
OCR Enforcement

OCR Passes 50 Enforcement Actions in 2026 — and Adds Parental Access to Its Target List

TL;DR

As of early 2026, OCR has settled or imposed civil money penalties in more than 50 HIPAA cases under its Risk Analysis Initiative and Right of Access Initiative combined. OCR has now added a third enforcement focus: parental access to minor patient records. Healthcare organizations must understand all three active enforcement priorities and ensure their policies and staff training address each one.

OCR has now resolved more than 50 HIPAA enforcement actions in 2026 under its Risk Analysis and Right of Access initiatives. A new enforcement focus on parental access to minor records adds a third priority area every practice must understand.

medcomply.ai editorial team · Published May 11, 2026 · Updated May 11, 2026 · 6 min read

When OCR launches an enforcement initiative, the question is always whether it will sustain momentum or quietly fade. The answer in 2026 is clear: OCR is not slowing down. It is adding new targets.

The 50-action milestone

As of January 2026, OCR has settled or imposed civil money penalties in more than 50 HIPAA violation cases under initiatives that include risk analysis and the Right of Access enforcement.

This figure represents two sustained, parallel enforcement programs running simultaneously — and now a third is being added. The volume of enforcement activity in 2026 is not a spike. It reflects an institutionalized enforcement posture that OCR has built over several years and shows no signs of scaling back.

OCR's recent initiatives go beyond merely checking that a risk analysis exists. Instead, OCR now evaluates risk management and mitigation — meaning that how organizations act on those analyses matters. Regulators are increasingly associating weak execution and stagnant risk remediations with lapses that lead to breaches and unauthorized disclosures.

Three active enforcement initiatives — not two

Most compliance professionals are now aware of OCR's two primary enforcement initiatives. What is less understood is that a third has been added in 2026.

Initiative 1 — Risk Analysis Initiative

Now expanded to include risk management, this initiative investigates whether organizations have conducted documented, enterprise-wide risk analyses and — critically — whether they have actually acted on the findings. OCR has made clear it is no longer satisfied with a risk analysis document sitting in a filing cabinet. It wants evidence of remediation.

45 CFR §164.308(a)(1)

Initiative 2 — Right of Access Initiative

Launched in 2019, this initiative enforces patients' right to timely, affordable access to their medical records. OCR enforcement continues to emphasize timely patient access and demonstrable documentation of access requests and turnaround times. Practices must track every records request, respond within 30 days, and charge only cost-based fees.

45 CFR §164.524

Initiative 3 — Parental Access to Minor Records (new in 2026)

In 2026, regulators are also emphasizing parental access to minor records and updated rights enforcement, making this an area of significant enforcement attention.

This is the newest and least understood of OCR's enforcement priorities. Many covered entities — particularly pediatric practices, adolescent behavioral health providers, and school health clinics — have received conflicting guidance on when parents can and cannot access their minor children's records. OCR is now actively investigating complaints in this area.

Understanding the parental access rules

Under HIPAA, parents are generally the personal representatives of their unemancipated minor children — meaning they have the same rights to access their child's PHI as the child would have themselves.

45 CFR §164.502(g)

However, there are three narrow exceptions where a covered entity may — and in some cases must — deny parental access:

Exception 1 — Minor consented to care independently: When state or other applicable law permits a minor to consent to a particular healthcare service without parental consent, and the minor consents to that service, the parent is not automatically the personal representative for that service. Common examples include STI treatment, substance use disorder treatment, and mental health services in states where minors have independent consent rights.

Exception 2 — Court-ordered confidentiality: When a court has granted the minor authority to consent or has ordered that the parent not have access.

Exception 3 — Professional judgment: When a licensed healthcare professional determines, in their professional judgment, that providing access to the parent would endanger the minor — for example, in suspected abuse situations.

Outside these three exceptions, denying a parent access to their minor child's records is a HIPAA violation. And OCR is now actively enforcing this.

Warning

State law interacts significantly with parental access rights. In states with broad minor consent laws — including California, New York, and New Jersey — the scope of services for which parents cannot access records is larger than in states with narrower minor consent laws. Your policies must reflect your specific state's law.

What all three initiatives have in common

OCR is entering 2026 with an assertive posture focused on provable compliance, timely patient access, and demonstrable security maturity. Expect a continued emphasis on documentation that shows what you implemented, when, and how risks were reduced — not just policies on paper.

The through-line across all three initiatives is documentation and demonstrability. OCR is not asking whether you have good intentions. It is asking whether you can prove what you did, when you did it, and what the outcome was.

For the Risk Analysis Initiative: can you produce a current risk analysis and a risk management plan showing what you did about each finding?

For the Right of Access Initiative: can you produce a log of every records request, when it was received, when it was fulfilled, and what fee was charged?

For the Parental Access Initiative: can you produce your written policies on parental access to minor records, your state law analysis supporting those policies, and documentation of how individual access decisions were made?

The evidence binder concept

Assemble your evidence binder — organized by requirement, date-stamped, and showing who approved each control and when it went live. When OCR asks, you can hand over a ready evidence binder organized by requirement.

This practical concept — a pre-organized collection of compliance documentation ready for OCR review — is worth implementing now rather than scrambling to assemble after an investigation opens. Your evidence binder for each initiative should include:

For Risk Analysis: the risk analysis document, the risk management plan, evidence of remediation actions taken, and dates of updates.

For Right of Access: your access request log, copies of fulfilled requests, fee schedule, and any denial letters with documented justification.

For Parental Access: your written policy on minor records access, your state law analysis, and documentation of how specific access decisions were made when the exceptions applied.

OCR now has three active enforcement initiatives running simultaneously. If your compliance program only addresses one or two of them — or if you have documentation policies but no actual documentation — you are exposed. The question OCR asks is not whether you have policies. It is whether you can prove you followed them.

Sources & citations

  • Healthcare Compliance Pros — HIPAA Risk Analysis Enforcement 2026
  • HHS OCR Resolution Agreements Index
  • 45 CFR §164.524 — Right of Access
  • 45 CFR §164.502(g) — Personal Representatives

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

How many HIPAA enforcement actions has OCR taken in 2026?

As of early 2026, OCR has settled or imposed civil money penalties in more than 50 HIPAA violation cases under its Risk Analysis Initiative and Right of Access Initiative. This represents a sustained and expanding enforcement posture, not a temporary spike.

What is OCR's new parental access enforcement focus?

OCR has added enforcement of parental access to minor patient records as a priority area in 2026. Under HIPAA, parents are generally the personal representatives of their minor children and have the right to access their children's medical records. OCR is investigating complaints where covered entities denied or delayed parental access without legal justification.

When can a covered entity deny parental access to a minor's records?

There are three situations where a covered entity may deny a parent access to a minor's records: (1) when the minor consented to care and the consent of a parent is not required under state law; (2) when a court has granted the minor authority to consent; or (3) when the covered entity's licensed healthcare professional determines in their professional judgment that providing access would endanger the minor. Outside these narrow exceptions, parental access must generally be provided.

What is the Right of Access Initiative and how long has it been running?

OCR launched the Right of Access Initiative in 2019 to enforce patients' right to timely, low-cost access to their medical records under 45 CFR §164.524. The initiative has resulted in dozens of enforcement actions against covered entities that denied access, charged excessive fees, or failed to respond within the 30-day window. It remains one of OCR's most active enforcement programs.

What triggers an OCR investigation under the Right of Access Initiative?

Most Right of Access investigations are triggered by individual complaints filed directly with OCR. A single patient complaint alleging denial of records, excessive fees, or delayed response is sufficient to open an investigation. OCR has shown it will pursue even small practices for right of access violations.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.