Ignore OCR at Your Own Risk

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

The Office for Civil Rights announced the latest in its ongoing series of settlements or penalties stemming from individual right of access issues under HIPAA on October 17, 2024, which also happens to be the fiftieth such settlement. While the focus on right of access has been continuous for a number of years now, the opportunity to fully understand what happened before the resulting settlement or penalty is still very infrequent. The current announcement provides an aberration not just from that pattern, but also optimistically the approach of many organizations.

The Quick Summary

Gums Dental Care (GDC) is a dental practice located in Maryland. A parent submitted a request for the records of the parent’s children in both April and June of 2019. The first requested resulted in a complaint to OCR that was resolved with technical guidance. The second request, submitted after the informal resolution, also went unfulfilled and resulted in a second complaint. After a long course of interaction (or lack of interaction) with OCR, the patient finally received the requested records in May 2022. Further, OCR imposed a civil monetary penalty (CMP) of $70,000 for GDC’s failure to provide the requested records.

Now the Detail

The brief summary does not sound all that different from OCR’s standard announcement of an alleged violation. There is a bare minimum of detail and a lot left to speculation.

However, that is where the departure occurs. Since OCR imposed a CMP on GDC, which is not a settlement, there is a Notice of Proposed Determination and a Notice of Final Determination (seemingly not posted online yet) that dives into more detail about the situation. Further, the announcement also revealed that GDC sought review of the Notice of Proposed Determination to an Administrative Law Judge (ALJ) to review OCR’s action. GDC also appealed the ALJ’s decision to the Departmental Appeals Board. All of those actions resulted in a full description of the interactions on the record and summarizing information presented by both OCR and GDC in the filings with the ALJ.

The recitation of the facts provides insight into arguably just how much OCR will do to avoid imposing a penalty or settlement. OCR tries to support an entity in improving its operations to meet compliance obligations under HIPAA, which involves a lot of technical guidance and pointing out of what needs to be done. It all points to OCR being supportive of organizations and working to further understanding of HIPAA.

A Series of Failures

Let’s dive into the facts as laid out in the decision issued by the HHS Departmental Appeals Board. The following facts paint an interesting picture that, as suggested already, shows what happens when OCR is ignored.

GDC’s HIPAA saga commenced on April 5, 2019 when the complainant and affected party (referred to as AP) submitted a request for her children’s records held by GDC. GDC emailed the AP on April, 8, 2019 with the number of times each child visited GDC for services. The AP replied and requested records for specific dates that the children were treated by GDC. On May 1, 2019, the AP sent a complaint to OCR that the requested records had not been provided.

Consistent with the normal course for OCR, technical guidance was provided to GDC about its obligations under the HIPAA Privacy Rule with respect to the right of access. After sending the technical guidance, OCR closed the complaint on May 7, 2019.

After the initial round, the AP sent a second request for access to GDC on June 26, 2019. In the emailed request, the AP included a mailing address where the records could be sent, but also included an email address as an alternative for where the records could be sent. As before, GDC did not provide the requested records. Accordingly, the AP filed a second complaint with OCR on August 2, 2019.

OCR informed GDC on September 5, 2019 that OCR was initiating an investigation. The notification included a data request that should be responded to within 30 days. No response was received. OCR followed up with GDC and was finally able to speak with GDC on October 31, 2019, after leaving a voicemail a few weeks earlier. On the October 31st phone call, GDC informed OCR that GDC did not intend to provide the records to the AP. On November 7, 2019, OCR resent the data request to GDC. Again, no response was received.

There is then a break in the action until October 1, 2020. No reason is given for the break or what happened, but there is one clear event that happened in that intervening period, the onset of the COVID-19 pandemic. Regardless, on October 1, 2020, OCR sent GDC a letter that its investigation was finished and it would determined that GDC violated the Privacy Rule. Along with the letter, OCR included a proposed resolution agreement and corrective action plan.

GDC, unlike its previous approach, responded on October 22, 2020. No mention of the proposed resolution was made. Instead, GDC now said that the AP refused to pay a flat fee of $25 to obtain the records. GDC followed up on November 9, 2020, now claiming that GDC believed the AP only requested the records to enable the AP to commit insurance fraud.

Unmoved by the responses, OCR issued a Letter of Opportunity on December 8, 2020 to GDC that again reiterated OCR’s determination that GDC violated the Privacy Rule. OCR afforded GDC the opportunity to submit written evidence as to why OCR should not impose a CMP or mitigating factors against the amount. GDC acknowledged receipt of the Letter of Opportunity and only reiterated the previous statements about GDC’s belief insurance fraud would be committed and GDC did not agree with OCR that that constituted an impermissible reason for denying the access request. GDC went on to state that it would not provide any information that GDC was allegedly told would be used inappropriately. GDC also seemed to shift the burden onto the AP to arrange a time to get the requested records.

With all of that, OCR sent the Notice of Proposed Determination about the proposed CMP on March 29, 2022. GDC finally provided the AP with the requested records on May 17, 2022, which was a couple of months after learning about the proposed CMP.

Bad Facts Make Bad Outcomes?

What does that recitation of facts show? Arguably, the description of facts shows a deliberate course of action to not meet GDC’s obligations under the HIPAA Privacy Rule to provide individuals access to their records. It is also a bit of an egregious set of facts, though the kernel of allegedly not wanting to enable fraud is not so far-fetched. No one wants to support fraud or enable it to occur.

However, in this instance, the belief, even if accurate, is tangential to the real issue. The right of access portion of the Privacy Rule explains when and how a request for access can be denied. Concern about the records being used for fraud does not fit into any of those reasons. If access will be denied, then an organization should make sure it is familiar with the denial requirements and follow the clear steps laid out in the Privacy Rule.

The other clear issue raised by the case with GDC is OCR will pretty much go out of its way to not impose a penalty or seek a settlement. That should be apparent just from the reality that an extremely small number of complaints or investigations result in a settlement or penalty. The ordinary course of interaction with OCR is to resolve an issue through guidance and support. The guidance and support are achieved by OCR supplying technical guidance. The technical guidance likely means sending over a lot of the guidance that is already available on OCR’s website.

Further, when OCR reaches out to provide the technical guidance, there also probably a chance to talk with OCR and ensure that the organization understands the guidance. There are limitations in OCR can do, namely not give a thumbs up that certain actions will not result in a finding of non-compliance or otherwise provide legal advice, but OCR may be able to give a little bit of insight or provide suggestions about where to find additional helpful information.

The circumstances with GDC are an outlier, but the refusal to engage with OCR has been found in other announced settlements. It is usually a good approach to interact with governmental agencies respectfully and seek to foster a collaborative relationship. Getting combative does not set a good tone and will not easily end well.

Conclusion

Leaving aside the specifics of the penalty imposed on GDC, it is helpful to get fuller detail on all of the steps and actions that resulted in the CMP. OCR’s standard basic announcement just leaves room for endless speculation and theorizing. Seeing the assessment and reasoning from an ALJ is a lot more informative on many fronts. Pursuing that full process takes a lot of commitment or willingness to face potentially harsher consequences by an organization, but it does provide better fodder for those on the outside.

This article was originally published on The Pulse blog and is republished here with permission.