Eye-popping fines over violations of the right of access portion of the federal HIPAA healthcare law aren’t exactly common, and a recent slate of fines and settlements shows that most healthcare providers can avoid six-figure penalties by simply trying to do the right thing.
The Department of Health and Human Services Office for Civil Rights (OCR) announced 11 enforcement actions against healthcare providers across the country for alleged violations of the HIPAA privacy rule right of access provisions in June 2022.
Buried within the various resolutions and corrective action plans were notices of proposed determination and final determination for ACPM Podiatry Group and Dr. Anthony DeCeanne. The practice was hit with a $100,000 civil monetary penalty (CMP). The maximum CMP amount that could have been imposed on ACPM with regard to the violation described is about $3.6 million.
One mitigating factor mentioned in the determination was the global pandemic and its effect on healthcare operations. How much of a role did that play in OCR’s CMP decision?
Following the facts
Based on the Findings of Facts outlined by OCR, ACPM’s actions appear to have clearly violated the right of access provisions of the HIPAA privacy rule.
The original request for records was submitted in writing by a former ACPM patient Nov. 13, 2018. The patient filed a complaint with OCR in April 2019.
OCR notified the former patient by letter dated April 18, 2019, that the investigation had been informally closed by providing technical assistance to ACPM. The letter directed the complainant to contact OCR if he continued to experience the issues described in his complaint.
On May 19, 2019, OCR received a second complaint from the complainant alleging that ACPM still had not provided him with a copy of his medical records. Reasons given by the practice for not releasing the records included lack of time due to scheduled surgeries and non-payment for services by the patient’s insurance company.
The patient stated that he needed the requested medical records to appeal an unfavorable decision made by his health insurance company for the payment of a bill related to treatment provided by ACPM. The deadline to appeal his health insurance company’s determination was July 2, 2019.
On June 14, 2019, OCR notified ACPM in writing by certified mail of the May 2019 complaint and issued a data request. The data request included a request for information from ACPM, including whether ACPM provided the complainant with the requested medical records and a copy of ACPM’s policy regarding providing access to medical records.
OCR requested that ACPM respond to OCR’s data request letter by June 29, 2019. ACPM did not respond to the data request by that date. The practice also did not respond to requests by OCR investigators for information and cooperation on multiple occasions.
The patient notified OCR that he had received an incomplete copy of his medical records July 23, 2020, 618 days after the initial written request and after the deadline to appeal the insurance company’s determination.
A failure to communicate
One key fact that stands out from the information contained in the notice of final determination is that there was very little communication between ACPM and OCR and its investigators. Take a look at the documented efforts to communicate by OCR.
| Date | Action | Response |
| --- | --- | --- |
| 4/8/2019 | Technical assistance letter sent to ACPM | No response |
| 6/14/2019 | Letter sent to ACPM with a request for data response | No response |
| 7/2/2019 | Follow-up call to ACPM by OCR | Employee acknowledged receipt of letter |
| 7/9/2019 | Second call to ACPM by OCR | Employee acknowledged receipt of letter |
| 7/19/2019 | Certified letter sent to ACPM requesting information data response and instructing them to contact the assigned investigator | No response |
| 11/9/2020 | Email and certified letter of opportunity sent by OCR with a 10-day deadline to respond | Delivery receipt received. No response |
As of July 13, ACPM has not responded to OCR’s efforts to communicate. The agency was forced to use records of Medicare payments to the practice from 2014-20 to determine its financial condition.
The Covid factor
While the provider failed to communicate in any way with OCR, the office did include the following comment in the factors considered to determine the amount of the CMP:
“While ACPM did not provide any evidence of mitigating factors for OCR to consider in proposing a CMP, OCR also considered the impact of the COVID-19 public health emergency on the health care industry; OCR is using the discretion contemplated by 45 C.F.R. § 160.408 (d) and (e), to propose a reduced CMP of $100,000.”
Federal code 45 C.F.R. § 160.408 (d) and (e) give wide latitude to OCR when setting CMPs. These factors can include the history of prior compliance, the number of individuals affected, the financial condition of the organization being investigated, and the catch-all phrase, “Such other matters as justice may require.”
How does this fine compare?
William Roberts, a data privacy and cybersecurity attorney with Day Pitney in the firm’s Hartford, Connecticut office, has worked with clients facing OCR investigations and isn’t surprised by the outcome of this case.
“This enforcement action is a good reminder that a primary goal of OCR is ensuring providers, particularly small providers like this, have the tools and knowledge necessary to comply with HIPAA and ensure that their patients’ rights are satisfied,” Roberts said.
“At least initially, the goal here wasn’t to punish the practice but to help the practice help its patient. This enforcement action is yet another reminder that OCR continues to be very focused on HIPAA’s right of access. All providers must ensure that they are familiar with HIPAA’s right of access rules and have procedures in place to comply.”
Two settlements that seem to illustrate this point were announced on the same day as the ACPM notice. Coastal Ear Nose and Throat (ENT) in Florida failed to respond to multiple requests for records from a patient, and Danbury Psychiatric Consultants (DPC) in Massachusetts failed to respond in a timely manner and withheld access to records on the basis that the patient had an outstanding balance.
Both organizations reached a settlement with OCR that includes a corrective action plan to address issues discovered during the investigation, including training of employees. In addition, Coastal also agreed to pay $20,000 to OCR, while DPC agreed to a $3,500 settlement.
The most recent case with solid similarities to ACPM is that of Dr. Robert Glaser, a Long Island cardiologist. In a statement at the time, HHS noted that Glaser “did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.”
While some of the details of both cases seem interchangeable, Roberts cautions other practitioners against using either as a role model.
“What was probably most frustrating to OCR is that the practice apparently didn’t show a good-faith effort to comply with HIPAA or cooperate with OCR,” Roberts said.
“For the most part, OCR is not an unreasonable agency, but when you ignore them and don’t take HIPAA seriously, you shouldn’t be surprised when a six-figure penalty is issued. Federal investigations into potential violations of law are serious matters and should be treated as such.”