OCR Announces 50th HIPAA Right of Access Penalty
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 9th financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. A civil monetary penalty of $70,000 has been imposed on the Silver Spring, MD, dental practice Gums Dental Care for failing to provide a patient with timely access to her and her children’s medical records. This is the 50th HIPAA Right of Access enforcement action to result in a financial penalty since OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019.
The complainant sent a written request to Gums Dental Care on or around April 8, 2019, requesting copies of her protected health Information (PHI) and the PHI of her children. She requested the records be sent to her electronically via email and received a reply the same day confirming how many times each of them had visited the dental practice but was not provided with the requested records. She filed a complaint with OCR on May 1, 2019, after no records had been received. OCR provided technical assistance to Gums Dental Care on May 7, 2019, on the HIPAA Right of Access and closed the case.
The technical assistance encouraged Gums Dental Care to share the technical assistance material with its staff, assess and determine whether the complainant’s claim was factual, and provide the requested records to the complainant swiftly if it was appropriate to do so. Gums Dental Care was also informed that if OCR received a further complaint, a formal investigation may be launched. The complainant filed another request with Gums Dental Care on June 26, 2019, via email and stated that she would accept emailed records or a paper copy in the mail; however, no records were received. A second complaint was filed with OCR on August 2, 2019, and the complainant made a third request to Gums Dental Care for the records on August 26, 2019.
OCR notified Gums Dental Care about the second complaint and issued a data request letter on September 5, 2019, but did not receive a response to that request. OCR did receive a response to the proposed resolution agreement and corrective action plan. Practice owner Dr. Anna Gumbs responded and stated that the requested records were not provided because the complainant refused to pay an administration fee of $25 to have the records sent by certified mail. She also stated that it was her belief that the complainant would use the records to commit insurance fraud – resubmitting claims to a secondary insurance provider for services that were fully covered under Maryland Medicaid.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
While HIPAA-covered entities are permitted to charge a reasonable, cost-based fee for certain labor, supply, and postage costs, the $25 fee was inappropriate as the complainant had requested the records be sent via email. OCR also confirmed that even if the complainant had voluntarily stated she intended to commit insurance fraud or if intended fraud was otherwise known to the practice, it is not a valid exception under the HIPAA Privacy Rule and cannot be the basis of a denial of a Right of Access request.
Gums Dental Care was informed of the decision to impose a civil monetary penalty for a violation of the HIPAA Right of Access and was given the opportunity to submit evidence to support a waiver of the penalty. Dr. Gumbs stated that she was attempting to prevent insurance fraud and could not send records via email as she did not have a secure website with adequate safeguards to ensure the secure delivery of the medical records.
“Gums Dental’s assertion that they do not have a secure website, and therefore could not provide the requested records by email does not relieve Gums Dental [from] the right of access requirement to provide the Complainant with the requested records,” explained OCR. “There was no evidence provided that Gums Dental attempted to provide the records in any other alternate form and format. Rather, Gums Dental failed to provide the records at all.” A financial penalty of $70,000 was calculated and approved by the Attorney General of the United States.
Dr. Gumb challenged OCR’s Notice of Proposed Determination and requested a hearing before a judge; however, the judge agreed with OCR’s determination and imposed a $70,000 civil monetary penalty. Dr. Gumb appealed the judge’s decision but was unsuccessful. The Departmental Appeals Board affirmed the judge’s decision and OCR imposed the $70,000 penalty.
