Podiatry HIPAA Fine

On Friday afternoon, July 15, 2022, the Department of Health and Human Services Office for Civil Rights announced 11 enforcement actions against healthcare providers across the country for alleged violations of the HIPAA Privacy Rule right of access provisions.

Buried within the various resolutions and corrective action plans were notices of proposed determination and final determination for ACPM Podiatry Group Ltd. and Dr. Anthony DeCeanne. The practice was hit with a $100,000 civil monetary penalty (CMP). The maximum CMP amount that could have been imposed on ACPM with regard to the violation described is $3,571,302. 

One mitigating factor mentioned in the determination was the global pandemic and its effect on healthcare operations. How much of a role did that play in OCR’s CMP decision?

Following the Facts

Based on the Findings of Facts outlined by OCR, ACPM’s actions appear to have clearly violated the right of access provisions of the HIPAA Privacy Rule.

The original request for records was submitted in writing by a former ACPM patient on November 13, 2018. The patient filed a complaint with OCR in April 2019.

OCR notified the former patient by letter dated April 18, 2019, that the investigation had been informally closed by providing technical assistance to ACPM. The letter directed the Complainant to contact OCR if he continued to experience the issues described in his complaint.   

On May 19, 2019, OCR received a second complaint from the Complainant alleging that ACPM still had not provided him with a copy of his medical records. Reasons given by the practice for not releasing the records included lack of time due to scheduled surgeries and non-payment for services by the patient’s insurance company.

The patient stated that he needed the requested medical records to appeal an unfavorable decision made by his health insurance company for the payment of a bill related to treatment provided by ACPM. The deadline to appeal his health insurance company’s determination was July 2, 2019.

On June 14, 2019, OCR notified ACPM in writing by certified mail of the May 19, 2019 complaint and issued a data request. The data request included a request for information from ACPM, including whether ACPM provided the Complainant with the requested medical records and a copy of ACPM’s policy regarding providing access to medical records.

OCR requested that ACPM respond to OCR’s data request letter by June 29, 2019. ACPM did not respond to the data request by June 29, 2019. The practice also did not respond to requests by OCR investigators for information and cooperation on multiple occasions.

The patient notified OCR that he had received an incomplete copy of his medical records on July 23, 2020, 618 days after the initial written request and after the deadline to appeal the insurance company’s determination.

Let’s Simplify Compliance

Avoid HIPAA violation fines. Become compliant today!

Learn More!
HIPAA Seal of Compliance

A Failure to Communicate

One key fact that stands out from the information contained in the Notice of Final Determination is that there was very little communication between ACPM and OCR and its investigators. Take a look at the documented efforts to communicate by OCR.

  • 4/8/2019 – Technical Assistance Letter Sent to ACPM – No Response
  • 6/14/2019 – Letter Sent to ACPM with a request for data response – No Response
  • 7/2/2019 – Follow-up call to ACPM by OCR – Employee acknowledged receipt of letter
  • 7/9/2019 – 2nd Call to ACPM by OCR – Employee acknowledged receipt of letter
  • 7/19/2019 –  Certified letter sent to ACPM requesting information data response and instructing them to contact the assigned investigator – No Response
  • 11/9/2020 – Email and Certified Letter of Opportunity sent by OCR with a 10-day deadline to respond – Delivery Receipt Received.
    No Response

As of July 13, 2022, ACPM has not responded to OCR’s efforts to communicate. The agency was forced to use records of Medicare payments to the practice from 2014-2020 to determine its financial condition.

The COVID Factor

While the provider failed to communicate in any way with OCR, they did include the following comment in the Factors Considered to Determine the Amount of the CMP.

“While ACPM did not provide any evidence of mitigating factors for OCR to consider in proposing a CMP, OCR also considered the impact of the COVID-19 public health emergency on the health care industry; OCR is using the discretion contemplated by 45 C.F.R. § 160.408 (d) and (e), to propose a reduced CMP of $100,000.”

Federal code 45 C.F.R. § 160.408 (d) and (e) gives wide latitude to OCR when setting CMPs. These factors can include the history of prior compliance, the number of individuals affected, the financial condition of the organization being investigated, and the catch-all phrase, “Such other matters as justice may require.”

How Does This Fine Compare?

William Roberts is a data privacy and cybersecurity attorney with Day Pitney LLP law firm based out of the firm’s Hartford, Connecticut office. He’s worked with clients facing OCR investigations and isn’t surprised by the outcome of this case.

“This enforcement action is a good reminder that a primary goal of OCR is ensuring providers, particularly small providers like this, have the tools and knowledge necessary to comply with HIPAA and ensure that their patients’ rights are satisfied,” said Roberts. 

“At least initially, the goal here wasn’t to punish the practice but to help the practice help its patient. This enforcement action is yet another reminder that OCR continues to be very focused on HIPAA’s right of access. All providers mu