Concentra Resolves its HIPAA Right of Access Violation for $112,500

December 21, 2025HIPAA News0

Concentra Inc. made a decision to settle an alleged HIPAA Right of Access violation with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by paying $112,500 as a financial penalty.

HIPAA Privacy Regulation respects the rights of individuals over their protected health information (PHI), including the right to get a copy of their data and only pay a reasonable, cost-based fee. When a HIPAA-covered entity receives a request for a copy of an individual’s medical files, the requested information must be given within 30 days. The records must be given in the format requested, so long as the covered entity is able to easily generate them in the required format. OCR announced an enforcement initiative in late 2019 targeting noncompliance with the HIPAA Privacy Guideline after getting several complaints from people who were not furnished with their requested data promptly. Including the latest financial penalty, OCR has issued 54 financial penalties as per this enforcement initiative.

Concentra, based in Addison, Texas, a HIPAA-covered entity, is an expert in occupational health. Concentra manages 547 occupational health centers and 151 on-site health clinics at employer worksites in about 40 U.S. states. OCR began investigating because of a complaint received from a person who was not provided with a copy of his PHI, despite filing six separate requests. Concentra’s Peoria, Arizona, Center received the initial request on February 15, 2018.

The patient asked for an electronic copy of his health and billing data in February 2018. A Concentra staff member submitted the access request to Concentra’s Central Billing Office (CBO). The patient requested from the same Peoria office in 2018, and the request was likewise sent to the CBO. However, the information was not made available. OCR stated on October 8, 2018, that Concentra’s business associate asked for $82.57 to generate a copy of the requested records. The invoice was questioned, and on March 19, 2019, the transaction was altered to a flat fee of $6.50, and the documents were mailed in paper format.

OCR informed Concentra that the investigation discovered a probable violation of the HIPAA Right of Access for failing to provide the documents within 30 days. Concentra replied and argued the first results of the investigation and filed evidence in aid of its position. OCR reacted and recommended a $250,000 financial penalty to settle the violation, having declined Concentra’s proof. Concentra requested the advice of an Administrative Law Judge to dispute the suggested civil monetary penalty. Concentra and OCR then took part in the settlement talks and, on May 5, 2025, before an administrative hearing, both parties consented to settle the case by paying a $112,500 financial penalty.

Based on the HIPAA Privacy Rule, persons or their personal representatives can get prompt access their health records. Individuals should never have to make multiple requests and file a complaint with OCR to obtain access to their health data. OCR has been actively enforcing compliance with the HIPAA Rules in 2025. The Concentra HIPAA fine is OCR’s 21st penalty enforced in 2025 to resolve supposed HIPAA rules violations.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.