Healthcare , HIPAA/HITECH , Industry Specific

Practice Fined $160K for 6 'Right of Access' Complaints

Settlement Is HHS OCR's 46th Enforcement Action Based on Health Record Complaints
Practice Fined $160K for 6 'Right of Access' Complaints
Image: HHS OCR

It's a new year, but federal regulators are beating an old HIPAA drum: The Department of Health and Human Services has hit a New Jersey medical practice with a $160,000 settlement in the agency's 46th enforcement action involving HIPAA complaint about right of access to health records.

See Also: Using the Netskope HIPAA Mapping Guide

Patients of Optum Medical Care of New Jersey - formerly known as Riverside Medical Group - had to wait up to seven months to access their medical records, according to the HHS' Office for Civil Rights resolution agreement with the entity. The practice also must implement a corrective action plan to avoid similar potential future violations of the HIPAA "right of access" provision.

The enforcement action against OMCNJ, which is a multi-specialty practice with about 150 locations in New Jersey and southern Connecticut, stems from six complaints HHS OCR received about the organization within six weeks in the fall of 2021.

The six complaints - filed in 2021 by individuals on Oct. 5, 18 and 22 and Nov. 1, 17 and 18 - each allege that OMCNJ refused to provide a copy of the individual's medical records or the complainant's minor children's medical records.

HHS OCR said its investigation into the complaints found that OMCNJ had failed to provide timely access to protected health information as required under HIPAA. In some of those instances, HHS OCR found that patients had received their requested records between 84 and 231 days after their respective requests were submitted to OMCNJ.

The HIPAA right of access provision requires that providers give access to requested medical records no later than 30 calendar days after receiving the individual's request.

"Healthcare providers must make responding to parents' or patients' request for access to their medical records in a timely manner a priority," said Melanie Fontes Rainer, director of HHS OCR, in a statement in December.

"Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law - providers must proactively respond to record requests and ensure timely access."

HHS OCR has issued 45 other enforcement actions in "right of access" disputes since launching its HIPAA compliance initiative in April 2019. "Right of access" complaints are the most common impetus for HHS OCR taking HIPAA enforcement actions.

As part of the corrective action plan, OMCNJ also must distribute its revised policies and procedures to its workforce and provide training on the HIPAA privacy rule's individual right of access to PHI.

The settlement between HHS OCR and the practice states that the agreement is not an admission of liability by OMCNJ, nor is it a concession by HHS that OMCNJ is not in violation of the HIPAA rules and not liable for civil money penalties.

In a statement, the medical group told Information Security Media Group: "Optum has long supported patients' timely access to their health information. We have addressed the cause of this issue and are sorry for any inconvenience it may have caused."

OMCNJ is a medical group within Optum, which is part of the UnitedHealth Group.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.