OCR's Right of Access Enforcement: The $4.3M Warning for Texas Medical Practices in 2026

April 12, 2026 · Compliance & Regulations

On February 28, 2026, OCR announced a $4.3 million settlement with a multi-location medical practice for systematic right of access violations. The investigation revealed that the practice had denied or delayed patient record requests in 847 instances over 18 months, with some patients waiting over 300 days for their own medical records. This settlement represents the largest right of access penalty to date and signals a fundamental shift in OCR enforcement priorities that Texas medical practices must address immediately.

The right of access initiative is no longer a compliance footnote. In Q1 2026, OCR has closed 34 right of access investigations with civil monetary penalties, exceeding the total for all of 2025. Texas practices appear disproportionately in this enforcement wave, with 12 Texas cases representing 35% of national enforcement activity. The message is clear: patient access rights have become a primary regulatory priority with substantial financial exposure.

Understanding Right of Access Requirements

The HIPAA Privacy Rule grants patients the right to access their medical records within 30 days of request, with a possible 30-day extension for complex cases. This requirement seems straightforward, but enforcement reveals systematic compliance failures across medical practices:

The 30-Day Hard Limit: The 30-day response deadline is absolute, not aspirational. Extensions require documented justification and patient notification. A Dallas cardiology practice was penalized $180,000 for routinely taking 45-60 days to fulfill requests without proper extension documentation. OCR treated each delayed response as a separate violation.

Information Blocking Prohibition: The 21st Century Cures Act information blocking regulations, enforced by OCR since 2024, prohibit practices from creating artificial barriers to record access. This includes excessive fees, unreasonable identity verification requirements, and format restrictions that impede patient use of their records. A Houston family practice's policy of releasing records only on paper with $75 per-page copying fees was deemed information blocking, resulting in a $340,000 settlement.

Complete Record Obligations: Patients are entitled to their complete designated record set, not selected portions practices choose to release. This includes billing records, clinical notes, test results, and documentation from all care settings. An Austin orthopedic practice was penalized for systematically excluding medication administration records from patient releases, claiming these were internal operational documents.

The Texas Enforcement Pattern

OCR's Q1 2026 enforcement data reveals specific patterns in right of access violations that Texas practices should examine:

Electronic Health Record System Limitations: Many violations stem from EHR systems that make comprehensive record extraction difficult or expensive. Practices using cloud EHR platforms often face per-request fees that create disincentives for timely patient access. A San Antonio practice's cloud EHR charged $25 per comprehensive patient record export, leading the practice to delay responses while seeking alternative solutions. OCR determined the EHR limitation did not excuse the access delay.

Vendor-Related Delays: Practices frequently blame record access delays on business associates including billing services, transcription companies, and imaging centers. OCR has consistently held practices responsible for business associate performance in fulfilling patient requests. A Fort Worth ENT practice was penalized for delays caused by a transcription vendor's 90-day turnaround on record requests, even though the vendor contract governed the relationship.

Administrative Staff Training Gaps: Many violations result from front desk and records staff who do not understand access requirements or who impose unauthorized verification procedures. A Tyler pediatric practice required patients to provide notarized identity verification for record requests, a requirement OCR determined exceeded reasonable standards and constituted information blocking.

The $4.3 Million Settlement: What Went Wrong

The February 2026 settlement provides a detailed roadmap of compliance failures that OCR considers particularly serious. The practice, a seven-location group in the Southeastern United States, exhibited systemic access denial patterns:

Denial of Third-Party Access: The practice refused to release records to patient-designated representatives including family members, legal guardians, and authorized advocates. OCR found 312 instances where valid representative requests were denied despite proper authorization documentation. The practice's policy required patients to personally appear for record release regardless of health status or geographic constraints.

Excessive Fee Structures: The practice charged patients up to $150 for electronic record delivery, well beyond the reasonable cost-based limits. For paper records, fees reached $1.25 per page with no cap, resulting in bills exceeding $800 for comprehensive record sets. OCR determined these fees were not cost-based and effectively denied access to patients who could not pay.

Systemic Delay Patterns: Analysis of 1,200 patient requests revealed a median response time of 67 days, with 23% of requests taking over 100 days. The practice had no tracking system for request aging and no escalation procedures for delayed responses. Multiple patients filed complaints with OCR after months of unanswered requests, triggering the investigation that revealed systematic non-compliance.

Technical Requirements and Common Failures

Fulfilling right of access obligations requires specific technical capabilities that many practices lack:

Patient Portal Completeness: While patient portals satisfy access requirements for information available through the portal, they often exclude important record components. Billing records, external consultant reports, and imaging interpretations may remain inaccessible. OCR requires that portal limitations be clearly disclosed and alternative access mechanisms provided for excluded records.

Format Flexibility: Patients may request records in paper, electronic, or specific digital formats. Practices must accommodate reasonable format requests or provide records in a readable alternative. A Georgetown practice was penalized for refusing to provide records in PDF format even though the patient's disability accommodations required an electronic format.

Secure Transmission Methods: Electronic record delivery must maintain HIPAA security standards while remaining accessible to patients. Many practices struggle with this balance, either using insecure email delivery or imposing technical requirements patients cannot satisfy. OCR permits reasonable security measures including encrypted email, patient portal download, and secure file transfer, but excessive security requirements may constitute information blocking.

Compliance Recommendations for Texas Practices

Meeting right of access obligations requires systematic process design and regular compliance verification:

Request Tracking Systems: Implement systems that track patient requests from receipt through fulfillment with automated aging alerts. Practices should have visibility into pending requests by age, responsible staff member, and fulfillment status. Weekly review of pending requests over 21 days old prevents deadline violations.

Staff Training and Authority: Front desk staff must understand access requirements and have authority to release records without excessive escalation. Standardized procedures should define what staff can release immediately, what requires physician review, and maximum review timeframes. Documentation requirements should be reasonable and clearly communicated.

Fee Structure Review: Review current fee schedules against OCR guidance on reasonable cost-based limits. Electronic record delivery fees should not exceed actual system costs. Paper copying fees should reflect reasonable per-page costs without arbitrary minimums. Fee waivers should be available for patients with demonstrated financial hardship.

Business Associate Accountability: Contractual agreements with vendors handling patient records must include specific access obligation language and performance metrics. Practices should monitor vendor compliance through regular reporting and have contingency procedures for vendor-caused delays.

Practical Takeaways for Texas Practices

  1. Audit current access performance - Review request fulfillment times and identify systematic delays or denials
  2. Implement request tracking - Deploy systems that monitor aging and alert on requests approaching deadlines
  3. Review fee structures - Ensure fees are cost-based and do not create access barriers
  4. Train staff on requirements - Front desk and records personnel must understand access rights and authorization standards
  5. Examine vendor contracts - Ensure business associate agreements address access obligations and performance requirements

Ensure Your Right of Access Compliance

We assess your current patient access procedures and implement systems that satisfy OCR requirements while maintaining operational efficiency. Our evaluations include process design, staff training, and documentation protocols that prevent the violations now resulting in substantial penalties.

Call 469-235-4144 or schedule online. We help Texas medical practices achieve and demonstrate compliance.