examples show how ordinary release of information breakdowns become enforcement issues. Providers, request histories, and penalty amounts differ. One operating pattern is consistent: the organization could not prove timely, complete, controlled fulfillment.

Violation PatternWhat It Looks LikeControl That Reduces Risk
Late accessThe request ages past 30 days before fulfillment or denial.Centralized intake, deadline alerts, escalation rules.
Repeated requestsThe individual asks again before anyone resolves the request.Duplicate-request detection and leadership escalation.
Partial productionSome records are released, but the request remains incomplete.Designated record set mapping and final-completion review.
Vendor dependencyA business associate handles fulfillment, but the provider loses visibility.Vendor performance monitoring and aging-request reporting.
Weak documentationStaff acted, but the organization cannot reconstruct the timeline.Audit trail notes for receipt, verification, scope, fee, delivery, and closure.

Reviewing Right of Access violation examples should not stop at penalty amounts. The more useful question: which part of the operating model broke? If the workflow cannot show what happened, compliance leaders are left defending a policy instead of proving performance. Our article on HIPAA audit log requirements covers the broader evidence layer behind that proof.

Concentra: Six Requests and Access Over a Year Later

In December 2025, OCR announced a $112,500 settlement with Concentra. HHS said the individual made six requests beginning in February 2018. He did not receive access to his health information until March 2019, over a year later. OCR determined that Concentra failed to take timely action under the Right of Access standard.

Six requests should never be treated as six isolated touchpoints. A defensible workflow flags aging requests, duplicate outreach, and stalled handoffs early enough for leadership to intervene before the individual files an OCR complaint.

Oregon Health & Science University: Partial Fulfillment Was Not Enough

In March 2025, HHS announced a $200,000 civil money penalty against Oregon Health & Science University. HHS said OHSU provided part of the requested records in April 2019. It did not provide all requested records until August 2021, nearly a year after OCR notified OHSU of potential noncompliance. OCR also emphasized that provider responsibility continues when a business associate handles access requests.

Partial production does not close the request. When records go out in pieces, the workflow still needs a complete-request status, an outstanding-records checklist, and a documented final delivery point.

ACPM Podiatry: Extreme Delay and No Effective Response to OCR

ACPM Podiatry is one of the clearest examples of how delay can escalate. OCR’s Notice of Proposed Determination said the complainant received a copy of his medical records on July 23, 2020. That was 618 days after his November 13, 2018 written access request. OCR also said the complainant asserted that the records were incomplete. The final civil money penalty was $100,000.

Access failures can move beyond the front desk quickly. Once OCR is involved, the provider also needs a disciplined investigation response process, including timely production of requested evidence.

Coastal ENT: Access Requests Waited Months for a Response

OCR received complaints against Coastal Ear, Nose & Throat after a patient alleged that the practice failed to provide medical records in response to access requests submitted on December 15, 2020 and January 8, 2021. HHS said Coastal ENT did not respond until May 20, 2021. The practice agreed to pay $20,000 under a resolution agreement and corrective action plan.

For operations teams, a request cannot sit in a queue without ownership. Each intake channel needs a timestamp, a responsible team member, and an escalation rule when the request remains unresolved.

Erie County Medical Center: Completeness Matters

In the Erie County Medical Center Corporation case, HHS said the complainant alleged that ECMCC failed to provide her husband with a complete copy of his medical records. During the investigation, ECMCC provided the complete copy. HHS still stated that the investigation established failure to timely provide a complete copy. ECMCC agreed to pay $50,000.

The case reinforces that timeliness and completeness belong together. A response that excludes records in scope can create the same practical failure as a late response. The individual still does not have the access HIPAA requires.

Fallbrook Family Health Center: Smaller Practices Are Not Exempt

HHS said Fallbrook Family Health Center failed to provide timely access to medical records and paid $30,000 to settle a potential Right of Access violation.

Fallbrook reinforces that size does not remove the obligation. Smaller practices still need a repeatable release process. An informal process is hard to defend once OCR asks for proof.

Use these cases as a quick screen for your own process. Can the team show receipt, ownership, scope, delivery, and the reason for any delay without chasing staff memories? If not, treat the gap as an audit-readiness gap, not a paperwork issue.

What Are Providers Misdiagnosing?

Teams often treat Right of Access problems as responsiveness issues. Staff were busy, vendors were slow, requests were confusing, or patients used channels no one expected. Those facts may explain the delay internally, but they rarely create a strong defense.

The stronger diagnosis is workflow governance. Compliance leaders need to answer five practical questions:

  1. Do all intake channels feed one queue?
  2. Does each request have an owner?
  3. Are extensions documented?
  4. Do partial productions stay open?
  5. Do vendor handoffs remain visible?

That is why Right of Access compliance should not be limited to training materials. It belongs in queue design, role assignment, status definitions, exception handling, vendor oversight, fee controls, and audit trail documentation. The workflow turns the rule into daily practice or reveals that the policy is not being followed.

Where Do Providers Miss the 30-Day Clock?

HHS guidance says the 30-day clock starts when the covered entity receives the request. Delays caused by a business associate, format negotiation, or old and archived records still consume the allotted time. HHS also describes the deadline as an outer limit, not an operating target.

Most missed deadlines start in intake, verification, or fulfillment. For example:

  • A request lands in a fax queue, office inbox, portal message, or front desk pile without being logged.
  • Staff pause the request because identity or authority is unclear, but no one tracks the pause or escalates it.
  • Records sit across systems, locations, or vendors, and ownership of the complete response gets blurry.

That is often the daily frustration behind the compliance risk: people may be working the request, but leaders still cannot see whether the full response is on track.

Verification is necessary, but it cannot become a hidden delay. A strong healthcare identity verification workflow defines the required proof, timing, and reviewer.

When Do Fees and Format Refusals Become Violations?

Speed alone is not enough. The response must also match the rule’s fee and format requirements.

Covered entities must provide access in the form and format requested if readily producible. If the requested form and format is not readily producible, the provider must agree on another readable option with the individual. For electronic records, that means a paper-only default can create risk when an electronic copy is readily producible.

Fees need the same control. HHS says the HIPAA Privacy Rule permits only a reasonable, cost-based fee. The fee can include certain labor, supply, and postage costs tied to providing the copy.

Inconsistency creates the exposure. Manual fee calculations, outdated state schedules without HIPAA review, and paper defaults can all undermine an otherwise timely response.

What Records Are Usually in Scope?

The Right of Access rule applies to protected health information in a designated record set. For providers, that usually includes medical records and billing records maintained by or for the provider. It can also include other decision-making records about the individual. Teams that treat the clinical chart as the whole record risk underproduction.

This matters when billing systems, imaging platforms, legacy records, or outside-provider documents sit outside the main EHR. Our article on whether billing records are part of the medical record under HIPAA explains why designated record set mapping matters.

The exclusions are narrow. They include psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding. The rule also allows for certain reviewable and unreviewable grounds for denial. Any denial should be documented, written in plain language, and limited to the specific information that can lawfully be withheld.

How Should HIM Leaders Pressure-Test the Workflow?

A useful self-diagnostic starts with the evidence trail. Ask the team to pull three recent patient access requests at random and reconstruct the file without interviewing the person who handled them.

Can the file show when the request arrived and who owned it? Can it show how identity or authority was verified, what records were in scope, whether anything was still outstanding, how the fee was calculated, what format was requested, when access was delivered, and whether the request fully closed? If the answer depends on someone’s memory, the workflow is not audit-ready.

The next test is exception handling. Review the oldest open requests, requests with partial production, requests routed through a vendor, and requests that needed a denial or extension. Those are the places where a clean policy often separates from messy reality.

When the team cannot reconstruct a request without relying on memory, the issue sits in workflow design. That is the pain leaders need to surface early: the team may have worked hard, but the file still does not tell the story. HIM and compliance leaders should review intake, ownership, escalation, scope control, and proof of delivery before the next complaint turns the gap into evidence.

How Should Providers Build a Defensible Release Workflow?

A defensible workflow does not rely on memory, spreadsheets, or after-the-fact reconstruction. It creates proof while the work is happening.

That starts with request classification. Patient Right of Access requests should be handled separately from HIPAA authorization requests because the legal basis, fee rules, timing, and requestor rights are not identical.

A basic workflow should include:

1. Centralized intake that timestamps every request, regardless of channel. 

2. Request classification that identifies patient access, personal representative access, authorization, subpoena, payor request, or other release type. 

3. Identity and authority verification with documented criteria and escalation rules. 

4. Scope mapping to the designated record set, including records outside the core EHR when they are in scope. 

5. Deadline controls for the 30-day clock, one permitted extension, and any stricter state-law deadline. 

6. Fee and format controls that reflect HIPAA’s cost-based limits and the requestor’s chosen delivery method. 

7. Final documentation that shows what was released, when, to whom, by whom, and under what basis.

These controls should reduce paperwork, not add to it. The release process should produce evidence while staff do the work. Software can support that operating model. Our guide to ROI software for medical records requests breaks down the core workflow requirements.

How ChartRequest Helps Providers Stay Audit-Ready

ChartRequest helps healthcare teams move release of information work out of disconnected queues and into a more controlled operating model. We focus on the operational layer that Right of Access enforcement keeps exposing. That includes intake, workflow consistency, follow-up, fulfillment visibility, and documentation.

For providers, the goal is simple: every request should have an owner, a status, a deadline, a scope decision, and a record of completion. That gives HIM and compliance leaders a better way to manage daily work and creates a cleaner evidentiary trail for complaints, audits, and internal reviews.

A Right of Access workflow should not depend on the most experienced staff member remembering the exception. It should give the team a repeatable path and make the compliant action easy to take, monitor, and prove.

If your access workflow still depends on fax queues, shared inboxes, manual reminders, or after-the-fact documentation, delay is only part of the exposure. Schedule a release of information workflow review with ChartRequest to find where requests lose ownership, deadline control, scope clarity, or audit documentation.

Frequently Asked Questions

What Is a Right of Access Violation?

A Right of Access violation occurs when a covered entity fails to provide timely access to protected health information. The rule applies to an individual or personal representative and covers PHI in a designated record set, unless a narrow HIPAA exception applies. Common violations include missed deadlines, incomplete records, improper denials, excessive fees, and refusal to provide a readily producible requested format.

What Are Common Right of Access Violation Examples?

Common Right of Access violation examples include missed 30-day responses, ignored patient requests, and incomplete designated record set productions. Other examples include weak vendor oversight, excessive fees, and refusal of readily producible electronic access.

How Long Does a Provider Have to Respond to a Medical Records Request?

Under HIPAA, a covered entity must act on a Right of Access request no later than 30 days after receipt. One 30-day extension is permitted. The covered entity must give the individual a written explanation for the delay and a completion date. State law may require a faster response.

Can a Provider Deny a Right of Access Request?

Yes, but only under limited circumstances. HIPAA excludes psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a legal proceeding. Other denial grounds depend on the facts and may require review rights. The provider should document the basis for the denial. It should still release any other requested information that can be provided.

What Documentation Helps Defend a Right of Access Workflow?

Helpful documentation includes the request receipt date, intake channel, verification record, scope decision, deadline, fee calculation, delivery method, and production date. It should also include any extension notice, denial rationale, and final proof of what was released. The documentation should show how the workflow operated in the specific request, beyond what the policy says.

Facebook
Twitter
LinkedIn
Stay Updated
Subscribe
100% Privacy. No spam guaranteed.