On November 30, 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of five HIPAA right of access investigations. OCR settled four right of access complaints, with providers in Ohio, Colorado, Oregon and North Carolina. OCR imposed a civil monetary penalty (CMP) on a fifth provider, a cardiologist in Long Island (New Hyde Park), New York. OCR imposed a penalty on this provider, instead of settling, because of the provider’s failure to cooperate with OCR over a multi-year investigation. Providers are required under the HIPAA Privacy Rule’s right of access standard to provide patients with timely access (within 30 days of a request) to their medical records. The details of each HIPAA right of access complaint, and their resolutions are provided below.
The Four HIPAA Right of Access Complaints Settlements
Advanced Spine and Pain Management
Advanced Spine & Pain Management (ASPM) located in Cincinnati and Springboro, Ohio, is a provider of chronic pain management and treatment services. In November of 2021, an ASPM patient filed a complaint with OCR, alleging that ASPM had not provided him with timely access to his PHI. HHS then investigated. During the investigation, ASPM acknowledged that it received the patient’s request on the date the patient sent it. However, ASPM did not send the requested PHI until four months later. As a result, to avoid incurring a Privacy Rule right of access civil monetary penalty, ASPM entered into a resolution agreement with OCR. Under the terms of the agreement, ASPM has agreed to pay OCR $32,150, and to submit to a two-year corrective action plan (CAP).
Denver Retina Center (DRC)
Denver Retina Center provides retinal ophthalmology services in Glendale, Colorado. A DRC patient filed a complaint with OCR in the summer of 2019, alleging that DRC ignored her December, 2018 request for access to her medical records. In her complaint, the patient noted that she previously filed a complaint, in March of 2018, alleging an earlier right of access violation. OCR closed out that complaint by providing technical assistance to DRC. In response to the July 2019 investigation, DRC admitted that it was late in responding to the complaint – by almost seven months. DRC appears to have turned a blind eye to fully cooperating with OCR, as it failed to simply confirm the date of the December, 2018 request. OCR, upon investigation, concluded that DRC failed to have sufficient written policies and procedures related to providing timely access to PHI under the right of access standard. To illuminate the importance of the right of access, OCR entered into a resolution agreement with DRC. Under the agreement, DRC must pay $30,000 to HHS and undergo a two-year corrective action plan.
Rainrock Treatment Center
Rainrock Treatment Center, LLC, doing business as Monte Nido Rain Rock (“Monte Nido”), is a licensed provider of residential eating disorder treatment services in Eugene, Oregon. Monte Nido and its affiliates provide residential and intensive outpatient eating disorder and exercise addiction treatment programs, located in California, Oregon, New York, Massachusetts, and Pennsylvania. Between December of 2019 and February of 2020, OCR received three complaints from a Monte Nido patient. The complaints alleged that Monte Nido failed to provide the patient with her medical records after she requested these records in October and then again in November of 2019. Monte Nido finally forwarded the records in late May of 2020. HHS, as part of a resolution agreement settling the potential right of access violation, has agreed to accept a $160,000 resolution amount from Monte Nido, which has also agreed to comply with a one-year CAP.
Wake Health Medical Group
Wake Health Medical Group (Wake) is a small practice in Raleigh, North Carolina. Wake offers primary care services. Wake also offers cosmetic full body skin exams, biopsy, massage, and laser treatment services. In late June of 2019, a Wake patient requested a copy of her medical records, for which Wake charged $25. OCR, upon the patient’s complaint alleging failure to provide the records, learned that Wake charges all of its patients a flat fee of $25 for a copy of their medical records. HHS’ investigation indicated that Wake failed to provide timely access to PHI – in this case, no access, even after receiving $25. HHS and Wake agreed to resolve the patient’s complaint. Under the Resolution Agreement, Wake has agreed to pay $10,000 to HHS, and to enter into a two-year CAP. Under the CAP, Wake must develop policies and procedures to address the Privacy Rule right of access standard. In these policies and procedures, on which Wake must train its employees, Wake must, per OCR instruction, identify its methods for calculating a reasonable-cost based fee for access to PHI. The charge of $25 is a stretch under HIPAA. Under the right of access standard, a flat, $25 fee untethered to the actual costs of labor for copying, supplies, postage, and preparation of any requested PHI explanation or summary, is impermissible (so is taking the money and not providing the records).
The Fifth HIPAA Right of Access Complaint: Dr. Robert Glaser
Dr. Robert Glaser owns and operates a cardiology practice in New Hyde Park, New York, on the north shore of Long Island. The facts of this case are, one can hope, extraordinary. The determination in this case is a civil monetary penalty (CMP) of $100,000. OCR’s Notice of Final Determination imposing that penalty contains three pages of “Findings of Fact,” recounting the non-responsiveness of Dr. Glaser to both a former patient’s request for PHI and to OCR’s investigations of the complaint.
The OCR webpage announcing the five complaint resolutions summarizes the Dr. Glaser matter succinctly: “Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.” A former Dr. Glaser patient filed a complaint in 2017 over Dr. Glaser’s failure to respond to his verbal and written requests for access to his medical records from 2013 to 2014. OCR then closed out the complaint, reminding Dr. Glaser to provide access to the requests that met the requirements of the right of access standard.
(The obligations of the patient under the standard are not exactly exacting. Under the right of access standard, a provider must permit an individual to request access to inspect or to obtain a copy of his or her PHI contained in a designated record set. The provider may require that the request be in writing, as long as the provider lets the individual know of any such requirement in advance.)
Dr. Glaser did not provide the records. By the end of December of 2018, OCR had contacted Dr. Glaser’s office once by fax, twice in writing, and three times by phone, of his obligations both to comply with the right of access standard and to respond to OCR’s unanswered inquiries about that compliance.
In April of 2019, OCR requested that Dr. Glaser provide a written response to the complaint; a copy of his office policies and procedures on the right of access standard; a copy of his Notice of Privacy Practice, and documentary assurance that workforce members were provided with training on these policies and procedures. OCR also requested a copy of Dr. Glaser’s most recent quarterly balance sheet, income statement, and cash flows, as well as a copy of the most recent full-year audited financial statements, and copy of his most recent tax returns. Dr. Glaser ignored the communication. He also ignored a subsequent September, 2019 proposed resolution agreement and CAP. OCR gave Dr. Glaser’s office one more chance to voluntarily resolve the matter by signing the proposed resolution agreement and corrective action plan, and by paying the resolution amount of $100,000. Dr. Glaser did not respond.
Because Dr. Glaser also failed to respond to OCR’s November, 2019 Letter of Opportunity that gave him the option to submit written evidence of mitigating factors to the noncompliance, OCR, with the U.S. Attorney General’s authorization, imposed the $100,000 civil monetary penalty in May of 2021. OCR issued the penalty for Dr. Glaser’s willful neglect of his HIPAA obligations. OCR found that this neglect continued from February 13, 2018, through the end of 2020. The Notice of Final Determination – the May, 2021 letter imposing the penalty – makes no mention of Dr. Glaser ever having provided the record.
When OCR sat down to determine the amount of the penalty to assess, the daily penalty amount for a willful neglect violation was a little over $59,522 per day. An ongoing violation continuing for over 800 days might have merited a hefty fine, all other things being equal. However, HIPAA regulations authorize HHS to take an entity’s financial condition into account when imposing a CMP. Under the same regulations, OCR may, in its discretion, impose less than the maximum fine if OCR finds that the maximum fine would likely impact the ability of a provider to continue to operate. Through public information and public record, OCR learned that Dr. Glaser was a solo practitioner. OCR, when imposing the CMP, exercised its discretion to limit the fine to $100,000.
In announcing the five resolutions, OCR Director Lisa J. Pino noted, lest one get the idea that noncompliance is rewarded by getting a discount, “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”