Kendall Warden, Class of 2024, Belmont Law
On September 20, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) sent a public message to dental practices in violation of HIPAA Privacy Rule’s patient right of access provision. The OCR did this by publicizing the result of investigations into three dental practices throughout the United States. These investigations concerning patient right of access violations are part of a collective effort to encourage medical providers to remain compliant with the HIPAA Rules and minimize the need for patients to file complaints with OCR to receive their medical records.
In general, the Privacy Rule’s patient right of access provision requires covered entities in possession of protected health information (PHI) to provide individuals access to their PHI upon request. While there is no private right of action for individuals affected by HIPAA Privacy Rule violations, filing a complaint with the OCR gives patients an alternative means of resolving disputes when covered entities fail to timely or adequately provide access to PHI.
The first of the three cases involved Family Dental Care, P.C., located in Chicago, Illinois. A patient of the dental practice requested her full medical record in May 2020, but she received only bits and pieces of her records. After realizing large portions of her records were missing, the patient filed a complaint with OCR on August 8, 2020. During OCR’s investigation, the dental practice provided the patient with the remainder of her medical records. The patient did not receive her full medical records until a complaint had been filed and more than five months had gone by since the initial request. OCR determined that Family Dental Care did not timely provide patient access to the request medical records, and therefore, potentially violated HIPAA Privacy Rule’s patient right of access provision. Family Dental Care ended up paying a $30,000 fine and agreeing to implement a corrective action plan.
The second investigation involved a dental and orthodontics provider located in Georgia, Great Expressions Dental Center of Georgia, P.C. In November 2019, a patient requested her medical records from the dental practice. The practice refused to provide the medical records unless the patient paid $170 copying fee, so the patient filed a complaint with OCR in November 2020. Over a year later, in February 2021, the practice finally provided the patient with her medical records. Through its investigation, OCR determined Great Expressions Dental Center of Georgia failed to provide timely access to the patient’s requested medical records, and its copying fees are unreasonable and not cost-based. Both determinations are potential HIPAA violations. The Georgia practice paid an $80,000 fine and also agreed to implement a corrective action plan.
The third case concerns Paradise Family Dental, a dental practice located in Las Vegas, Nevada. On behalf of her minor child, a mother requested the child’s PHI from Paradise Family Dental several times between April 11, 2020, and December 4, 2020, but she did not receive any portion of her child’s records. On October 26, 2020, the mother filed a complaint with OCR, in response to Paradise Family Dental’s inaction, detailing the practice’s failure to provide access to the child’s PHI. More than eight months after the initial request, the mother finally received the child’s records on December 31, 2020. OCR determined that the practice failed to timely and adequately provide the mother access to her child’s medical records amounting to a potential HIPAA violation. The practice paid a $25,000 fine and also agreed to implement a corrective action plan.
The trend among these investigations seems to be that once a complaint is filed, providers turn over the requested records. Granted, they will be forced to pay a large fine for the delay. However, OCR seems to be determined to increase compliance with the patient right of access provision and minimize the need for patients to file a complaint with OCR in order to receive their medical records. Hopefully, these investigations got OCR’s message of compliance across, and providers will be more willing to provide patients with timely access to their own information (and to avoid large fines).