OCR Imposes $70,000 CMP on Maryland Dental Practice for HIPAA Right of Access Violation
The HHS’ Office for Civil Rights (OCR) has imposed a $70,000 civil monetary penalty on a Maryland dental practice for failing to provide a patient with timely access to her dental records and those of her children.
The enforcement action stemmed from a complaint from a patient of Gums Dental Care in Silver Springs, Maryland on May 1, 2019. The complainant alleged she had not been provided with her and her children’s records, despite submitting a request for an electronic copy of the records on or around April 8, 2019. The dental practice responded to the email but did not provide the requested records.
OCR provided technical assistance to Gums Dental Care on May 7, 2019, regarding compliance with the HIPAA Right of Access and closed the case. The complainant sent a further request for the records on June 26, 2019, asking again for an electronic copy via email or a paper copy of the records. OCR received a second complaint on August 2, 2019, as the requested records had still not been provided. OCR reopened the case and informed Gums Dental Care about the second complaint, issuing a data access request as part of a formal investigation. OCR did not receive a response to the request nor to two subsequent phone requests and issued a proposed resolution agreement and a corrective action plan.
Practice owner Dr. Anna Gumbs responded and informed OCR that the reason the requested records had not been provided was that the patient had refused to pay a $25 administration fee to have the records sent by certified mail. Dr. Gumbs said records could not be provided securely via email due to technical limitations. Dr. Gumbs also told OCR that the request had been denied because the patient was planning to use the records to make a fraudulent claim with a secondary insurance provider. The dental services had already been fully covered by Maryland Medicaid.
HIPAA-covered entities are permitted to charge patients a reasonable, cost-based fee for providing a copy of the requested records; however, in this case, OCR determined that the fee was not reasonable or appropriate as the patient had requested the records be sent via email. The denial of a HIPAA Right of Access request was not permitted under the HIPAA Privacy Rule, as there is no exception for denying a request to prevent fraudulent use of the records, even if a patient voluntarily discloses the reason for the records request or if a HIPAA-covered entity otherwise knows the reason for the request.
Dr. Gumb challenged OCR’s Notice of Proposed Determination and requested a hearing before an Administrative Law Judge (ALJ), who imposed a $70,000 civil monetary penalty. The ALJ’s decision was appealed, but the Departmental Appeals Board affirmed the decision and the $70,000 penalty stands. The fine brings the total collections from OCR’s HIPAA enforcement actions up to $6,415,200 this year.
“An essential hallmark of HIPAA is the right to patients’ timely access to their medical records. Patients should not have to make multiple requests and file complaints with HHS’ Office for Civil Rights to get their own medical records,” said OCR Director Melanie Fontes Rainer. “This investigation marks OCR’s 50th right of access enforcement action. Health care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”
