The number “50” represents significant milestones – birthdays, anniversaries, the years since events both tragic and inspiring. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) instituted a HIPAA “Right of Access” initiative in 2019. Through this initiative, HHS gives enforcement priority to patient complaints alleging that their providers failed to provide timely access to patient medical records. In October of 2024, OCR announced its own “50” milestone: it had brought its 50th right of access enforcement action under this HIPAA Privacy Rule initiative.

In 2019, a patient of Gums Dental Care (“Gums”), a solo Maryland dental practice, filed a complaint with OCR, alleging that Gums failed to provide her with timely access to her medical records. OCR subsequently investigated the complaint and concluded its investigation by imposing a $70,000 civil monetary penalty (CMP) for this dental right of access violation. The details of the right of access violation are provided below.

Right of Access Violation CMP: The Ask
In April of 2019, the patient requested that Gums provide her with electronically transmitted email copies of her PHI, as well as that of her minor children. Gums responded to the request the day it was made, in a manner of speaking.

Instead of providing the patient with the requested records as required by the HIPAA right of access rule, Gums provided the Complainant with a statement of… how many times each family member had visited the office. HIPAA contains no “Right to a Statement of the Number of My Visits” Rule. (A patient can reasonably infer how many times she has treated with a provider by viewing the treatment records for each date treatment was provided.)

The Complainant then filed a complaint with OCR, alleging that Gums Dental failed to provide her with the requested PHI. OCR decided to pursue the complaint with a light touch, providing Gums with technical assistance and issuing a letter of closure in early May. In its letter of closure to Gums, OCR explained the right of access requirements. The letter of closure encouraged Gums to share the right of access explanatory materials with staff as part of its workforce training. OCR also encouraged Gums to take steps necessary to prevent future noncompliance. Finally, OCR also encouraged Gums to properly and timely respond to the Complainant’s (patient’s) outstanding request for access.

Right of Access Violation CMP: Not Without a Warning
In its letter of closure, OCR also notified Gums that if OCR were to receive a subsequent complaint against Gums alleging similar noncompliance, OCR might initiate a formal investigation of that complaint.

In the meantime, the Complainant, in June, made another written request for copies of the records, expressing a willingness to accept the records either by email or by snail mail. When the Complainant did not receive her records in response to request #2, she filed a second complaint with OCR, in August. Request #3 followed, in late August. Still no records.

In October, OCR issued a data request letter to Gums, requesting data on (1) whether the Complainant received the records; and (2) a copy of Gums’ right of access policy. Gums did not respond. 

OCR subsequently submitted data requests again in October and November. Crickets. In October of 2020, a year later, OCR, not having received a response to the data requests, issued a proposed resolution agreement and corrective action plan to Gums to resolve the potential right of access violation.

Right of Access Violation CMP: An Explanation, of Sorts
After receiving the proposed resolution agreement (proposing a monetary fine in addition to a corrective action plan), Gums broke its radio silence on October 22, 2020. Dr. Anna Gumbs replied to OCR, offering a justification as to why the practice did not provide the records. The justification: the Complainant allegedly refused to pay the $25.00 flat fee to have the records mailed “certified” to her.

The HIPAA right of access provision requires that if a covered entity denies the request, in whole or in part, it must provide the requesting individual with a written denial within 30 days of the request. Dr. Gumbs’ “she didn’t pay the flat fee” line is not countenanced by the right of access rule. The right of access rule requires that a records fee be reasonable and cost-based, covering only certain limited labor, supply, and postage costs. A flat, $25 administrative fee to send records by USPS certified mail is not “cost-based.”

Dr. Gumbs then offered additional, seemingly Dateline-style explanations for not providing the records: The Complainant, Dr. Gumbs alleged, was not entitled to the records because, Dr. Gumbs claimed, the Complainant would use the records to commit insurance fraud. The Complainant, Dr. Gumbs believed, wanted to resubmit claims to a secondary insurance for services that were fully covered under Maryland Medicaid. The problem with the skullduggery accusations: the right of access rule does not recognize these allegations as reasons to deny someone their medical records. And, even if the allegations were true, (1) a provider may not require someone to provide a reason for requesting access, and (2) a patient’s rationale for requesting access, if voluntarily offered or known by the covered entity, is not a permitted reason to deny access.

Right of Access Violation CMP: Endgame
In December of 2020, OCR then issued a Letter of Opportunity (“LOO,” giggle) to Gums, in which OCR indicated Gums had violated the Privacy Rule, and was subject to a potential right of access violation CMP. Through the letter, OCR gave Gums the opportunity to submit written evidence of mitigating factors. Instead of supplying what the law recognizes as mitigating factors, Gums doubled down on its noirish “insurance fraud” claim.

Gums also threw a curveball, noting in January of 2021 for the first time that it did not have a secure website to ensure the records could be delivered electronically with adequate safeguards. (Reality: Even if the records could not be sent securely, Gums was required under the right of access rule to provide a readable hard copy of the records, or a copy in another form or format as agreed to by Gums and the Complainant. Gums made no effort to provide the records in any alternate form or format.)

As Gums did not provide evidence of mitigating factors, OCR then issued a Notice of Proposed Determination (Notice) to Gums, seeking to impose a civil monetary penalty and corrective action plan. The Notice recites a grace note of other potential noncompliance: it indicates that on July 6, 2021, the Complainant spoke with OCR and reported that her husband had attempted to schedule a dental appointment with Gums Dental, but that Dr. Gumbs refused to schedule him for such an appointment due to the Complainant’s pending complaint with OCR. As a result of the Complainant’s desire to access her own and her family’s medical records, the Complainant’s family was denied access to dental care. Denial of care in response to filing a complaint may constitute unlawful retaliation.

Gums Dental Care challenged OCR’s Notice of Proposed Determination and requested a hearing before an Administrative Law Judge (ALJ). On September 29, 2023, the ALJ imposed a $70,000 civil monetary penalty. Gums Dental Care appealed the decision, and on March 22, 2024, the Departmental Appeals Board affirmed the Decision: Gums must pay the right of access violation CMP.

In a press release accompanying the announcement of the CMP, OCR Director Melanie Fontes Rainer noted, “An essential hallmark of HIPAA is the right to patients’ timely access to their medical records. Patients should not have to make multiple requests and file complaints with HHS’ Office for Civil Rights to get their own medical records.” Fontes Rainer added, “This investigation marks OCR’s 50th right of access enforcement action. Health care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”