HHS’ Office for Civil Rights Settles HIPAA Right of Access Investigation with Concentra, Inc.

OCR Settlement Marks OCR’s 54^th HIPAA Right of Access Enforcement Action to Advance Individual Access to Medical Records

WASHINGTON— December 16, 2025 — Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Concentra, Inc., (Concentra), an occupational health services provider headquartered in Texas, for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The settlement resolves an investigation of a complaint alleging a failure to provide timely access to an individual’s protected health information (PHI). OCR’s investigation determined Concentra failed to provide timely access to an individual’s PHI within 30 days. OCR’s settlement with Concentra marks the 54^th enforcement action in OCR’s Right of Access Enforcement Initiative, which OCR initiated during the first term of the Trump Administration.

The HIPAA Privacy Rule’s “Right of Access” provisions require that individuals or their personal representatives have timely access to health information within 30 days, with the possibility of one 30-day extension. OCR enforces the HIPAA Privacy Rule, which establishes national standards to protect individuals’ medical records; sets limits and conditions on the uses and disclosures of protected health information; and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records for a reasonable cost.

“Under the HIPAA Privacy Rule, individuals or their personal representatives have the right to timely access their medical records,” said OCR Director Paula M. Stannard. “Individuals should not have to make multiple requests and file a complaint with OCR to gain access to their health information.”

The enforcement action stems from an investigation that OCR initiated after receiving a complaint that an individual was not given timely access to his health information, despite making six requests beginning in February 2018. The individual did not receive access to his health information until March 2019, more than a year after his initial request. OCR’s investigation determined that Concentra failed to take timely action in response to the individual’s right of access requests in accordance with the HIPAA Privacy Rule’s right of access standard. On June 29, 2021, OCR issued a Notice of Proposed Determination proposing to impose a civil money penalty, and Concentra subsequently requested a hearing before an administrative law judge. On May 5, 2025, prior to an administrative hearing, OCR and Concentra resolved this enforcement action with a settlement agreement and payment by Concentra of $112,500.

The Notice of Proposed Determination may be found at: https://www.hhs.gov/sites/default/files/ocr-concentra-npd.pdf

The Settlement Agreement may be found at: https://www.hhs.gov/sites/default/files/ocr-concentra-settlement-agreement.pdf

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rule can be found on OCR’s website. OCR guidance on the HIPAA Right of Access provisions, including guidance on parental access to minor children’s protected health information, can also be found on OCR’s website. These guidance documents explain the Right of Access provision under the HIPAA Privacy Rule, which requires that individuals or their personal representatives (which generally include the parents or guardians of minor children), be given access to the PHI in designated record sets.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR.

Follow HHS OCR on X (formerly Twitter) at @HHSOCR.