Optum Medical Care of New Jersey Settles OCR HIPAA Right of Access Investigation
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle alleged violations of the HIPAA Privacy Rule with Optum Medical Care of New Jersey for $160,000.
Optum Medical Care of New Jersey, formerly known as Riverside Medical Group and Riverside Pediatric Group, is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the Fall of 2021, OCR received six complaints from individuals who had not been provided with their records after sending a request to Optum Medical Care. The requests were to obtain a copy of an individual’s own records or requests from parents for copies of their minor children’s records.
The HIPAA Privacy Rule gives individuals the right to obtain a copy of their medical records and those of their minor children. When a request is received by a HIPAA covered entity, the records must be provided within 30 calendar days, although under certain limited circumstances, a 30-day extension is possible. OCR launched an investigation in February 2022 in response to the complaints and determined that Optum Medical Care had exceeded the allowed timeframe for providing those records. The complainants had to wait between 84 days and 231 days to receive their requested records.
Optum Medical Care chose to settle the alleged violations and agreed to pay a $160,000 financial penalty and adopt a corrective action plan (CAP) that includes reviewing and revising its policies and procedures for individual access to PHI, providing training to the workforce on those new procedures, and ensuring that all patients are provided with their requested records within 30 days. In the event of a right of access request being denied, OCR must be informed and provided with documentation to support that denial. OCR will monitor Optum Medical Care for compliance with the CAP for a period of one year.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“Health care providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law—providers must proactively respond to record requests and ensure timely access. Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”
OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, and this is the 46th investigation to result in a financial penalty. “Healthcare providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law—providers must proactively respond to record requests and ensure timely access. Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”
This is the 13th HIPAA enforcement action of 2023 to result in a financial penalty. In 2023, OCR has imposed $4,176,500 in financial penalties. The average penalty was $321,269 and the median penalty was $100,000.
OCR has also stated in its Healthcare Sector Cybersecurity Strategy that it is working with Congress to increase the penalties for HIPAA violations.