The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has reached a settlement with Concentra, Inc., an occupational health services provider based in Texas, over a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The case centered on a complaint that Concentra did not provide timely access to an individual's protected health information (PHI).
OCR's investigation found that Concentra failed to provide access to the requested PHI within the required 30-day timeframe set by HIPAA. The individual involved had made six requests starting in February 2018 but did not receive the records until March 2019, more than one year later.
This settlement is part of OCR’s ongoing Right of Access Enforcement Initiative, which began during the first term of the Trump Administration. It marks OCR’s 54th enforcement action related to ensuring individuals can access their medical records as outlined under HIPAA.
The HIPAA Privacy Rule gives individuals or their personal representatives the right to obtain their health information within 30 days, with a possible one-time extension of another 30 days if necessary. It also sets standards for protecting patient records and controlling how they are used and disclosed.
“Under the HIPAA Privacy Rule, individuals or their personal representatives have the right to timely access their medical records,” said OCR Director Paula M. Stannard. “Individuals should not have to make multiple requests and file a complaint with OCR to gain access to their health information.”
After its investigation, OCR issued a Notice of Proposed Determination on June 29, 2021, proposing a civil money penalty against Concentra. Before an administrative hearing could take place, both parties resolved the matter on May 5, 2025 through a settlement agreement that included payment by Concentra of $112,500.
Documents related to this case are available online:
- Notice of Proposed Determination: https://www.hhs.gov/sites/default/files/ocr-concentra-npd.pdf
- Settlement Agreement: https://www.hhs.gov/sites/default/files/ocr-concentra-settlement-agreement.pdf
OCR continues its commitment to enforcing HIPAA rules designed to protect privacy and security for patients’ health data. Information about these rules and guidance regarding patients' rights under HIPAA can be found on OCR’s website.
People who believe their privacy or civil rights related to health information have been violated may file complaints with OCR.
For updates from HHS OCR, follow @HHSOCR on X (formerly Twitter).
