HHS OCR Settles HIPAA Right of Access Violation with Concentra
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a settlement with Concentra, Inc., an occupational health service provider based in Texas, for alleged violations of the HIPAA Privacy Rule concerning timely access to protected health information (PHI). This enforcement marks the 54th action under OCR's Right of Access Initiative, which aims to uphold the HIPAA mandate requiring healthcare providers to furnish individuals or their personal representatives with access to their medical records within 30 days, with a permissible extension of an additional 30 days.

OCR's investigation found that Concentra delayed responding to an individual's multiple requests for their medical records, which spanned over a year and comprised six separate attempts. The settlement was reached following a Notice of Proposed Determination and a planned administrative hearing, resulting in a $112,500 payment by Concentra to resolve the matter.

This enforcement underscores OCR's ongoing commitment to ensuring compliance with HIPAA’s Privacy Rule, which sets national standards for safeguarding medical records and gives patients and their representatives enforceable rights to access their health information promptly. OCR provides guidance on HIPAA’s privacy provisions, including specific aspects such as parental access to minors' records, emphasizing the legal obligation of covered entities to facilitate timely and reasonable access. Healthcare organizations and payers should note this compliance focus, given its implications for regulatory risk management and for operational practices related to patient data access under HIPAA standards.