OCR’s 54th Right of Access enforcement action sends clear warning to healthcare providers: Patient record delays come with steep consequences

The U.S. Department of Health and Human Services Office for Civil Rights just announced another major settlement that should have every healthcare provider reviewing their patient record request procedures. On December 16, 2025, OCR reached a $112,500 settlement with Concentra, Inc., a Texas-based occupational health services provider, for failing to provide timely access to patient medical records—marking the 54th enforcement action under OCR’s aggressive Right of Access Initiative.
The Violation: A Year-Long Wait for Basic Medical Records
The case began when a patient made his first request for his health information in February 2018. Despite making six separate requests over the following months, he didn’t receive his records until March 2019—more than a year after his initial attempt. This egregious delay violated HIPAA’s fundamental requirement that patients receive their health information within 30 days.
OCR Director Paula M. Stannard made the agency’s position crystal clear: “Individuals should not have to make multiple requests and file a complaint with OCR to gain access to their health information.”
The settlement amount of $112,500 came after years of legal proceedings. OCR issued a Notice of Proposed Determination in June 2021, proposing civil money penalties. Concentra requested an administrative hearing, but ultimately settled before the hearing took place in May 2025.
Understanding HIPAA’s 30-Day Access Standard
The HIPAA Privacy Rule establishes strict timelines for patient access requests that every healthcare provider must follow:
Core Timeline Requirements
- 30 calendar days maximum: Healthcare providers must respond to patient access requests within 30 days of receiving them. This isn’t a suggestion; it’s a legal requirement.
- One 30-day extension permitted: In limited circumstances, providers can extend the deadline by an additional 30 days, but only if they notify the patient in writing within the initial 30-day period, explaining the reason for the delay and providing a new completion date.
- Total maximum of 60 days: Even with an extension, providers have at most 60 days to fulfill an access request.
When the Clock Starts Ticking
The 30-day countdown begins the moment a covered entity receives the request, not when it forwards the request to a business associate or finishes verifying the patient’s identity. Any delays in internal processing eat into that 30-day window.
Technology Raises Expectations
OCR has made clear that providers using electronic health records should respond much faster than the 30-day maximum. Patients reasonably expect near-instant access when providers have digital systems in place. Organizations with EHR systems that delay responses face heightened scrutiny during investigations.
Recent Settlements Show OCR Means Business
The Concentra settlement is part of a broader enforcement wave targeting patient access violations. Recent actions demonstrate OCR’s commitment to protecting patient rights:
2024-2025 Notable Settlements
- November 2024: Rio Hondo Community Mental Health Center paid $100,000 for failure to provide timely access, marking OCR’s 51st Right of Access enforcement action.
- August 2024: American Medical Response faced a $115,200 civil monetary penalty after taking 370 days to respond to a single patient request for records maintained in their EHR system.
- April 2024: Hackensack Meridian Health received a $100,000 penalty for denying a personal representative access to a resident’s medical records.
- March 2024: Phoenix Healthcare initially faced a $250,000 proposed penalty, ultimately settling for $35,000 after taking 323 days to fulfill a request.
These settlements reveal clear patterns in OCR’s enforcement priorities and the types of violations that trigger investigations.
Seven Critical Steps for Right of Access Compliance
Healthcare providers can avoid becoming the next enforcement statistic by implementing these essential practices:
1. Establish Clear Intake Channels
Create standardized methods for receiving access requests—patient portals, email, mail, fax, and in-person. Train front desk staff to immediately recognize and document these requests, as the 30-day clock starts the moment any part of your organization receives them.
2. Implement Tracking Systems with Automated Alerts
Deploy request management systems that automatically track deadlines and send escalating reminders as the 30-day mark approaches. Calendar reminders at day 7, day 15, and day 25 help prevent deadline violations.
3. Assign Clear Ownership
Designate specific staff members responsible for processing access requests. Confusion about ownership leads to delays. Consider appointing a Privacy Officer or Records Coordinator who oversees all requests and serves as the point person for escalations.
4. Train All Workforce Members
Don’t limit HIPAA training to your compliance team. Front desk staff, nurses, IT personnel, and billing departments all need to understand patient access rights and their role in the process. Staff who handle requests must know they cannot delay access for reasons like unpaid bills or pending litigation.
5. Streamline Identity Verification
Develop efficient identity verification procedures that don’t create unnecessary delays. OCR expects verification processes to be reasonable and not burdensome. Document your verification process and apply it consistently.
6. Communicate Proactively About Delays
If you need to invoke the 30-day extension, notify the patient in writing before the initial 30-day period expires. Explain the specific reason for the delay and state the exact date by which you’ll provide the records. Generic delay notices won’t satisfy HIPAA requirements.
7. Audit Your Compliance Regularly
Conduct quarterly reviews of all patient access requests. Track average response times, identify bottlenecks, and address systemic issues before they trigger complaints. Regular audits demonstrate good faith compliance efforts and help catch problems early.
What Providers Can and Cannot Do
Permitted Actions
- Verify the identity of requestors and the authority of personal representatives
- Provide records in alternative formats if the requested format isn’t readily producible
- Charge reasonable, cost-based fees limited to labor for copying, supplies, and postage
- Direct the patient to faster access methods like patient portals if available
Prohibited Actions
- Requiring in-person pickup when other delivery methods are requested
- Denying access due to unpaid bills or other financial disputes
- Forcing patients to sign up for a patient portal as a condition of receiving records
- Delaying responses while verifying insurance coverage or resolving billing issues
- Ignoring requests from personal representatives with proper authority
- Charging per-page fees for electronic health information
The Business Case for Compliance
Beyond avoiding six-figure penalties, timely patient access creates tangible business benefits. Patients who easily access their records report higher satisfaction scores, are more engaged in their care, and file fewer complaints. Efficient record request processes reduce staff time spent on escalations and OCR inquiries.
Organizations that view patient access as a customer service opportunity rather than a compliance burden often see improved patient retention and positive online reviews. In an era where patient experience drives healthcare consumerism, record access represents a low-cost way to differentiate your practice.
Why OCR Continues Prioritizing Right of Access
The Right of Access Initiative launched during the first Trump Administration and continues with bipartisan support. OCR Director Stannard’s statement in the Concentra case reinforces that this enforcement priority isn’t changing. Patients empowered with their health information make better healthcare decisions, catch errors in their records, and coordinate care more effectively.
OCR has now completed 54 enforcement actions specifically targeting access violations, collecting millions in penalties. The agency shows no signs of slowing down. In fact, with advancing technology making record production easier than ever, OCR expects faster compliance, not slower.
What to Do If You Receive an OCR Inquiry
If OCR contacts your organization about a patient access complaint:
- Respond promptly and completely to all information requests
- Document everything, including when you received the original request and what actions you took
- Provide the records immediately if you haven’t already done so
- Consider engaging healthcare compliance counsel to navigate the investigation
- Review your policies and procedures to identify and correct systemic issues
- Be prepared to demonstrate your good faith compliance efforts
OCR often resolves cases through corrective action plans rather than penalties when providers demonstrate genuine compliance efforts and promptly address violations. Organizations that cooperate fully and implement meaningful corrective measures typically achieve better outcomes.
The Bottom Line
The Concentra settlement sends an unmistakable message: healthcare providers cannot ignore or delay patient access requests. The 30-day timeline isn’t flexible, and claiming you’re “too busy” or that your records are “hard to access” won’t prevent enforcement action.
Every healthcare provider should treat this settlement as a wake-up call to audit their patient access procedures. Review pending requests, update policies, train staff, and implement tracking systems before an access violation becomes your organization’s next costly lesson in HIPAA compliance.
Patient access to medical records isn’t just a HIPAA requirement—it’s a fundamental healthcare right. Organizations that embrace this principle and prioritize timely access will avoid penalties while earning patient trust and loyalty.






