Introduction
On October 17, 2024, the Office for Civil Rights (OCR) announced a civil monetary penalty against a Maryland-based dental practice for failure to provide a patient with timely access to their medical records[1]. This settlement marks the 50th right of access case settled by the OCR, indicating that they have no intention of slowing down enforcement of a patient's right of access. This case concerns Gums Dental Care, LLC (Gums Dental), and presents several opportunities for professionals in Health Insurance Portability and Accountability Act (HIPAA) Privacy and Compliance to gain valuable insights into responding not only to a patient's request for access to their medical records, but also to the government when they come knocking.
Background
To understand why Gums Dental received a $70,000 civil monetary penalty, reviewing the basic timeline of events is an important first step. The process began in April 2019, when the patient made a written request to Gums Dental for copies of her protected health information (PHI) and the PHI of her minor children. Gums Dental provided information on how many times each of them had visited the office, but none of the other information that had been requested. On May 1, 2019, the OCR received a complaint from the patient. On May 7, 2019, the OCR provided technical assistance and informed Gums Dental of their obligation to respond to the request. Following this assistance, the individual resubmitted their request to Gums Dental but again did not receive the requested records. Shortly thereafter, the individual submitted a second complaint to the OCR. By September 2019, the OCR issued a data request letter to Gums Dental, requesting data that included whether the individual had received access to her and her children's medical records and a copy of Gums Dental's policy on providing individuals with access to medical records. Gums Dental did not respond to the data request letter. The OCR followed up on their data request twice and then sent a second copy of the data request letter via certified mail. Again, the OCR received no response. Roughly one year later, on October 1, 2020, the OCR sent a proposed resolution agreement and corrective action plan to Gums Dental to resolve the potential HIPAA right of access violation. On October 22, 2020, Dr. Anna Gumbs of Gums Dental emailed the OCR, justifying her refusal to provide the medical records to the complainant by asserting that the individual had refused to pay a flat fee of $25 to have the records sent via certified mail. Dr. Gumbs later requested to present her case before a judge, reiterating that the requesting individual had refused to pay the $25 fee. She also claimed that she believed the individual intended to resubmit claims to a secondary insurance provider for services covered under Maryland Medicaid, in an attempt to commit insurance fraud. The OCR ultimately issued a Letter of Opportunity to Gums Dental, outlining their failure to comply with the Privacy Rule. Gums Dental responded to the Letter of Opportunity, again stating their rationale for not responding to the patient's request. According to the OCR, Gums Dental's response did not provide any evidence of mitigating factors or affirmative defenses under 45 C.F.R. § 160.408 or 45 C.F.R. § 160.410, respectively. Considering the above, the OCR announced the civil monetary penalty on October 17, 2024[2].
What could Gums Dental have done?
Gums Dental could have:
- Adequately responded to the patient's request for her and her children's medical records by providing all requested information.
  - Individuals have the right to inspect and obtain a copy of their PHI if it is maintained in the designated record set and is not otherwise subject to an exception.
- Provided the requested information within the response times permitted by the Privacy Rule and Maryland state law[3].
- Adequately implemented the May 2019 technical assistance letter and responded to the OCR's September and November 2019 data requests.
  - The OCR cited the lack of response to communications as a factor that influenced the amount of the civil monetary penalty.
- Billed an appropriate fee for the electronic copy of the patient's PHI.
  - The Department of Health and Human Services has provided guidance that, in the case of requests for an electronic copy of PHI maintained electronically, flat fees are not to exceed $6.50[4].
Takeaways
There are tangible ways to avoid a similar outcome:
- Respond to patients' requests for access in a timely manner, whether the request is accepted or denied.
  - The Privacy Rule allows covered entities up to 30 days to respond to a request for access and permits a 30-day extension if necessary[5].
  - HIPAA Privacy professionals should also be aware of any relevant state laws that may be more restrictive than the Privacy Rule.
- Document a policy and standard operating procedure for responding to any patient request for access. This process should include understanding the intricacies of responding to requests by parents, legal guardians, and individuals who are acting on behalf of a patient.
  - A HIPAA Authorization is not required when the request is a right of access request.
- Understand the form and format in which the records are being requested.
  - The Privacy Rule states that if a covered entity grants access, it must provide access in the form and format requested by the individual.
- Understand that reasonable, cost-based fees can be charged by a covered entity. This fee may include costs for copying, supplies, postage, and preparing an explanation or summary if agreed to by the individual. Such fees are limited for providing electronic copies of records that are maintained electronically.
- When the OCR comes knocking, answer the door. Failure to do so can result in increased risk, reputational damage, and even more severe monetary penalties, as demonstrated above.