Report on Patient Privacy 22, no. 10 (October, 2022)
How about free?
Patients daily face the machinations of getting records from their providers, and health care practices, hospitals and even dentists struggle with confusing fee schedules, murky payment limits, and what is really meant by the “reasonable cost-based fee” they’re allowed to charge.
And they’ve also got to be quick about it, so they don’t blow the timeframes for access, thus giving patients another reason beyond fees to complain to the HHS Office for Civil Rights (OCR).
The danger that providers will get it wrong and face enforcement action by OCR is real. Last month OCR announced three new settlement agreements against providers—all dentists—who were either late, charged too much or didn’t provide full records. They bring to 41 the number of covered entities (CEs) that paid fines and, generally agreed to corrective action plans (CAPs) that are themselves costly to implement.
Among the new cases is Great Expressions Dental Center of Georgia, which paid $80,000 and agreed to a two-year CAP. OCR accused the practice of being both tardy and charging an excessive fee. In response—or what Great Expressions’ general counsel called evidence of a “silver lining”—the chain of 300 independently owned practices with 500 dentists among them did away with all records fees previously charged to patients, RPP has learned.
New OCR Director Melanie Fontes Rainer announced the trio of settlements on Sept. 20, just a week after she was sworn into the position permanently; she was named acting director in July (see story, p. 1).
Then-OCR Director Roger Severino began the Right of Access initiative in 2019. OCR’s volume of access cases increased from just two that year but remained fairly constant. In 2020 it had 11 such cases and 12 last year. So far this year, however, it has issued 16 such enforcement actions, including the three recent cases.
The 41 cases have collectively brought OCR approximately $2.83 million in fines and penalties. On occasion, fines have appeared higher than others when OCR has received more than one complaint about the same CE, but that was not the case with any of the three new settlements.
The initiative has touched nearly every size of practice and specialty, from hospitals and nursing homes to solo practitioners, and has included podiatrists, plastic surgeons, dermatologists, retina specialists, spine surgeons, cardiologists, primary care physicians and federally qualified health organizations.
Penalties against CEs sanctioned for access violations have ranged from $3,500, which came from a psychiatrist in Virginia who had two complaints against her, to $240,000 paid by Memorial Herman Health System. In that case, a patient made five requests and received her records 564 days late, OCR said.
In her new announcement, Fontes Rainer took specific aim at dentists, warning that the “actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law.”
She called requesting patient records “a fundamental right under HIPAA,” which should be fulfilled “in most cases, within 30 days.” Fontes Rainer added that she hoped “these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”
But that might be what happened in the case of a Great Expressions patient who was seen by a dental practice in Georgia; no city or other information is included in OCR’s statements.
According to OCR’s announcement, the agency received a complaint in November 2020 that a Great Expressions patient had not received copies of her medical records “because she would not pay [the practice’s] $170 copying fee.”
OCR explained that she initially requested her records “in November 2019, but did not receive them until February 2021, over a year later.”
It is not clear from OCR’s news release or settlement agreement posted online whether OCR’s involvement led the practice to provide the records or if it did so voluntarily—ofttimes in such settlements, OCR will say that it was only after hearing from the agency that a practice complied with a request. This settlement also gave no indication when OCR itself contacted the practice.
‘New and Better Training’ Implemented
The agency said its investigation found the dental practice had potentially violated HIPAA through its “failure to provide timely access to the requested medical records” and its “practice of assessing copying fees that were not reasonable and cost-based.” As has been its habit of late, OCR did not say how it arrived at the $80,000 penalty.
RPP contacted Michael DeMinico, general counsel of Great Expressions Dental Centers, about the settlement. While he provided some information about actions taken following the complaint, DeMinico did not respond to follow-up questions to offer more details, such as how training had been revised.
“While the underlying incident took place more than 4 years ago (the request was made in 2018), Great Expressions regrets whenever it falls short in its commitment to its patients,” he told RPP. “However, every cloud has a silver lining, and this one is no different.”
Great Expressions has made many changes, DeMinico said.
“We have made it easier for our patients to receive their dental records by eliminating any reasonable cost-based fees associated with their copying and provision,” he said. “Now all patients will receive their records without charge when requested.”
He added that the chain has “streamlined our records request process by centralizing fulfillment in a specialized team of patient services representatives.”
Finally, he said Great Expressions has “instituted newer and better HIPAA training, ensuring that each of our team members is fully aware of their responsibilities to our patients.”
Six-Month Wait Costs Dentist $30,000
The other dental practices that recently reached settlement agreements with OCR are in the Chicago area and Las Vegas.
In contrast to the complaint against Great Expressions, the one that led to Family Dental Care’s settlement with OCR is relatively simple—and the practice is subject to a one-year, not two, CAP. According to its website, Family Dental has seven offices, including Chicago, Calumet City and Evergreen Park, Illinois, and in Munster, Indiana.
OCR alleged in the settlement agreement that a patient waited for a copy of her designated medical records set from May 8, 2020, until Oct. 12, 2020. The practice’s sole failure was in not providing timely access, OCR said. The agency did not indicate whether OCR had any involvement in facilitating the records release but said it received the complaint on Aug. 8, 2020.
Officials from Family Dental Care did not respond to RPP’s request for comment on the settlement.
CAP requirements for both Great Expressions and Family Dental include revising policies and procedures to address the definition of a designated records set.
Great Expressions also must develop access policies that clarify “the form and format of the PHI [protected health information] requested” as well as “for charging cost based and reasonable fees for providing access to protected health information in response to access requests.” But, as DeMinico explained to RPP, Great Expressions practices no longer charge for medical records.
Family Dental must review and update its release of information form “to ensure patients have the option to request their entire designated record set.” Another requirement is for the practice to designate “one or more individuals who are responsible for ensuring that [the practice’s] business associate agreement with any business associates involved in [the practice’s] access responsibilities under the Privacy Rule are properly executed.”
Dentist Imposed Numerous Requirements
The third settlement involves a somewhat protracted process that began when a mother emailed Paradise Family Dental in North Las Vegas, operated by dentist Steven Hardy. The practice may then have had issues authenticating who she was; this also occurred in the early days of the pandemic.
Hardy agreed to pay $25,000 and, like Family Dental, implement a two-year CAP for failing to provide timely access.
According to OCR, the mother first emailed Paradise Dental a “request for access to copies of her and her minor child’s” PHI on April 11, 2020. Three days later, the practice wrote back, “explaining that the office was closed and offered to email the requested PHI to her if [she] confirmed the email address to which it should send the PHI.”
The mother apparently did that on May 4, 2020, and then “made several subsequent requests” but was ultimately told to “submit a written request with her handwritten signature.” Apparently, she complied on Dec. 4, 2020, and the practice sent the PHI on Dec. 31, 2020.
Hardy’s CAP is more extensive than the other two. He is required to develop right-of-access policies and procedures and submit them to OCR for approval. The practice’s notice of privacy practices also must be revised to reflect current access policies. Hardy also must “develop, review, and update as necessary the Practice’s policy regarding individuals’ right of access to PHI to ensure timely and comprehensive response to requests for copies of records, including individuals’ requests for access directing the Practice to transmit copies directly to a designated third party, and a denial process consistent with the Privacy Rule.”
Another task is to develop “protocols for training all of the Practice’s workforce members that are involved in receiving or fulfilling access requests” and “appropriate sanctions against the Practice’s workforce members who fail to comply with the policy and procedures.”
All three CAPs require the practices to obtain from workers, “at the time of distribution of such policies and procedures, a signed written or electronic compliance certification or similar documentation from all members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures.”
Other common features in the CAPs are submission of an implementation report within 120 days of the settlement agreements’ effective date—and annually—and reporting of possible noncompliance among workforce members and actions taken.
1 U.S. Department of Health & Human Services, “OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA,” news release, September 20, 2022, https://bit.ly/3RrEeCQ.
2 Theresa Defino, “Acting OCR Director Named to the Post Permanently, Has Many Tasks to Accomplish,” Report on Patient Privacy 22, no. 10 (October 2022).
3 Jane Anderson, “OCR Adds Eight Access Settlements; Enforcement Actions Now Total 38,” Report on Patient Privacy 22, no. 8 (August 2022), https://bit.ly/3E8DrUy.
4 U.S. Department of Health & Human Services, “Family Dental Care, P.C. Resolution Agreement and Corrective Action Plan,” August 1, 2022, content last reviewed September 20, 2022, https://bit.ly/3Rsjpax.
5 U.S. Department of Health & Human Services, “Great Expressions Dental Center of Georgia, P.C. Resolution Agreement and Corrective Action Plan,” September 1, 2022, content last reviewed September 20, 2022, https://bit.ly/3frlvdo.
6 U.S. Department of Health & Human Services, “B. Steven L. Hardy, D.D.S., LTD (`Paradise’) Resolution Agreement and Corrective Action Plan,” August 9, 2022, content last reviewed September 20, 2022, https://bit.ly/3CC8mYp.