Optum Medical Care (formerly known as Riverside Medical Group and Riverside Pediatric Group) is a large multi-specialty physician group serving patients throughout New Jersey and Southern Connecticut. Optum has agreed to pay $160,000 and implement a Corrective Action Plan (CAP) to resolve potential violations of the HIPAA Privacy Rule’s Right of Access provision.
This case marks the 46th Right of Access enforcement action by the HHS Office for Civil Rights (OCR), reinforcing that timely access to medical records is a fundamental patient right under HIPAA.
History
In the fall of 2021, OCR received six complaints alleging that Optum Medical Care failed to provide patients or parents of minor patients with copies of their requested medical records. The investigation revealed delays ranging from 84 to 231 days, well beyond the HIPAA requirement to provide access within 30 calendar days of a valid request.
OCR began its investigation in February 2022 and determined that Optum’s failure to respond within the legally required timeframe constituted a potential violation of the HIPAA Right of Access Rule.
Settlement Terms
Under the Resolution Agreement, Optum Medical Care will:
- Pay $160,000 to the U.S. Department of Health and Human Services.
- Implement a Corrective Action Plan (CAP) monitored by OCR for one year.
- Revise and update policies and procedures to ensure timely responses to access requests.
- Train workforce members on the Right of Access requirements under HIPAA.
- Report to OCR on all medical record access requests received and their fulfillment status.
OCR’s Message to Providers
OCR Director Melanie Fontes Rainer emphasized the importance of prioritizing patient access, stating:
“Health care providers must make responding to parents’ or patients’ requests for access to their medical records in a timely manner a priority. Access to medical records is a fundamental right under HIPAA… providers must proactively respond to record requests and ensure timely access.”
Rainer added that timely access empowers patients and families to make informed decisions and improve their health outcomes—reinforcing that patient rights are central to HIPAA’s mission.
What the HIPAA Right of Access Rule Requires
Under the HIPAA Privacy Rule, individuals (or their personal representatives) have the right to access, inspect, or receive copies of their health information maintained by a covered entity. Providers must:
- Respond to access requests within 30 calendar days of receipt (may be reduced to 15 days).
- Provide access in the format requested, if readily producible.
- Charge only a reasonable, cost-based fee for copying, mailing, or preparing records.
- Document and justify any extensions (up to an additional 30 days) with written notice to the requester.
Key Lessons for Healthcare Providers
This case underscores that even large, established medical groups are not exempt from enforcement. To stay compliant and avoid costly penalties, healthcare providers should:
- Review and update Right of Access policies and procedures.
- Maintain a tracking system for record requests and response deadlines.
- Ensure all staff are trained to recognize and properly handle patient record requests.
- Conduct periodic audits to verify timely responses.
- Document all communications related to record requests.
HIPAA compliance is not just about data security; it’s about respecting patients’ rights. Failing to provide timely access to medical records not only violates the law but also erodes patient trust.
At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules including the Right of Access.
Don’t risk costly penalties. Ensure your team knows the rules and your policies support timely patient access.

