On October 21, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a civil monetary penalty (“CMP”) of $70,000 against a solo dental practice that provides family dental care, Gums Dental Care, LLC (“GDC”), based on a complaint that GDC failed to provide a patient with timely access to their medical records. In this instance, according to OCR, the complainant refused to pay the $25.00 fee requested by GDC for dental records.
What You Need to Know:
- Patients are entitled to timely access to copies of their dental and medical records under HIPAA.
- OCR will enforce patient rights through the Right of Access initiative.
- HIPAA-covered entities should review their policies and procedures to confirm that they have processes in place to ensure individuals receive timely access to copies of their dental and medical records.
The OCR Right of Access initiative requires that individuals (or their personal representatives) be given timely access to their health information (within 30 days, with the opportunity for a 30-day extension) for a reasonable, cost-based fee. This is the 50th HIPAA Right of Access enforcement action.
OCR initially received a complaint alleging that GDC had failed to provide the complainant access to her and her children’s medical records. In response to the complaint, OCR sent a technical assistance letter notifying GDC of its obligation to respond to requests pursuant to 45 CFR 164.524 and closed the complaint. OCR’s letter encouraged GDC to share the technical assistance materials with its staff as part of its HIPAA workforce training and to take any steps necessary to ensure noncompliance does not occur in the future. OCR notified GDC that should it receive a similar allegation of noncompliance against it in the future, OCR may initiate a formal investigation of that matter.
Shortly thereafter, the complainant filed a second complaint alleging GDC had still not provided the complainant with access to the requested records. OCR commenced an investigation and concluded that GDC failed to take timely action in response to the patient’s right of access request. OCR noted that the complainant submitted written requests for the dental records in April 2019, and again in June 2019, but GDC did not attempt to provide the records until May 2022.
In October 2020, GDC sent an email to OCR stating its justification for not providing the medical records to the complainant, asserting that the complainant refused to pay a flat fee of $25.00 to have the medical records mailed certified to the complainant. GDC also informed OCR that it believed the complainant would use the requested records to commit insurance fraud.
OCR noted that a HIPAA-covered entity may charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. In this instance, the complainant requested that the medical records be sent electronically via email and therefore OCR noted a $25.00 administrative flat fee to mail the records via certified mail would not be permissible for providing access under the Privacy Rule.
In determining the amount of the CMP against GDC, OCR considered the following factors:
- The nature and extent of the harm resulting from the violation. OCR noted that GDC refused to schedule the complainant’s husband for a dental appointment due to the pending OCR complaint, and that her family is being denied access to medical care.
- The nature and extent of the violation. GDC failed to comply with complainant’s multiple requests for access to her and her children’s medical records, failed to remedy the potential violation when it was brought to GDC’s attention through the technical assistance letter and, according to OCR, GDC had not provided the requested records or provided any evidence of implementing corrective actions to prevent this type of violation from occurring in the future.
- GDC’s history of HIPAA compliance. The incidents with this one patient/family were OCR’s only evidence of noncompliance.
- GDC’s financial condition. Even though GDC is a solo provider, GDC elected to not cooperate with the OCR investigation relating to its financial condition.
OCR noted the violations ran from August 26, 2019, to March 29, 2022, and proposed a daily penalty of $63,973 because of GDC’s willful neglect. However, OCR noted, “The imposition of the maximum CMP would likely impact the ability of [GDC] to provide dental care to its service area. Additionally, given the potential impact of the COVID-19 public health emergency on [GDC], OCR is using the discretion contemplated by 45 C.F.R. § 160.408(d) and (e), to impose a reduced CMP of $70,000.”
In March 2022, OCR issued a Notice of Proposed Determination (“NPD”) seeking to impose a $70,000 civil monetary penalty. GDC challenged the NPD and requested a hearing before an Administrative Law Judge (ALJ). In September 2023, the ALJ imposed a $70,000 CMP. GDC appealed the decision, and in March 2024, the HHS Departmental Appeals Board affirmed the decision, and OCR imposed the $70,000 CMP in a Notice of Final Determination.
This GDC matter took more than five years to resolve. Undoubtedly it was a very costly endeavor, especially when considering GDC had requested a $25 payment for the dental records.
OCR has been aggressive in enforcing individuals’ rights pursuant to the Right of Access initiative. HIPAA-covered entities should confirm that their policies and procedures provide for timely access to records when requested by an individual and that there is an internal mechanism to ensure compliance. It is much easier and more cost-effective to reply promptly to an individual’s request for records than to engage with OCR for an extended period of time and potentially face an expensive civil monetary penalty, as was the result for GDC.