The ongoing enforcement effort from the HHS Office for Civil Rights (OCR) around the HIPAA right of access continues to run in full swing. The continuous enforcement actions reflect a number of different issues. One, organizations are still not appropriately responding to requests or implementing appropriate policies for responding. Two, OCR understands the reality of non-compliance and is attempting to drive better action on respecting rights under the regulations. Three, a murky situation is not clearing up despite heightened attention to the right of access.
The Latest Settlements
After a bit of a break (from early September to the end of November), OCR resolved five more instances of organizations not timely responding to or meeting the right of access contained in the HIPAA Privacy Rule. Can anything be learned from the typically sparse details contained in each settlement? That may be in the eye of the beholder, but an effort will at least be made.
- Advanced Spine and Pain Management (ASPM) – According to OCR, ASPM received a request from a patient for a copy of their records on November 25, 2019. ASPM did not send the requested records until March 19, 2020. No other background is provided, but the delay of just under three months resulted in ASPM paying $32,150 to resolve the non-compliance. What else was going on with ASPM’s compliance program?
- Denver Retina Center (DRC) – The background facts provided in the DRC resolution are arguably among the most detailed provided by OCR yet. A patient submitted a complaint to OCR about the delay in receiving records on June 24, 2019. The patient stated that a record request was submitted in December 2018. Of note, the patient stated to OCR that a prior complaint had been submitted to OCR on March 11, 2018 and the prior complaint was reportedly closed following technical assistance to DRC. Despite the earlier technical assistance, following an investigatory demand from OCR, DRC admitted to OCR that it was late in responding to the patient. DRC finally sent the requested records by FedEx on July 26, 2019 (a month after the complaint and a little over a week after the date of the investigatory demand). As a result of the investigatory demand, OCR determined that DRC did not have compliant policies and procedures governing its right of access process. Despite all of those issues, the settlement amount was only $30,000. That is less than ASPM paid, even though ASPM did not have the history of issues, at least according to the resolution agreement.
- Rainrock Treatment Center d/b/a Monte Nido Rainrock (Monte Nido) – A patient sent three separate complaints to OCR (December 4, 2019, January 28, 2020, and February 20, 2020) after Monte Nido did not respond to access requests sent on October 1, 2019 and November 21, 2019. OCR stated that Monte Nido finally sent the records on May 22, 2020. No other information is provided. The delay translated to a settlement payment of $160,000.
- Wake Health Medical Group (WHMG) – A patient submitted a complaint on December 19, 2020 that WHMG had not yet responded to a request for records sent by the patient on June 27, 2019. The patient also reported having already paid a $25 fee imposed by WHMG. As part of its investigation, OCR spoke to a WHMG receptionist on April 15, 2021 and learned that WHMG charges all patients a flat fee of $25 to get a copy of their records. OCR also reported that as of the date of the settlement (no date is clearly stated, but the announcement occurred on November 30, 2021), WHMG had yet to provide the patient with the requested records. Despite the ongoing non-compliance, WHMG only had to pay a resolution amount of $10,000.
- Dr. Robert Glaser (Dr. Glaser) – The fifth resolution announced by OCR on November 30, 2021 was actually the imposition of a civil monetary penalty of $100,000. The penalty was being imposed because no resolution had been mutually agreed upon. As the background will help demonstrate, Dr. Glaser did not participate in the investigation. The different regulatory approach resulted in a more detailed factual recitation. The tale provides a pretty good example of what not to do when being investigated by OCR:
  - A former patient submitted a complaint to OCR on November 9, 2017 that Dr. Glaser failed to respond to multiple verbal and written requests for access across 2013 and 2014.
  - OCR closed an investigation at that point on December 15, 2017 after advising Dr. Glaser to assess the patient’s complaint and determine if any non-compliance occurred as well as encouraging Dr. Glaser to provide the records if the requests met the requirements of the Privacy Rule. (The described response of OCR is why many patients feel that OCR did not take the right of access seriously enough until very recently. As OCR itself writes, Dr. Glaser was instructed to determine if he was not complying with HIPAA’s requirements and OCR did not even force the records to be produced at that time.)
  - Unsurprisingly, the patient submitted a second complaint on March 20, 2018 that Dr. Glaser had still not sent the records. The patient even provided proof that the patient’s new doctor sent unfulfilled requests for the records on May 28, 2017, June 28, 2017, and January 15, 2018.
  - Finally taking some more serious action, OCR sent an investigative demand to Dr. Glaser on August 15, 2018. The demand sought fairly standard information about Dr. Glaser’s policies and procedures and training. The letter required a response within 14 days (also standard).
  - On August 21, 2018, OCR called Dr. Glaser’s office to ask about the status of the response. Dr. Glaser’s office reported that no letter had been received. A copy was then faxed.
  - After receiving no response, OCR called again on September 4, 2018 at which point OCR actually spoke to Dr. Glaser. An extension request until September 13, 2018 was granted. No response was sent.
  - The lack of response by Dr. Glaser was the start of an ongoing pattern. OCR reached out to Dr. Glaser’s office by phone and mail repeatedly, including on September 27, 2018, December 7, 2018, April 5, 2019, and September 13, 2019. The final letter on September 13, 2019 informed Dr. Glaser that OCR’s investigation had been completed and a proposed resolution agreement was included.
  - On September 18, 2019, Dr. Glaser’s office manager spoke to OCR’s regional office about the resolution agreement. The office manager claimed that Dr. Glaser would be informed of the conversation. No follow up occurred.
  - On November 4, 2019, OCR sent Dr. Glaser a Letter of Opportunity to object to OCR’s findings. No response was ever received from Dr. Glaser.
  - OCR finally obtained authorization from the Attorney General to issue the Notice of Proposed Determination and impose the civil monetary penalty.
  - As noted above, the penalty imposed was $100,000. OCR noted that the amount reflected its discretion to not seek a higher penalty over concern about impacting Dr. Glaser’s ability to continue providing care.
As usual, it is hard to understand OCR’s thought process in setting the settlement amounts. The factual backgrounds provided show a range of misconduct. However, the monetary amount of the settlements is hard to align with some of the factual scenarios. Taking Dr. Glaser as a prime example, it is understandable that OCR does not want to put a practice out of business, but the complete failure to engage in the process would seem to call for a more serious penalty. However, at least it was one of the higher penalties imposed in the most recent batch of actions.
By contrast, the Monte Nido and WHMG settlements just result in some head-scratching. Monte Nido did fail to respond to two different requests for access for about 6 months and that translated to a $160,000 settlement. At least Monte Nido did provide the records though. WHMG, as stated by OCR, still has not produced the requested records, but only had to pay $10,000. The failure to provide the requested records also extended over a much longer period of time. Why? To help the industry understand and possibly encourage more compliance, it would be beneficial for OCR to explain its process for determining the amount of a penalty.
Beyond the ongoing confusion about how to know what non-compliant activity will result in what penalty amount, the settlements show that organizations need to pay better attention to policies and procedures governing the right of access. As should hopefully be relatively well known, the Privacy Rule sets out a fairly clear process on how to implement the right of access. OCR has also provided sub-regulatory guidance about how to appropriately implement the right of access requirement. Finally, a new rule is pending to permanently change some aspects of the right of access. All of those circumstances support taking the time to better understand what is needed for compliance, aside from the fact that responding to a request from a patient is only good for relations.
A final thought for takeaway is that patient complaints to OCR do not often result in a satisfactory response from the patient’s perspective. In a couple of the settlement descriptions, patients were told that guidance was given to the non-responding entity or that the entity was left to determine by itself whether non-compliance occurred. When a patient has not received requested records and no push is made to get those records, the patient can justifiably feel that no one is there to help. Given that OCR apparently recognized that non-compliance with the right of access remains pretty rampant, stronger support of individual rights would likely be welcome.
Where Are We Going?
While the actions underlying the new settlements are not all new, some of the activity does overlap with the time period of OCR’s right of access enforcement initiative. Given the ongoing concerns around access, a more public push to support individuals in the submission of requests could be helpful. Driving more transparency and shining more light on the issue should happen. Records are still being held up too frequently. If healthcare is trying to drive to collaborative, quality-focused models, success requires collaboration with patients too, not just others on the delivery or business side. That starts with being open and respecting rights.
This article was originally published on The Pulse blog and is republished here with permission.