Patient Right of Access delays cost Optum Medical Care $160K

Patient right of access to medical records

Optum Medical Care (formerly known as Riverside Medical Group and Riverside Pediatric Group) is a large multi-specialty physician group serving patients throughout New Jersey and Southern Connecticut. Optum has agreed to pay $160,000 and implement a Corrective Action Plan (CAP) to resolve potential violations of the HIPAA Privacy Rule’s Right of Access provision.

This case marks OCR’s 46th Right of Access enforcement action, reinforcing that timely access to medical records is a fundamental patient right under HIPAA.

History

In the Fall of 2021, OCR received six complaints alleging that Optum Medical Care failed to provide patients or parents of minor patients with copies of their requested medical records. The investigation revealed delays ranging from 84 to 231 days, which are well beyond the HIPAA requirement to provide access within 30 calendar days of a valid request.

OCR began its investigation in February 2022 and determined that Optum’s failure to respond within the legally required timeframe constituted a potential violation of the HIPAA Right of Access Rule.

Settlement Terms

Under the Resolution Agreement, Optum Medical Care will:

  • Pay $160,000 to the U.S. Department of Health and Human Services.
  • Implement a Corrective Action Plan (CAP) monitored by OCR for one year.
  • Revise and update policies and procedures to ensure timely responses to access requests.
  • Train workforce members on the Right of Access requirements under HIPAA.
  • Report to OCR on all medical record access requests received and their fulfillment status.

OCR’s Message to Providers

OCR Director Melanie Fontes Rainer emphasized the importance of prioritizing patient access, stating:

“Health care providers must make responding to parents’ or patients’ requests for access to their medical records in a timely manner a priority. Access to medical records is a fundamental right under HIPAA… providers must proactively respond to record requests and ensure timely access.”

Rainer added that timely access empowers patients and families to make informed decisions and improve their health outcomes—reinforcing that patient rights are central to HIPAA’s mission.

What the HIPAA Right of Access Rule Requires

Under the HIPAA Privacy Rule, individuals (or their personal representatives) have the right to access, inspect, or receive copies of their health information maintained by a covered entity. Providers must:

  • Respond to access requests within 30 calendar days of receipt (may be reduced to 15 days).
  • Provide access in the format requested, if readily producible.
  • Charge only a reasonable, cost-based fee for copying, mailing, or preparing records.
  • Document and justify any extensions (up to an additional 30 days) with written notice to the requester.

Key Lessons for Healthcare Providers

This case underscores that even large, established medical groups are not exempt from enforcement. To stay compliant and avoid costly penalties, healthcare providers should:

  • Review and update Right of Access policies and procedures.
  • Maintain a tracking system for record requests and response deadlines.
  • Ensure all staff are trained to recognize and properly handle patient record requests.
  • Conduct periodic audits to verify timely responses.
  • Document all communications related to record requests.

HIPAA compliance is not just about data security; it’s about respecting patients’ rights. Failing to provide timely access to medical records not only violates the law but also erodes patient trust.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules including the Right of Access.

Don’t risk costly penalties. Ensure your team knows the rules and your policies support timely patient access.

Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have better outcomes.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
