December 30, 2025

You may be done wrapping gifts, but year-end is the perfect time to wrap up compliance loose ends and start the new year with everything tied up in a neat bow. As your office returns to normal after the post-holiday haze, use the (hopefully) quiet time to get your compliance program in order. Here’s your practice’s end-of-year HIPAA checklist to help you confirm the essentials are handled and documented before 2026 begins.

Confirm HIPAA Training is Complete (and Documented)

HIPAA training is required yearly and for all new staff members upon joining the team. As the year comes to a close, it’s strongly recommended to review all training documentation. This should include confirming that any new hires have received HIPAA onboarding training, verifying that all current staff completed training during the calendar year, and ensuring that your practice has the necessary documentation, such as training certificates, to prove it.

Maintaining records of your training is crucial. Not only does it keep your documentation organized, but the Office for Civil Rights (OCR) will require this proof if your practice is ever investigated.

Make Sure Your Right of Access Process is Crystal Clear to All Staff

While patient record requests might seem simple, they’re one of the most common HIPAA violations. In fact, the latest HIPAA fine, exceeding $100,000, was issued due to one patient’s complaint after their records weren’t properly released. Ensure your staff is aware of the process for releasing patient records and the strict timelines your practice must follow. On a federal level, records must be released within 30 days; however, depending on the state, they may have to be released even sooner.

Review Your Business Associate Agreements (BAAs)

This is one of the most common gaps across practices: vendors have access to PHI, but the paperwork isn’t complete or updated. The vendors, or Business Associates (BAs), with which your practice works must also follow HIPAA requirements. To protect your practice, ensure you have a Business Associate Agreement (BAA) in place with every vendor you work with. A BAA establishes legal liability if your BA experiences a breach. It also outlines the steps your vendor must take to maintain the security of Protected Health Information (PHI) and how to respond to a data breach.

Confirm Your Security Risk Analysis (SRA) is Current

The Security Risk Analysis (SRA) is the foundation of a compliant practice. The SRA is a comprehensive review of all physical, technical, and administrative safeguards your practice has in place. For example, the SRA would review how your practice checks in patients, as well as the operating system used on the computers in your practice. Take this downtime to review your SRA. The OCR expects this to be an active, living document, not something that sits in a folder gathering dust. Ensure you have identified any new risks, such as new software implementations or changes in office layout, and have updated your SRA accordingly.

Update Your Policies and Procedures

Operating on “outdated instructions” is a major liability. HIPAA requires that your written policies and procedures accurately reflect your practice’s current daily operations. If you’ve implemented new technology in your practice or changed any internal workflows, now is the time to ensure that the policies and procedures reflect that. While policies and procedures might feel like just paperwork, alongside thorough training, they are the primary tools for ensuring your staff knows exactly how to handle and protect patient data.

Streamline Compliance in 2026

If this end-of-year HIPAA checklist feels overwhelming to manage while running a busy practice, you’re not alone. The good news? You don’t have to do it manually. Smart compliance software is designed to eliminate the guesswork from the process. From dynamically generating your policies and procedures to automating employee training and guiding you through your SRA, it turns hours of “paperwork” into a few simple clicks. Meet with a compliance expert today to see how you can streamline compliance in 2026.
One Patient Request, Years of Fallout: The Concentra Right of Access Case
December 22, 2025

Well, the Office for Civil Rights (OCR) is back, folks! After a historic government shutdown, the OCR has announced its first fine since the shutdown. The recipient of the latest fine is Concentra, Inc., a Texas-based enterprise healthcare provider. While this health organization might have numerous locations, the root of this federal fine and years of legal battles stems from one patient complaint to the OCR. With the 21st fine of the year, we’re taking it back to the basics: Patient Right of Access.

What Happened?

In February 2018, a patient requested a copy of their medical and billing records from Concentra’s Peoria, Arizona, location. While a Concentra employee forwarded the request to the billing office, the patient did not receive their medical records in a timely manner. The patient sent several requests throughout the year. In October 2018, Concentra’s Business Associate issued an invoice to the patient for $82.57 for the requested medical records. This amount was disputed. After months of back-and-forth with Concentra, in December 2018, the patient filed a complaint with the OCR regarding how the healthcare provider handled their record request. Finally, in March 2019, over a year after the initial request, Concentra’s Business Associate provided the health records to the patient for an adjusted rate of $6.50.

Providing the records was just the beginning for Concentra. In the summer of 2020, the OCR notified the healthcare provider that this case indicated noncompliance with the Privacy Rule and provided Concentra with the opportunity to submit mitigating evidence. Then, in 2021, the OCR proposed to levy a $250,000 penalty. After several more years of legal battles, the OCR settled this case in 2025 with a $112,500 settlement.

Patient Right of Access 101

This lengthy chain of events highlights the importance of promptly and thoroughly addressing patient requests. Detailed in the Privacy Rule, patients have the right to access their health records within 30 days from the initial request, known as the Right of Access. This timely access empowers patients to make informed decisions about their healthcare.

This 30-day timeline applies on the federal level. Depending on the state, your practice may be required to comply with more stringent timelines, as seen in California. The 30-day timeline is firm, and a practice can only be granted an extension once, for an additional 30 days.

In addition to adhering to the 30-day timeline, the fees for copies of records must be reasonable and feasible. The acceptable fee for providing copies of documents is limited to the cost of labor for copying, supplies, postage, and any provided summary. Alternatively, your practice can charge a flat fee of not more than $6.50 instead of calculating these specific costs.

Keeping Your Practice Compliant (And Your Patients Happy)

While following the Right of Access might seem straightforward, it’s one of the most common HIPAA violations practices make. There have been 50+ HIPAA Right of Access enforcement actions levied by the OCR. With the right compliance program, you can ensure that your staff is aware of all requirements when handling patient requests. Clear policies and engaging training help you respond correctly, on time, and with confidence. Ready to ensure your practice is HIPAA compliant? Schedule a consultation with one of our compliance experts today.
How to Stay HIPAA Compliant When Patients Request Their Medical Records
October 27, 2025

Imagine a scenario that’s played out at your practice a million times: a patient calls and asks for a copy of their medical records. Simple, right? Believe it or not, what seems like a routine request can quickly become a compliance risk if your employees misunderstand timelines, allowable fees, or who’s allowed to access certain information. With over 50 penalties and millions of dollars in fines issued by the Office for Civil Rights due to Right of Access violations, your practice has a responsibility to understand its role when handling patient requests. By acknowledging your practice’s duties and properly training your staff, you can empower your team to deliver documents in a timely manner that still protects sensitive data.

Right of Access 101

Right of Access, established in the HIPAA Privacy Rule, gives patients the right to receive their records within 30 days of the initial request. Depending on the state, the number of days your practice has to fulfill requests may be even less. For example, California legislation requires that patient requests be fulfilled within 15 days. This timeline is strict and can only be extended once, for an additional 30 days. So, once you receive a request, it’s go time.

Before the staff gathers anything, the first question is: how should these records be sent out? Even if the request comes through a secure portal, your staff must encrypt any Protected Health Information (PHI) sent electronically. Certified mail is recommended for safe and trackable delivery if the patient requests a physical copy.

Now, what can you charge to deliver these records? Patients have a right to their health records, and any associated costs must be minimal to remain HIPAA compliant. According to the OCR, a flat fee of $6.50 is permitted for all requests for copies of PHI maintained electronically. Additionally, ensure that thorough documentation, like a current HIPAA consent form, is in place if the requester is not the patient themselves.

Keeping Your Practice Compliant

So, think back to the scenario we mentioned earlier. Only now, you don’t have to stress! Your team is trained and aware of their responsibility to fulfill patients’ requests. Your patients get what they want, and quickly and compliantly addressing their requests promotes patient satisfaction while helping your practice avoid thousands of dollars in fines and reputational damage. The proper software solution centralizes all documentation, policies, forms, and training related to Right of Access. This cloud-based hub provides easy access for everyone in your practice, giving staff the tools they need to be successful. To learn more about Right of Access in your practice, meet with a compliance expert today.
What is Right of Access?: Understanding the HIPAA Privacy Rule
March 20, 2025

HIPAA is often misunderstood as only addressing the security of medical information. However, it encompasses more than that. The Health Insurance Portability & Accountability Act also defines how medical information must be shared with patients through the Privacy Rule. This highlights another key responsibility healthcare providers must be accountable for. Alongside the Security Rule and the Breach Notification Rule, the Privacy Rule provides patients additional rights regarding how their medical records are handled. The Privacy Rule created the Right of Access, requiring practices to provide patients with their medical records in a timely manner. With the latest HIPAA fine being for a Right of Access violation, it’s vital for practices to be aware of this requirement and how it pertains to the care they provide.

What is Right of Access?

Right of Access gives practices 30 days to fulfill a patient’s request for their records. In some situations, these 30 days can be extended by an additional 30 days, but that is the longest period of time allowed to provide a patient with their records. This is a federal requirement, but the timeline could be even shorter depending on where the practice is located. For instance, if the practice is in California, staff must provide patients with medical records within 15 days.

Your practice can charge for medical records, but the charge needs to be reasonable. The Office for Civil Rights (OCR) defines this as the average cost of supplies, limited labor, and postage when providing medical records to a patient. However, instead of calculating this cost, the OCR also suggested a flat fee not to exceed $6.50 when handling electronic records. Once again, other guidance can be levied on the state level, like California’s cap on the cost of medical records at 25¢ a page plus a reasonable clerical fee.

From the moment a practice receives a request, it must be addressed quickly. Staying on top of these requests is crucial for staying compliant and maintaining patient satisfaction.

How to Stay Compliant

While this might seem simple, many practices have been fined in the past for violating this patient right. In 2024 alone, Right of Access fines accounted for nearly $500,000. The OCR introduced a Right of Access Initiative to ensure that these patient requests are taken seriously. Many of these investigations and fines stem from patient complaints, showing the importance of complying with this HIPAA component.

Utilizing smart software solutions can assist your team in ensuring that all staff members are aware of their responsibilities when handling PHI, including the responsibility to address patient requests quickly. This empowers your team to take accountability and keep patients happy. To learn more about how to comply with HIPAA Right of Access legislation, meet with our team of compliance experts today.
The Price of Delay: A Costly HIPAA Lesson
December 2, 2024

Over a million dollars in HIPAA fines have been levied in the past few months, and like this winter’s snow, the fines continue to pile up, with a $100,000 fine recently announced. Last week, Rio Hondo Community Mental Health Center, an outpatient program managed by the Los Angeles Department of Health, was fined for a Right of Access violation. This marks the 51st enforcement of the Right of Access rule, highlighting the importance of handling patient records in a timely manner.

What Happened?

A patient requested a copy of her records on March 18, 2020. As we all know, March 2020 was marked by the beginning of the unprecedented COVID-19 pandemic, which led to the mental health center’s closure after the Governor of California put a “stay-at-home” order into action. However, the center reopened at the beginning of May 2020, allowing some staff to return to the facility. While the patient was told her records would be ready at this time, she was misinformed and began the summer with a flurry of calls and other forms of contact to request her medical records. After her requests went unfulfilled several times, the patient filed a complaint with the Office for Civil Rights (OCR) at the end of August 2020. The OCR then began investigating Rio Hondo at the beginning of October. The medical records were finally sent on October 20, 2020, 216 days after the first request.

The Right of Access rule requires Covered Entities to provide patients with their medical records within 30 days of the initial request. While the medical center was under a “stay-at-home” order during those 30 days, the delay was still significantly longer than the extension period of an additional 30 days, and the request could have been handled as soon as it was deemed safe for staff to return to the medical center.

This fine comes after a series of Right of Access fines, including another significant fine of $70,000 imposed at the end of October. The numerous fines issued this past year under the Right of Access initiative demonstrate the government’s commitment to this important aspect of patients’ rights.

Protect Your Practice from Costly Mistakes

Even during the peak of the global health crisis, HIPAA regulations stayed in effect. Implementing software solutions can help safeguard your practice. To ensure your staff remains compliant, it is highly recommended to use automated software that keeps you and your team in check, regardless of the circumstances. Schedule a consultation today to learn more about automated compliance for your practice.
Expensive Oversight: The Importance of Timely Patient Record Access
October 24, 2024

There has been a flurry of HIPAA fines in the past few weeks, with over half a million dollars levied in the last month. Just one example is Gums Dental Care, LLC, a small dental practice in Maryland that was fined for a Right of Access violation. Right of Access violations, which involve failing to provide medical records in a timely manner, are a common HIPAA mistake. Another violation of this kind was issued in August.

What Happened?

A patient requested her medical records from Gums Dental on April 8, 2019. After not receiving them, she filed a complaint with the OCR in May 2019. The OCR contacted Gums Dental Care to provide technical assistance and believed the case was over. This was just the beginning. This case spanned years, with a second complaint filed in August 2019 and the OCR sending several data requests to Gums Dental through letters and calls.

On October 1, 2020, the OCR sent Gums Dental a proposed resolution agreement and corrective action plan. At the end of the month, Dr. Gumbs wanted to present her case in front of a judge, believing the patient would commit Medicaid fraud with her records. She also said that the complainant didn’t pay a $25 administrative fee to release the medical records through the mail. First, patients should always have access to their medical records, regardless of their reasons. Second, the fee would have been waived if the patient had requested the records digitally rather than through the mail.

In December 2020, the OCR issued a Letter of Opportunity to Gums Dental. At the beginning of the next year, Dr. Gumbs once again justified her refusal to provide the records by saying she believed her patient would commit a crime with them. She also believed her website wasn’t secure enough to send them digitally. However, Gums Dental didn’t attempt to send the records at all.

By the time the Notice of Proposed Determination was sent in March 2022, roughly three years after the first medical record request, Gums Dental faced a Civil Monetary Penalty as high as $7,676,692. However, the OCR ultimately levied a $70,000 fine, recognizing the smaller size of the dental practice.

How to Protect Your Practice

Common HIPAA fines often involve Right of Access violations. At the federal level, practices are required to provide patients with their medical records within 30 days, and some states have an even shorter timeline. Navigating these unique regulations can be challenging, so having an intelligent solution is crucial. Smart software can streamline compliance for your practice by generating policies and procedures tailored to your needs. These solutions also include access to a team of compliance experts who can help answer your questions and ensure that you are interacting with patients in a HIPAA-compliant manner. To learn more about software solutions, meet with a compliance expert here.
Your Medical Records, Your Right: AMR Learns Costly Lesson
August 6, 2024

Did you know the Office for Civil Rights (OCR) has launched a new initiative to ensure proper compliance with patients’ Right of Access? American Medical Response (AMR), a private ambulance company, has now felt the impact of these efforts, becoming the 49th entity to face a HIPAA Right of Access Enforcement Action. AMR was recently fined $115,200 for failing to provide a patient with her medical records in a timely fashion.

AMR’s mistake was brought to the attention of the OCR through a patient complaint. On October 31, 2018, the patient requested a copy of her medical records. Instead of receiving them within the allotted 30 days, she found herself at the beginning of a long battle for her records. In January 2019, the patient sent follow-up requests to both AMR and its Business Associate, Centrex. AMR responded to the request in March 2019, sending the patient an invoice and requiring payment before the records were provided. During the ongoing battle for her medical records, she warned AMR she would report the organization to the OCR if her records were not provided. The patient filed a complaint in July 2019. Finally, the records were provided on November 5, 2019, over a year after the initial request.

What is Right of Access?

HIPAA’s Right of Access rule, which falls under the HIPAA Privacy Rule, allows patients to receive access to their medical records within 30 days with minimal or no charges. These charges can only include the costs of copying and mailing medical records. In some states, this 30-day requirement is shorter, like in California, which requires access to copies within 15 days. This right empowers patients to make informed healthcare decisions, such as sharing their medical history with new providers.

What should my practice do?

First, proper training is essential to ensure that staff understand the importance of providing patients with their records on time. Additionally, staff must understand and follow the procedures for securely sharing medical information with the patient. Ensuring staff is properly trained and aware of the resources available to them is vital to staying compliant.

You could be adding more stress to your plate if you still use a dusty binder to track and manage HIPAA compliance. Keeping track of training, documentation, and the constantly evolving regulations is a complex task that demands a modern approach. Intelligent software solutions can offer staff a centralized compliance hub with everything they need to know when navigating patient requests. To learn more about how smart compliance software solutions can protect your practice, schedule a consultation with an expert today.
HHS Cracks Down on New Jersey Nursing Facility for HIPAA Violation
April 1, 2024

The U.S. Department of Health and Human Services (HHS) has imposed a civil monetary penalty of $100,000 on Hackensack Meridian Health West Caldwell Care Center, a skilled nursing facility in New Jersey. The facility violated the HIPAA Right of Access law. The penalty stems from the facility’s failure to provide a patient’s medical records to their authorized representative in a timely manner, or within 30 days.

According to the HHS Office for Civil Rights (OCR), which investigated the case, Hackensack Meridian Health withheld the records even after receiving documentation demonstrating the individual’s legal right to access them. The requested records were ultimately sent to the authorized representative only after intervention by the OCR.

HIPAA guarantees patients the right to access and obtain copies of their medical records. The OCR enforces this regulation and takes action against healthcare facilities that fail to comply. “A patient’s timely access to health records is paramount for medical care,” said OCR Director Melanie Fontes Rainer in a press release. “The OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

This incident highlights the importance of HIPAA and the rights it grants patients regarding their medical information. It also serves as a reminder for healthcare providers to ensure they have clear procedures in place for handling requests for medical records. This is also the second Right of Access violation ruled on in the last week. Read more about other recent fines here.
Phoenix Healthcare Fine: Don’t be a Fool in Compliance
April 1, 2024

Happy April Fools’ Day! We hope you’re enjoying the holiday with some lighthearted fun and pranks! Now, HIPAA regulations are no laughing matter. HIPAA regulations are in place to protect patients’ information, making sure we all have the rights we deserve to keep our information safe. Today, we’re talking about the latest HIPAA fine, given to a multi-location nursing care organization in Oklahoma, Phoenix Healthcare. Phoenix Healthcare was fined 35 grand for violating the HIPAA Right of Access Rule, becoming the butt of the joke with this major fine. Get buckled up, pranksters! We’re all in for some April Fools’ fun, but don’t even think about messing with HIPAA. Patient privacy is no joke!

So, What Happened?

Well, what happened was unfortunately not a prank. Phoenix Healthcare withheld someone’s health information for almost a year after an initial request was made. The OCR was made aware of this not-so-funny situation by a caretaker trying to get the health information of her mother, a patient at the nursing home. Like a joke that went on too long, Phoenix Healthcare eventually did send the information to the daughter. However, the HIPAA Right of Access Rule requires information to be shared within thirty days of a request. In some states, it’s even sooner, like California! The daughter reported the HIPAA violation to the OCR, and at first, Phoenix Healthcare was ordered to pay a fine of $75,000! With an appeal, and an agreement that Phoenix Healthcare would update its HIPAA policies and procedures and provide training, the fine was lowered to $35,000. Whew! While Phoenix Healthcare is still on thin ice, they saved themselves a lot of money.

What can I learn from this?

Well, great question! First, HIPAA compliance is no joke. But don’t worry, no April Fools’ pranks here! To stay ahead of the curve, we can make sure your practice is up-to-date on all the HIPAA rules. That way, you can focus on the fun and leave the compliance worries to us. With Abyde, we make sure you Never Stress Over Compliance Again! The Abyde software offers a variety of features to simplify the compliance process. Yes, the words ‘simple’ and ‘compliance’ can be in the same sentence. While this is a chore for Phoenix Healthcare, the Abyde software even includes dynamically generated policies and procedures, giving you HIPAA-compliant policies in seconds. Training is also covered, with our enjoyable training that somehow makes learning about HIPAA fun! We promise you, this isn’t an April Fools’ trick; we actually make compliance easy. To learn more about how Abyde can help your practice, schedule a consultation here.
HIPAA Fine Announced: OCR Cracks Down After Multiple HIPAA Complaints Over Patient Right of Access
January 5, 2024

Patients at Optum Medical Care in New Jersey and Connecticut had a frustrating experience: waiting months for their medical records. They requested their records, as guaranteed by the Health Insurance Portability and Accountability Act (HIPAA), but Optum dragged its feet for months, far beyond the 30-day legal limit. Fed up with the delays, several patients filed complaints with the Office for Civil Rights (OCR). The OCR investigated and found that Optum had indeed violated the law. As a consequence, Optum has been slapped with a $160,000 fine and ordered to implement a corrective action plan to speed up the record-sharing process.

This case is a reminder of two important things:

This case is also the 46th enforcement action taken by the OCR under its Right of Access Initiative, highlighting the importance of timely access to medical records for patients across the country.

Abyde: Your Partner in HIPAA Compliance

At Abyde, we recognize the stress practices undergo trying to stay in compliance. We remain committed to supporting practices in navigating the complexities of HIPAA compliance, with a specific emphasis on the importance of providing patients medical records within the allotted time frame. Contact Abyde today at info@abyde.com and set up a demo to see why Abyde is considered the pre-eminent HIPAA compliance solution.