The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Optum Medical Care of New Jersey (formerly known as Riverside Medical Group and Riverside Pediatric Group). Optum Medical Care is a multi-specialty physician group serving patients throughout New Jersey and Southern Connecticut. The settlement resolves multiple complaints filed with OCR concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s Right of Access provision. The HIPAA Right of Access provision requires that individuals or their personal representatives have timely access to their health information for a reasonable cost. OCR’s investigation revealed that Optum failed to provide access within 30 calendar days. Optum has agreed to implement a corrective action plan to ensure timely access for patients to their records and pay $160,000 to resolve this matter. The agreement marks OCR’s 46th Right of Access enforcement action.
“Health care providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law—providers must proactively respond to record requests and ensure timely access. Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”
In Fall 2021, OCR received six complaints alleging that Optum Medical Care failed to provide copies of medical records requested by an adult patient or by the parents of minor patients. In February 2022, OCR initiated investigations of these Right of Access complaints. The complaints disclosed that patients received their requested records between 84 and 231 days after their respective requests were submitted. Those timeframes are well outside of the HIPAA Right of Access requirement that providers must give access to medical records requested no later than 30 calendar days from receiving the individual’s request. OCR’s investigation determined that Optum Medical Care’s failure to provide timely access to the requested medical records was a potential violation of HIPAA.
In addition to paying $160,000 to OCR, Optum Medical Care will implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests. Under the plan, OCR will monitor Optum Medical Care for one year.
A copy of the resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/optum-medical-care.html
OCR’s guidance on the HIPAA Right of Access is available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
OCR’s guidance on the HIPAA Privacy Rule and personal representatives is available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html.
OCR is committed to enforcing the privacy and security of people’s health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: