On October 21, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an enforcement action against Maryland-based Gums Dental Care, LLC (Gums Dental Care) for alleged violations of the HIPAA Privacy Rule’s right of access requirements. Gums Dental Care failed to provide a patient with timely access to PHI. Shortly thereafter, on November 19, 2024, OCR announced an enforcement action against Rio Hondo Community Mental Health Center (Rio Hondo), an outpatient program of the County of Los Angeles Department of Mental Health, also alleging that Rio Hondo failed to provide an individual with timely access to medical records.
Background
The HIPAA Privacy Rule grants certain rights to individuals, including the right to access and obtain a copy of their information in a timely manner. Specifically, healthcare facilities and other covered entities are required to provide access to PHI maintained in a designated record set within 30 days of receiving a request from an individual or their personal representative. OCR clearly articulates in prior guidance that this 30-day timeframe is an outer limit, encouraging covered entities to provide access as soon as possible (supported further by the information blocking rule under the 21st Century Cures Act). In 2019, OCR launched its Right of Access Initiative, which focuses enforcement efforts on the provision of access in a timely manner and at a reasonable cost. OCR emphasizes that its Right of Access Initiative is a continued enforcement priority, and its 50th and 51st Right of Access Initiative enforcement efforts serve to remind health care providers of the need for compliant processes for the provision of PHI access to patients and/or their personal representatives.
Gums Dental Care Enforcement Action
OCR imposed a $70,000 CMP against Gums Dental Care, a solo Maryland dental practice, for its failure to provide a patient with timely access to the patient’s records, as well as those of the patient’s children.
The patient submitted written requests for such records in April 2019 and again in June 2019. Gums Dental Care did not respond to requests for these records until May 2022 following OCR’s Notice of Proposed Determination, outlining its intent to pursue a CMP.
The patient submitted a complaint to OCR in May 2019; OCR reached out to the practice to provide technical assistance and closed the complaint. Ignoring the technical assistance, Gums Dental Care did not provide the records, and the patient filed a second complaint with OCR in August 2019. OCR opened an investigation, but Gums Dental Care did not respond to OCR’s data request. OCR followed up with two phone calls and sent a copy of the data request via certified mail. After receipt of OCR’s proposed resolution agreement and corrective action plan, Gums Dental Care emailed OCR, informing them that the records were not sent because the patient refused to pay the practice’s flat fee to have the records mailed via certified mail. The practice also informed OCR that it believed the patient intended to use the records to commit insurance fraud.
In March 2022, OCR issued a Notice of Proposed Determination seeking to impose a $70,000 CMP against Gums Dental Care. OCR stated that, while the Privacy Rule permits covered entities to charge reasonable, cost-based fees to cover certain limited labor, supply, and postage costs that may apply in providing requesting individuals with their records, a flat fee for sending documents via certified mail was impermissible because the complainant requested that the records be sent via email. While Gums Dental Care argued that it did not have a secure means to transmit the records electronically, OCR referenced the practice’s obligation to provide the records in an alternate form and format, which it failed to do. OCR also clarified that a covered entity may not require an individual to provide a reason for requesting access to records, and the individual’s reasons for requesting access is not a valid reason to deny access.
Gums Dental Care did not provide evidence of mitigating factors, affirmative defenses, or evidence to support a CMP waiver. However, OCR reviewed publicly available information to determine that Gums Dental Care is a solo practitioner and that the maximum CMP would be likely to impact its ability to provide services. It also considered the potential impact of the COVID-19 public health emergency on the practice and reduced the CMP from $7,676,692 (due to a finding of uncorrected willful neglect) to $70,000. Notably, OCR cited how the practice ignored OCR’s technical assistance, as well as the two data request letters.
In contrast to the enforcement action against Rio Hondo, Gums Dental Care requested a hearing before an administrative law judge. The judge agreed with OCR and imposed the $70,000 CMP. Gums Dental Care appealed the decision; however, the decision was affirmed, and OCR imposed the $70,000 CMP against the dental practice.
Rio Hondo Enforcement Action
OCR imposed a $100,000 CMP against Rio Hondo for its failure to provide a patient with timely access to medical records following multiple written and telephone requests.
On March 18, 2020, the patient submitted a valid medical records request using Rio Hondo’s paper request form. The clinic validated the requestor’s identity via her driver’s license. While Rio Hondo acknowledged receipt of the request, California’s “stay-at-home” order was issued the following day, and staff at the facility began working remotely. Certain staff began returning in May 2020, and, while the clinic informed the requestor that she could pick up her records on a particular date, they were not ready. After multiple additional attempts to gain access to her records, the patient filed a complaint with OCR on August 21, 2020. After OCR initiated an investigation, Rio Hondo sent individual her records on October 20, 2020.
In an August 31, 2022 letter, OCR provided Rio Hondo with the opportunity to settle the manner informally, which did not occur. OCR then issued a February 3, 2023, Letter of Opportunity. Rio Hondo responded to OCR’s Letter of Opportunity, but OCR determined that their arguments did not support an affirmative defense or a waiver of the CMP. Rio Hondo also did not raise any mitigating factors.
OCR issued a Notice of Proposed Determination seeking to impose a $100,000 CMP against Rio Hondo on July 16, 2024. In its July 25, 2024, letter to OCR, Rio Hondo waived its right to a hearing did not contest OCR’s Notice of Proposed Determination, and said that it would pay the $100,000 CMP.
Takeaways
The Right of Access Initiative continues to be an active area of enforcement for OCR. While the majority of Right of Access Initiative enforcement actions involve financial settlements and corresponding CAPs, OCR has shown its willingness to pursue CMPs. However, in each of these enforcement actions, OCR offered the healthcare provider an opportunity to potentially avoid a financial penalty or CMP, and neither provider took advantage of that opportunity. Gums Dental Care did not follow OCR’s technical assistance and ignored its data request. Rio Hondo did not take advantage of the opportunity to settle the matter informally with OCR. In addition to CMPs, for Gums Dental Care, its administrative hearing and subsequent appeal of that outcome likely required significant personnel and legal resources. Covered entities and business associates should strongly consider devoting their time and resources to cooperating with OCR during the initial communication stages to correct any noncompliance and to potentially avoid CMPs or financial settlements.
As with past Right of Access Initiative enforcement, OCR highlighted the length of time it took for each patient to receive their records. In the Rio Hondo matter, OCR acknowledged that only one individual was impacted, but cited the “lengthy duration of time” (156 days) before the patient received the records. OCR also discusses the more than three (3) years it took Gums Dental Care to provide records access to the individual. Covered entities should ensure that their administrative and support staff are properly trained on how to timely respond to requests from patients or their personal representatives, even during unprecedented times, such as those experienced during the COVID-19 pandemic. Training also should highlight the priority that should be given to any outreach from OCR to ensure that it receives immediate attention.
Covered entities also must analyze what they may and may not charge to provide access to PHI. Reviewing the entity’s fee requirements to ensure compliance is a somewhat easy step that may prevent a future complaint or OCR investigation. Similarly, covered entities and business associates must understand that they cannot require requesting individuals to provide the reason for records requests, nor can they deny access to records based on any reason offered by the requesting individual.