This post is part of our series The Top 2025 Privacy and Security Issues Still Shaping Healthcare, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.
The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of patient privacy and data protection. Among its most patient-centric provisions is the Right of Access rule, which guarantees individuals timely access to their medical records. This right is not just a regulatory requirement—it’s a fundamental principle of patient empowerment, enabling individuals to make informed decisions about their health.
In recent years, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has intensified its enforcement of this rule, signaling a clear message: delays and noncompliance will not be tolerated. The latest wave of enforcement actions in 2025 underscores OCR’s commitment to safeguarding patient rights and holding providers accountable.[1]
The Right of Access Rule: A Quick Refresher
Under HIPAA’s Privacy Rule, covered entities—healthcare providers, health plans, and their business associates—must provide individuals with access to their protected health information (PHI) within 30 days of receiving a request. A single 30-day extension is permitted if the entity provides a written explanation for the delay.[2]
Key requirements include:
- Timeliness: Records must be delivered within 30 days (or 60 days with an extension).
- Format: Information should be provided in the requested form and format if readily producible.
- Cost: Fees must be reasonable and cost-based, covering only labor, supplies, and postage.
- Exceptions: Limited circumstances allow denial, such as risks to life or safety.
Failure to meet these standards can trigger patient complaints, OCR investigations, and civil monetary penalties.
OCR’s Enforcement Priorities
Since launching the Right of Access Initiative in 2019, OCR has made this rule a top enforcement priority. The initiative aims to ensure that patients are not subjected to unreasonable delays or excessive fees when accessing their health records.[3]
Recent enforcement trends reveal:
- Escalating penalties: OCR has imposed fines ranging from modest settlements to six-figure civil monetary penalties.
- Focus on repeat offenders: Entities with multiple complaints or prolonged delays face harsher consequences.
- Accountability for business associates: Covered entities remain responsible even when delegating record requests to third-party vendors.
Recent Enforcement Actions: A Wake-Up Call
In March 2025, OCR announced its 53rd Right of Access enforcement action, imposing a $200,000 civil monetary penalty against an academic medical center for failing to provide timely access to a patient’s personal representative. Despite repeated requests beginning in April 2019, the delivery of the complete records did not occur until August 2021—well beyond the regulatory timeframe.[4]
Other notable actions include:
- 2024: Penalties of $170,000 against a dental practice and a mental health program for delayed access.
- 2023: Thirteen enforcement actions totaling $4.18 million, nearly doubling the previous year’s penalties.
- 2022: Settlements with multiple small practices, demonstrating that no entity is too small for scrutiny.
Penalty Structure and Financial Risks
HIPAA violations fall into four tiers based on culpability, with the penalty amounts for each tier adjusted annually:
- Lack of knowledge: $145–$73,011 per violation.
- Reasonable cause: $1,461–$73,011 per violation.
- Willful neglect (corrected within 30 days): $14,602–$73,011 per violation.
- Willful neglect (not corrected): $73,011–$2,190,294 per violation.
Annual caps apply per identical provision, but penalties can escalate quickly when multiple violations occur.[5]
Why Enforcement Is Intensifying
Several factors drive OCR’s aggressive stance:
- Patient empowerment: Timely access supports better health outcomes and informed decision-making.
- Digital health evolution: As interoperability initiatives expand, delays in record access undermine broader policy goals.
- Information blocking crackdown: OCR’s efforts align with the 21st Century Cures Act, which prohibits practices that interfere with access, exchange, or use of electronic health information.[6]
Compliance Imperatives for Providers
To avoid costly penalties and reputational damage, covered entities should:
- Audit current processes: Review policies for handling access requests and verify compliance with the 30-day rule.
- Train staff: Ensure frontline employees understand HIPAA requirements and escalation protocols.
- Monitor vendors: Review business associate agreements and establish oversight mechanisms for business associates managing record requests.
- Leverage technology: Implement electronic portals and automated workflows to expedite record delivery.
- Document everything: Maintain clear records of requests, responses, and any extensions granted.
Looking Ahead: Policy and Practice
OCR’s enforcement trajectory suggests continued vigilance. Proposed updates to the HIPAA Privacy Rule may shorten response times to 15 days, reflecting a push for faster access in a digital health ecosystem.[7]
Conclusion
The message from OCR is unequivocal: patient access is non-negotiable. As enforcement ramps up, healthcare organizations must prioritize compliance—not only to avoid penalties but to uphold the trust and autonomy of the patients they serve. By embracing proactive strategies and leveraging technology, providers can remain compliant and reinforce their commitment to patient-centered care.
Is your organization ready for stricter enforcement? Start by reviewing your access policies today. Invest in staff training, technology solutions, and vendor oversight to ensure compliance—and protect your patients’ rights.
Contact us
For further details or additional information, please contact Noreen Vergara or another member of the Husch Blackwell Healthcare Privacy and Security Work Group.
[1] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html and https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/by-issue/index.html#access
[2] https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
[3] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
[4] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
[5] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
[6] https://healthit.gov/information-blocking/
[7] https://www.federalregister.gov/documents/2021/01/21/2021-00784/proposed-modifications-to-the-hipaa-privacy-rule