Concentra Inc. Pays $112,500 to Settle HIPAA Right of Access Violations

HHS Office for Civil Rights announced a $112,500 settlement with Concentra, Inc., a national occupational health services company, to resolve potential violations of the HIPAA Right of Access Rule. OCR’s Right of Access Initiative, launched in 2019, continues to hold covered entities accountable for failing to provide patients timely and affordable access to their own health records.

Under HIPAA’s Right of Access provision, covered entities must provide patients with access to their PHI within 30 days of a request, in the format requested when readily producible. Concentra failed to meet these requirements, triggering OCR’s investigation and the resulting financial penalty.

Key issues identified:

• Failure to provide a patient timely access to requested medical records
• Non-compliance with the 30-day response requirement
• Inadequate policies and procedures around patient access requests

This settlement is one of more than 50 enforcement actions OCR has taken under its Right of Access Initiative, which has resulted in settlements ranging from $3,500 to $240,000 across a wide range of covered entities.

The broader picture: Right of Access enforcement shows no signs of slowing down under any administration. Healthcare organizations need clear, documented workflows for handling patient record requests — and secure systems for transmitting records once approved. AXIS CloudSync’s secure file sharing capabilities provide a HIPAA-compliant channel for delivering patient records electronically without sacrificing security.