OCR’s 54th HIPAA Right of Access Enforcement Action: What Healthcare Providers Should Learn from the Concentra Settlement
By Rachel Klugman Seeger, Founder and Principal, North Country Communications
The HHS Office for Civil Rights (OCR) has quietly announced its 54th settlement under the HIPAA Right of Access Enforcement Initiative, reinforcing once again that timely access to medical records is not optional. It is a core patient right and a foundational requirement of the HIPAA Privacy Rule.
This latest settlement involves Concentra, Inc., a major occupational health services provider headquartered in Texas. OCR’s investigation found that Concentra failed to provide an individual with access to their protected health information (PHI) within the required 30‑day timeframe. Instead, the individual waited 399 days for their records.
Some may recall that this is Concentra’s second enforcement action with OCR. The first, announced in 2014, involved a stolen laptop containing unsecured electronic PHI and resulted in a $1.7 million settlement and a robust corrective action plan. While the earlier case centered on Security Rule failures, this new action highlights a different but equally critical compliance obligation: honoring patients’ right to access their own health information.
What Happened in the Latest Case
OCR’s investigation revealed several key issues:
- The individual’s initial request for access went unfulfilled for more than a year.
- Concentra’s business associate issued an invoice for $82.57 for the records — a fee the individual disputed.
- Months later, the business associate reduced the fee to $6.50 and finally mailed the paper records on March 21, 2019.
OCR and Concentra ultimately resolved the matter before an administrative hearing. Concentra agreed to pay $112,500. Learn more in the Notice of Proposed Determination and Settlement Agreement:
- Notice of Proposed Determination: https://www.hhs.gov/sites/default/files/ocr-concentra-npd.pdf
- Settlement Agreement: https://www.hhs.gov/sites/default/files/ocr-concentra-settlement-agreement.pdf
As OCR Director Paula Stannard emphasized in the agency’s December 16, 2025, press release, “Individuals should not have to make multiple requests and file a complaint with OCR to gain access to their health information.”
Why This Matters, Even When Only One Patient Is Affected
This case underscores a pattern we continue to see across OCR’s Right of Access Initiative: Even isolated failures can trigger enforcement.
The size of the organization doesn’t matter. The number of affected individuals doesn’t matter. What matters is whether a patient’s lawful request for their own medical records is honored promptly, at a reasonable, cost‑based fee, and without unnecessary barriers.
What Providers Should Do Now
Healthcare organizations — from small practices to national systems — should take this as a reminder to:
- Review and update their HIPAA Right of Access policies and procedures
- Audit turnaround times for access requests
- Standardize reasonable, cost‑based fees
- Ensure business associates follow the organization’s access requirements
- Train staff on patient rights and escalation pathways
The legal fees, operational disruption, and regulatory scrutiny simply aren’t worth the risk. More importantly, honoring access rights is central to patient trust. Want to learn more about how we can help bolster the Right of Access processes in your organization? Schedule your free, confidential 30‑minute consultation today at North Country Communications.
