By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The Office for Civil Rights announced yet another settlement action involving the HIPAA Right of Access on March 29, 2024. It is a reminder that right of access remains a focal point for OCR even though cyberattacks formed the basis for settlements announced earlier in 2024. The most recent announcement comes with a bit of a twist though because the party contested the enforcement action.
The Case Details
The right of access settlement involves Phoenix Healthcare LLC d/b/a Green County Care Center (GCCC). OCR started its investigation because it received a complaint in April 2019 that the right of access was not being honored. With a bare minimum of details, a daughter sought her mother’s records. The daughter served as the personal representative of the mother. The records were not provided and OCR stepped in to provide technical assistance on what to do. OCR also stated that it attempted to get the records. Reading between the lines, all of those efforts did not produce immediate results. Instead, OCR called out specifically that it took GCCC 323 days to provide the records after the request was submitted. That delay meant the records were finally sent on January 30, 2020.
Over a year later, OCR notified GCCC that a civil monetary penalty (CMP) in the amount of $250,000 was being imposed. Where did that number come from? As usual, that is anyone’s guess. Arguably, the amount could represent the implication that OCR tried to get GCCC to do the right thing, but the attempts at help received less receptivity than should have occurred.
The attempted imposition of the CMP did not end the story though. Instead of just taking the CMP, GCCC requested a hearing before an Administrative Law Judge to contest the proposed CMP. That request occurred on June 25, 2021. Over a year and a half late, the ALJ upheld the HIPAA violations found by OCR, but significantly reduced the CMP to $75,000.
The ALJ’s Decision
The ALJ’s decision helps to fill in the details a little bit. The decision notes that the daughter initially requested access to the records on March 13, 2019. GCCC responded through its legal counsel that access would be provided, but a fee would need to be paid first. In the words of the decision, the fee was not reasonable and cost-based (remember, OCR guidance offered clarity on what fees can be imposed). The daughter (understandably) refused to pay the fee and GCCC did not provide the records. At least, the records were not provided until after OCR stepped in. The decision also notes that even though the law firm served as GCCC’s business associate and had done so for over 20 years, a business associate agreement was not executed until September 20, 2019, which would be after OCR became involved in the access issue.
Again, getting a bit deeper, the daughter requested the records after her mother was brought to the emergency department. She went to GCCC and completed an access request. The ALJ’s decision stated that the form did not include any information about the format of the requested copy of the fee structure. After the request was submitted, the law firm responded on GCCC’s behalf noting that the law firm handled all records requests because it had hard copies of the records. The law firm stated it would charge a fee of $0.50 per page because that was allegedly the statutory rate set by Oklahoma statute. The law firm asserted that the mother’s record consisted of 935 pages, which meant it would charge a fee of $467.50 for the records. No offer was made to provide an electronic copy. After receiving the letter, the daughter complained to OCR.
Upon receipt of the complaint letter, OCR reached out to GCCC’s Privacy Officer. The communication included an explanation of what a reasonable and cost-based fee looked like and what factors could be used in determining that fee. OCR concluded with a statement that any subsequent complaint of noncompliance could result in a formal investigation.
The letter did not spur positive action. Instead, the daughter filed a second complaint with OCR on May 24, 2019 because the law firm continued to insist that the initially stated fee had to be paid. The daughter also noted she was not offered a digital copy and questioned why the medical records would be with the law firm. After interviewing the daughter, OCR opened a formal investigation in late June 2019 and sent a data request to GCCC. That request spurred a letter from the law firm to the daughter offering an electronic copy of the records for a fee of $200.
The law firm also responded to OCR’s request by letter dated July 12, 2019. The letter reportedly ignored OCR’s position and just cited the allegedly relevant Oklahoma law. The initial letter did not provide any of the requested documents. A partial production occurred with a letter dated July 18, 2019. The response refused to provide some of the information and arguably antagonized the matter by complaining about the cost and time spent in responding to OCR just because the daughter didn’t want to pay for the records.
After additional correspondence that included finding that GCCC and the law firm only executed a business associate agreement in the middle of the discussions, OCR notified GCCC and the law firm that its investigation found violations of HIPAA requirements. As a result, OCR presented a resolution agreement and corrective action plan to GCCC on January 16, 2020. Two weeks later on January 30, 2020, GCCC and the law firm finally provided an electronic copy of the mother’s medical records to the daughter.
The dispute then turned to the amount of a proposed penalty and disagreements over mitigating factors. The dispute as presented to the ALJ focused on the amount of the penalty. The decision also specifically called out an “acrimonious” discovery phase. The decision does not pull any punches in criticizing GCCC and its legal representation for failing to provide information and being unnecessarily difficult.
The decision then went into a detailed discussion about the willful nature of the violation, but also OCR’s methodology for calculating the proposed CMP. The ALJ could see the relevance of the factors cited by OCR, but also noted that the whole dispute really came down to a long stalemate over one instance of noncompliance and the lack of a business associate agreement. After considering additional factors that the ALJ felt were omitted by OCR, the ALJ held that an appropriate CMP would be $75,000.
After all of that, OCR and GCCC now entered into a settlement agreement to agree on a penalty of $35,000 and GCCC foregoing an appeal of the ALJ’s decision to a federal court.
Finally, More Details
The unique course followed by this dispute offers a much more detailed peek behind the curtain than usually occurs in a settlement announced by OCR. First, the ongoing obstinance of GCCC and the law firm that it utilized underscore the importance of engaging knowledgeable counsel and also playing reasonable ball with OCR. The dispute could have been resolved a lot more quickly and with a lot less acrimony if heels had not been dug in and someone with apparently a deeper understanding of HIPAA was involved.
The second benefit is the extended discussion in the ALJ’s decision about OCR’s approach to calculating the CMP. While the ALJ found OCR considered a number of relevant factors, it also determined that OCR did not include other factors and was very aggressive in setting a high dollar figure. Arguably, the contentious nature of the situation informed the proposed CMP, but it would also be a reasonable expectation that personal feelings of that nature should not influence the determination of a CMP.
Since the ALJ was a little bit more removed and less directly involved, the ALJ pointed additional factors should have been considered along with the actual extent of the noncompliance that occurred. Importantly, the ALJ determined that the missing factors weighed in GCCC’s favor. Not including the factors for consideration created a much stronger negative implication that was appropriate. Further, the ALJ also level set that the problem was really just one instance of not providing access to records, even though the lack of access continued for much longer than was reasonable.
The ALJ’s decision referenced the MD Anderson case, another loss for OCR upon challenge. When taken in combination, the GCCC and MD Anderson cases support an inference that OCR is too aggressive in setting its penalties and challenging could be productive. However, while that may be appealing, challenging is also an intensive process in terms of both time and resources. How many organizations will want to go through all of that and see that it offers a better result than just settling? That is a good question and could be a point that OCR rests on.
Conclusion
Ultimately, the GCCC settlement offered more information on the HIPAA penalty process than usually occurs. The ALJ’s decision helps explain how the amount was calculated and provided much more of the factual background. All of the additional detail could support an implication that OCR only gives a very brief skim of the facts because offering any more would raise questions about its decisions. While it is unlikely OCR will change its approach, it is an interesting outcome that might begin to influence behavior when negotiating with OCR for a settlement.
This article was originally published on The Pulse blog and is republished here with permission.