
OCR Enforcement

Concentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months

TL;DR

OCR settled with Concentra Inc. in December 2025 for $112,500 — OCR's 54th Right of Access enforcement action — after a patient submitted six records requests beginning in February 2018 and did not receive his health information until March 2019, more than 13 months later. The case required seven years of investigation and an administrative law judge proceeding before resolving. It is a stark illustration of the costs of failing to take records requests seriously.


OCR's 54th Right of Access enforcement action settled with Concentra Inc. for $112,500 after a patient had to make six separate records requests over more than a year before receiving access to his health information.

medcomply.ai editorial team · Published May 14, 2026 · Updated May 14, 2026 · 6 min read

Some HIPAA enforcement cases are complicated. The Concentra case is not. A patient asked for his records. He asked six times. He waited more than a year. He filed a complaint with OCR. Seven years later Concentra paid $112,500.

That is the entire story — and it is one that plays out in healthcare organizations every week.

What happened

OCR announced a settlement with Concentra Inc., an occupational health services provider headquartered in Texas, on December 16, 2025. The settlement resolved an investigation that OCR initiated after receiving a complaint that an individual was not given timely access to his protected health information, despite making six requests beginning in February 2018. The individual did not receive access to his health information until March 2019, more than a year after his initial request.

OCR's investigation determined that Concentra failed to take timely action in response to the individual's right of access requests in accordance with the HIPAA Privacy Rule's right of access standard.

The timeline of the case is instructive:

  • February 2018 — Patient makes first records request
  • March 2019 — Patient finally receives access, 13+ months later
  • 2019 — Patient files complaint with OCR
  • June 29, 2021 — OCR issues Notice of Proposed Determination proposing a civil money penalty
  • 2021-2025 — Concentra requests administrative law judge hearing; case proceeds
  • May 5, 2025 — Parties resolve prior to administrative hearing; Concentra pays $112,500
  • December 16, 2025 — OCR publicly announces the settlement as its 54th Right of Access enforcement action

This settlement marks OCR's 54th HIPAA Right of Access enforcement action to advance individual access to medical records.

The six requests problem

The most striking detail in this case is not the penalty amount or the resolution timeline — it is the six requests.

Under HIPAA, a covered entity must respond to a written records request within 30 days. One 30-day extension is permitted with written notice to the patient. That is the legal framework: 30 days, with one extension, for a total maximum of 60 days (45 CFR §164.524(b)(2)).

In the Concentra case, a patient made six separate requests over 13 months, which suggests that each request was ignored, lost, or improperly processed, prompting the patient to try again. This is not a close legal question about the scope of the right of access or the permissible grounds for denial. It is a process failure: a covered entity that did not have a functioning records request system.

What OCR's Right of Access Initiative has become

OCR launched the Right of Access Initiative in 2019 with a stated goal of enforcing patients' fundamental right to access their own health information. Six years and 54 enforcement actions later the initiative has become one of OCR's most active and sustained enforcement programs.

The pattern across those 54 cases reveals consistent themes: patients who had to request records multiple times, excessive fees that discouraged access, responses that exceeded the 30-day deadline without proper extension notices, and outright denials without legally recognized grounds.

Penalties across the 54 cases have ranged from $3,500 to $240,000 — with most falling in the $20,000 to $100,000 range. The $112,500 Concentra settlement is on the higher end, reflecting the egregious nature of a 13-month delay and six separate requests.

Warning

OCR has been explicit that Right of Access complaints are one of the most common triggers for HIPAA investigations. A single patient complaint — one person, one letter to OCR — is sufficient to open a full investigation. Your records request process is not a back-office administrative matter. It is a live enforcement risk.

The seven-year investigation cost

The Concentra case also illustrates a less-discussed cost of HIPAA enforcement: the investigation itself.

OCR initiated this investigation in 2019. The case was not resolved until May 2025 — six years later. During that period Concentra was managing an active OCR investigation, responding to document requests, and eventually engaging in administrative law judge proceedings before agreeing to settle prior to the hearing.

The legal costs of defending a multi-year OCR investigation — attorney fees, compliance consultant fees, staff time, document production — frequently exceed the settlement amount. An organization that settles for $112,500 may have spent significantly more than that on the defense.

This is the math that makes proactive right of access compliance investment straightforward: a functioning records request process costs far less than six years of OCR investigation management.

Building a records request process that works

The Concentra case is a systems failure, not a knowledge failure. The legal requirement — respond within 30 days, charge only reasonable fees, do not deny without legal grounds — is not complicated. What breaks down is the operational process for receiving, tracking, and fulfilling requests.

Every covered entity needs four things:

1. A designated intake point. Every records request — regardless of how it arrives (in person, by mail, by phone, through a patient portal) — must be captured in a central log the moment it is received. The 30-day clock starts at receipt, not at the point someone processes the request.

2. A deadline tracking system. Whether it is a spreadsheet, a ticketing system, or a dedicated compliance platform, every pending records request must have a visible deadline that is actively monitored. Requests cannot fall through the cracks.

3. A clear escalation path. When a request approaches its deadline without being fulfilled, there must be an escalation path — someone who is alerted and responsible for ensuring the request is completed or that a proper extension notice is sent.

4. Documentation of fulfillment. Keep proof of every response: what was sent, when, to whom, and how. If OCR investigates, you need to be able to produce this documentation for every request in the relevant period.

The Concentra case is simple: a patient asked for his records six times and waited 13 months. The right of access is one of HIPAA's clearest requirements and one of OCR's most actively enforced. If your practice does not have a documented, tracked process for responding to records requests within 30 days, that is your most immediate compliance gap to close.

Sources & citations

  • HHS OCR — Concentra Settlement, December 16, 2025
  • 45 CFR §164.524 — Right of Access

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What is Concentra and why was it subject to HIPAA?

Concentra Inc. is an occupational health services provider headquartered in Texas, operating urgent care and occupational medicine clinics across the United States. As a healthcare provider that creates, receives, and maintains protected health information, Concentra is a HIPAA covered entity subject to the full Privacy Rule including the right of access.

How many times did the patient have to request his records?

The patient made six separate records requests beginning in February 2018. He did not receive access to his health information until March 2019 — more than 13 months after his first request. HIPAA requires covered entities to respond to records requests within 30 days of receipt.

Why did this case take so long to resolve?

OCR initiated the investigation after receiving the patient's complaint and issued a Notice of Proposed Determination proposing a civil money penalty on June 29, 2021. Concentra subsequently requested a hearing before an administrative law judge — a process that can take years. The parties resolved the case on May 5, 2025, prior to the administrative hearing, with a settlement of $112,500.

What is OCR's Right of Access Initiative?

OCR launched the Right of Access Initiative in 2019 to enforce patients' right to timely, low-cost access to their medical records under 45 CFR §164.524. The initiative has resulted in 54 enforcement actions as of December 2025. Investigations are typically triggered by individual patient complaints. A single complaint is sufficient to open an investigation.

What does a covered entity need to do when a patient requests their records?

The covered entity must respond within 30 days of a written request. One 30-day extension is permitted with written notice to the patient before the initial deadline expires. Records must be provided in the format requested if reasonably producible. Fees must reflect only the reasonable cost of producing the records. Denial is permitted only in narrow circumstances enumerated in 45 CFR §164.524(a)(2) and (a)(3).

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.