On August 24, 2025, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published its 45th HIPAA Right of Access Initiative settlement, its first with a health plan. UnitedHealthcare Insurance Company agreed to pay $80,000 and enter into a one-year corrective action plan (CAP) to resolve allegations of HIPAA noncompliance.
On March 25, 2021, OCR received a third complaint from a UnitedHealthcare member, informing OCR that the health plan did not respond to their request for a copy of their records, which were first requested in January 2021. Once OCR initiated an investigation of UnitedHealthcare, the health plan provided the patient with a copy of the requested records, but this occurred six months after the initial request.
The right of access is a fundamental patient right under the HIPAA Privacy Rule. Healthcare providers, health plans, and any business associates assisting with the provision of access to records must ensure that they are following the requirements of the HIPAA Privacy Rule with respect to the provision of access. A HIPAA covered entity must provide patient access within 30 days of a request unless it has a reason to deny the request, as permissible under the Privacy Rule, or it has a valid reason to extend its response time by no more than 30 days. Previous OCR guidance indicates that this 30-day requirement is an “outer limit,” encouraging covered entities to provide access as soon as possible.
This settlement is notable in that all of the prior Right of Access Initiative settlements were entered into with healthcare providers. In the press release describing the settlement, OCR Director Melanie Fontes Rainer emphasized that health plans are not exempt from the access requirement. Health plans and other HIPAA-regulated entities should take care to ensure that their workforce, particularly the administrative staff and medical records personnel who receive records requests, has a comprehensive understanding of the HIPAA requirement to provide a patient or a member with access to their information, as well as the timing and fee requirements related to the provision of access.