Department of Health and Human Services
DEPARTMENTAL APPEALS BOARD
Civil Remedies Division
Director of the Office for Civil Rights
v.
Phoenix Healthcare, LLC d/b/a Green Country Care Center
Docket No. C-21-896
Decision No. CR6232
DECISION
Respondent is Phoenix Healthcare, LLC d/b/a Green Country Care Center. Phoenix Healthcare, LLC operates Green Country Care Center (also referred to as “GCCC” or “the facility”), a skilled nursing facility in Tulsa, Oklahoma. The complainant, who is the daughter of a former resident who is the affected party (AP), requested a copy of the AP’s medical records on March 13, 2019. Respondent, through its business associate and counsel, Secrest, Hill, Butler & Secrest (“the Secrest firm”), premised access to a copy of the AP’s medical records on its receipt of a fee that was not “reasonable and cost-based.” The complainant did not pay the requested fee, and Respondent did not provide the requested records until January 30, 2020. Respondent and the Secrest firm also did not enter into a written business associate agreement until September 20, 2019, even though the Secrest firm had been engaged as Respondent’s business associate for nearly 20 years.
The Director of the Office for Civil Rights (OCR) initiated an investigation that determined that Respondent, as a covered entity pursuant to 45 C.F.R. § 160.103,1 violated the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 as follows: 1.) It did not provide timely access to the designated record set,2 at the penalty tier of willful neglect, beginning on May 30, 2019, and continuing through January 29, 2020; 2.) It erroneously relied on state law and charged a fee that was in contravention of 45 C.F.R. § 164.524, at the penalty tier of willful neglect, for a single day on July 1, 2019; and 3.) It did not enter into a written business associate agreement with the Secrest firm until September 20, 2019, in contravention of 45 C.F.R. § 164.502(e), at the reasonable cause penalty tier, from March 30, 2015, through September 19, 2019. OCR determined that the total civil monetary penalty (CMP) for which Respondent was liable was $4,071,131, but proposed a CMP of $250,000 based on its evaluation of the factors listed in 45 C.F.R. § 160.408, specifically, sections 160.408(d) and (e).
I uphold OCR’s determination that Respondent committed the aforementioned violations of the Privacy Rule, along with OCR’s determinations regarding Respondent’s level of culpability for each violation and the duration of each violation. However, based on an evaluation of the factors listed at 45 C.F.R. § 160.408, a CMP of $75,000 is justified.
I. Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996), was enacted on August 21, 1996.3 Pursuant to its provisions, the Secretary of Health and Human Services implemented a “Privacy Rule” addressing protected health information (PHI). See 45 C.F.R. parts 160 and 164.
Section 261 of HIPAA, which is the Administrative Simplification subtitle, stated that its purpose was “to improve the Medicare program . . . , the [M]edicaid program . . . , and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” HIPAA, Pub. L. No. 104-191, § 261, 110 Stat. 1936, 2021 (1996); see 42 U.S.C. § 1320d note (Purpose). Section 262 of HIPAA addressed the standards for information transactions and data elements, and it directed the Secretary of Health and Human Services to “adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically,” with goals of “improving the operation of the health care system and reducing administrative costs.” § 262. Section 264, addressing “Recommendations with Respect to Privacy of Certain Health Information,” stated the following:
Not later than the date that is 12 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall submit . . . detailed recommendations on standards with respect to the privacy of individually identifiable health information.
§ 264(a). These recommendations were required to address “[t]he rights that an individual who is a subject of individually identifiable health information should have,” “[t]he procedures that should be established for the exercise of such rights,” and “[t]he uses and disclosures of such information that should be authorized or required.” § 264(b). Further, section 264(c) of HIPAA directed the following:
If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act.
§ 264(c). Section 264 also directed that any regulation promulgated pursuant to the aforementioned authority “shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” § 264(c).
In a final rule published on December 28, 2000, the Secretary explained that the rulemaking was the “second final regulation to be issued in the package of rules mandated under title II subtitle F section 261-264 of [HIPAA] . . . titled ‘Administrative Simplification.’” 65 Fed. Reg. 82,462, 82,463 (Dec. 28, 2000). The Secretary explained that, with respect to section 264, “[a]s the Congress did not enact legislation regarding the privacy of individually identifiable health information prior to August 21, 1999, HHS published proposed rules setting forth such standards . . . and is now publishing the mandated final regulation.” Id. at 82,470.
As relevant here, the rulemaking promulgated 45 C.F.R. § 164.524(a) (Access of Individuals to Protected Health Information) that provided that “individuals have a right of access to protected health information that is maintained in a designated record set.” Id. at 82,554. Further, in promulgating 45 C.F.R. § 164.524(b), the rulemaking “require[d] covered entities to permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set.” Id. at 82,556. The rulemaking also required covered entities to “act on a request for access within 30 days of receiving the request,” with up to 90 days allowed to act on a request to information that is maintained off-site. Id. Finally, the rulemaking also provided that a covered entity may “charge a reasonable, cost-based fee for copying the information.” Id. at 82,557; see 45 C.F.R. § 164.524(c)(4) (current version of regulation). Although the Secretary declined to specify a “set fee” because “copying costs could vary significantly depending on the size of the covered entity and the form of [the] copy,” the Secretary emphasized that a reasonable, cost-based fee includes the costs of copying, to include supplies and labor, and postage, and that the rule “limits the types of costs that may be imposed for providing access to [PHI].” 65 Fed. Reg. at 82,735.
With respect to business associates, the rulemaking included 45 C.F.R. § 164.504(e), which requires “a contract between a covered entity and a business associate.” Id. at 82,503. Further addressing the new provision, the final rule explained:
In the final rule we retain the overall approach proposed: covered entities may disclose protected health information to persons that meet the rule’s definition of business associate, or hire such persons to obtain or create protected health information for them, only if covered entities obtain specified satisfactory assurances from the business associate that it will appropriately handle the information; the regulation specifies the elements of such satisfactory assurances; covered entities have responsibilities when such specified satisfactory assurances are violated by the business associate.
Id. at 82,504. Explaining, at length, that a “business associate contract” memorializes the “satisfactory assurances” that a business associate will appropriately handle information on behalf of a covered entity (Id. at 82,503-07), the rulemaking summarized that “[a] business associate contract basically requires the business associate to maintain the confidentiality of the [PHI] that it receives and generally to use and disclose such information for the purposes for which it was provided.” Id. at 82,507.
The AP was a resident of the facility from February 2018 through March 2019. OCR Ex. 4 at 1. The complainant held power of attorney for the AP. OCR Ex. 4 at 1. On March 12, 2019, the complainant signed the AP out of the facility and brought her to the emergency department of an acute care hospital. R. Ex. 1 at 37, 39.4
The following day, on March 13, 2019, the complainant visited the facility and requested a copy of the AP’s records. OCR Ex. 4 at 2. At that time, the complainant completed a form entitled, “AUTHORIZATION TO USE OR DISCLOSE HEALTH INFORMATION.” OCR Ex. 7 at 1-2. In addition to lacking the pre-printed name of the facility, the form did not include any pre-printed information regarding the format of the requested copy (e.g., paper or electronic) or the fee structure employed by Respondent for providing records access. OCR Ex. 7 at 1-2.
In a letter dated April 1, 2019, W. Michael Hill, on behalf of the Secrest firm, a law firm, informed the complainant that the Secrest firm “handles all records requests for” the facility.5 OCR Ex. 9 at 1. Mr. Hill reported that the Secrest firm “[had] hard copies of these records” and advised that “the total page count for the requested medical records is 935 pages.” OCR Ex. 9 at 1. Mr. Hill explained that based on the Oklahoma “statutory rate” of 50 cents per page, the Secrest firm “will start the copying process and forward a hard copy of the requested records” upon receipt of a check for $467.50. OCR Ex. 9 at 1.
On April 16, 2019, the complainant submitted a “Health Information Privacy Complaint,” Form HHS-700, alleging that the Secrest firm violated the Privacy Rule. OCR Ex. 3 at 1. The complainant reported that she had received the Secrest firm’s April 1, 2019 letter informing her that payment of $467.50 would be required for a copy of the medical records, and she explained that she “was not offered an electronic copy which is available and would be a lesser expense as well.” OCR Ex. 3 at 1.
On April 30, 2019, OCR sent a letter to Respondent’s “Privacy Officer” in which it reported that it had received a complaint alleging that Respondent had “charged her an amount other than a reasonable, cost-based fee in response for access to an electronic copy of her medical records.”6 OCR Ex. 10 at 1. Citing 45 C.F.R. § 164.524(c)(4), the letter explained, in pertinent part, that a “reasonable, cost-based fee” may only include the actual cost of labor, supplies, and postage, even if additional costs are allowable under state law. OCR Ex. 10 at 3. OCR encouraged the privacy officer to “assess and determine whether there may have been any noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future.” OCR Ex. 10 at 3. OCR cautioned that if it were to “receive a similar allegation of noncompliance . . . in the future, [it] may initiate a formal investigation of that matter.” OCR Ex. 10 at 3.
Several weeks later, on May 24, 2019, the complainant filed a second complaint against the Secrest firm with OCR, at which time she again reported that the Secrest firm would not release the AP’s records until she paid the requested fee for the records.7 OCR Ex. 5 at 1. The complainant explained that she was not offered a digital copy of the records. OCR Ex. 5 at 1. The complainant also questioned how Respondent “had permission to share and or send [the AP’s] medical records to an attorney[’]s office.” OCR Ex. 5 at 1.
On June 20, 2019, OCR interviewed the complainant to investigate her allegation that she had not been provided copies of the records requested in March 2019, at which time it documented the complainant’s statement that she had requested the records “so her mother can receive appropriate care.” OCR Ex. 6 at 3. Shortly thereafter, on June 25, 2019, OCR provided notice that it had opened an investigation. OCR Ex. 12 at 1-2. OCR appended a “Data Request” directing Respondent to submit specific information and documents by a prescribed deadline. OCR Ex. 12 at 2, 5-12.
On July 1, 2019, the Secrest firm sent a letter to the complainant stating the following, in pertinent part: “Regarding your request for an electronic copy of the medical records of [the AP] from [GCCC], please be advised that the cost for a copy of the records in electronic form is $200.00.” OCR Ex. 13 at 1. The author of the letter, Mr. Hill, informed the complainant that the Secrest firm “will start the copying process” upon receipt of a check in the amount for $200. OCR Ex. 13 at 1. Mr. Hill included a copy of the Oklahoma code section entitled, “Access to Medical Records – Copies – Waiver of Privilege.” OCR Ex. 13 at 2-3.
In a letter dated July 12, 2019, the Secrest firm, via Mr. Hill, replied to OCR’s June 25, 2019 correspondence. OCR Ex. 11. Undeterred by OCR’s previous notice that Respondent must comply with the Privacy Rule, even when state law authorizes fees not allowable pursuant to the Privacy Rule, Mr. Hill cited a copy of the Oklahoma code and reported that the complainant had agreed to pay for records at a rate of 50 cents per page. OCR Ex. 11 at 2; see OCR Ex. 7 (authorization form with undated handwritten notation regarding rate of 50 cents per page); Okla. Stat. tit. 76, § 76-19. Mr. Hill further explained that he had offered the complainant the opportunity to obtain an electronic copy of the records. OCR Ex. 11 at 2; see OCR Ex. 13 at 1 (letter informing the complainant that the Secrest firm would disclose the records upon receipt of $200).
On July 18, 2019, the Secrest firm sent another letter to OCR in which it provided partial responses to OCR’s June 25, 2019 data request. OCR Ex. 22; see OCR Ex. 12. For example, the Secrest firm, on behalf of Respondent, refused to indicate when Respondent had engaged it, and also refused to report the scope of its services and provide a copy of a business associate agreement. Compare OCR Ex. 12 at 9 with OCR Ex. 22 at 2. Likewise, the Secrest firm refused to provide a copy of Respondent’s most recent quarterly balance sheet, income statement, statement of cash flows, audited financial statements, or most recent federal tax return. Compare OCR Ex. 12 at 10 with OCR Ex. 22 at 2. The Secrest firm complained it was “disappointed and frustrated with the expense, time and resources that have been expended in this matter, and which we believe is the result of [the complainant’s] intent not to pay for the AP’s records.” OCR Ex. 22 at 3.
In follow-up correspondence sent via email on July 26, 2019, OCR inquired whether GCCC and Phoenix Healthcare, LLC are “two separate legal entities or does Phoenix Healthcare LLC ‘do business as’ Green Country Care Center?” OCR Ex. 23 at 3. OCR requested a supporting explanation. OCR Ex. 23 at 3. In response, the Secrest firm stated, “Phoenix Healthcare, LLC, is the Court Appointed Receiver for Green Country Care Center.” OCR Ex. 23 at 2.
On September 20, 2019, in response to September 18, 2019 correspondence from OCR, the Secrest firm provided a “July 2019 Income Statement” for GCCC and maintained its “objection to providing the Federal Tax Return for [GCCC].” OCR Ex. 24 at 1, 9-10. The Secrest firm also provided a copy of a written business associate agreement between Respondent and the Secrest firm that had been executed that same day. OCR Ex. 24 at 1, 3-8.
In a memorandum to file dated January 7, 2020, OCR reported that the complainant continued to want a copy of the AP’s medical records because “she wants to take action against the doctor who discontinued her mother’s diabetes shots.”8 OCR Ex. 16. On January 16, 2020, OCR sent a resolution agreement and corrective action plan to GCCC, via the Secrest firm. OCR Ex. 14. OCR explained that it had completed its investigation and determined that GCCC had “violated several provisions of the Privacy Rule,” to include denying timely access to a designated record set, requesting a fee that is not reasonable or cost-based, and failing to have a written business associate agreement with the Secrest firm. OCR Ex. 14 at 1-2.
On January 30, 2020, the Secrest firm sent an electronic copy of the AP’s records to the complainant. OCR Ex. 15 at 1.
In a letter of opportunity dated March 5, 2020, OCR asked GCCC to provide evidence of mitigating factors, affirmative defenses, and other information for its CMP determination. OCR Ex. 17. The Secrest firm provided a response on May 5, 2020, that included affidavits dated April 30, 2020, from a paralegal (Ms. Kennemer) and the facility’s administrator (Ms. Justice).9 OCR Ex. 18 at 5. The Secrest firm claimed that “[t]he proposed penalty of OCR would drive our client out of business and displace numerous elderly residents.” OCR Ex. 18 at 2. The Secrest firm criticized OCR’s offer of settlement with a “$330,000.00 penalty,” comparing its violations involving “a single medical records request” to the $660,000 CMP imposed by the Centers for Medicare & Medicaid Services on “[a] nursing home in Washington State [that was] found to have caused the death of forty (40) residents by failing to comply with COVID-19 precautions.” OCR Ex. 18 at 5.
In correspondence dated September 16, 2020, OCR stated the following:
Despite repeated requests for financial information to support GCCC’s position of financial hardship, GCCC has only produced a single income statement from July 2019.
This letter is to provide GCCC with a final opportunity to provide sufficient financial documentation and materials regarding its financial condition. GCCC has 14 calendar days to submit a response to this letter with financial documentation regarding the factors enumerated in 45 C.F.R. § 160.408(d), which may include GCCC’s past three years of federal tax returns, quarterly balance sheets, income statements, statements of cash flows, and full year audited financial statements (including notes) prepared, reviewed, or audited by an independent accounting firm.
OCR Ex. 19 at 2-3 (italics and bold in original). Respondent replied to OCR on September 30, 2020, but did not provide the requested information. R. Ex. 6.
On March 30, 2021, OCR issued the notice of proposed determination in which it proposed to impose a CMP of $250,000 against Respondent. OCR Ex. 21. OCR identified the covered entity, pursuant to 45 C.F.R. § 160.103, as “Phoenix Healthcare LLC d/b/a Green Country Care Center.” OCR Ex. 21 at 2-3. OCR determined that Respondent was subject to a CMP based on the following three violations:
- It did not provide the complainant with the AP’s medical records in a timely manner, in violation of 45 C.F.R. § 164.524(b)(2), and that the violation was at the willful neglect level for 245 days from May 30, 2019, through January 29, 2020.
- It erroneously relied on Oklahoma law, which OCR determined was in contravention of the fee structure outlined in 45 C.F.R. § 164.524(c)(4) at the willful neglect level for a single day on July 1, 2019.
- Respondent and the Secrest firm did not enter into a written business associate agreement, as required by 45 C.F.R. § 164.502(e), until September 20, 2019, and that the earliest date of liability for this violation was March 30, 2015 (six years prior to March 30, 2021).
OCR Ex. 21 at 7. OCR determined that Respondent was liable for the following CMPs:
- Timely Action by Covered Entity – 45 C.F.R. § 164.524(b)(2): The CMP is $3,511,789 . . . based on 45 C.F.R. § 160.404(b)(2)(iv) [Willful Neglect not corrected in 30 days].
- Provision of Access, Fees – 45 C.F.R. § 164.524(c)(4): The CMP is $59,522 . . . based on 45 C.F.R. § 160.404(b)(2)(iv) [Willful Neglect not corrected in 30 days].
- Business Associate Agreement – 45 C.F.R. § 164.502(e): The CMP is $500,000 . . . based on 45 C.F.R. § 160.404(b)(2)(ii) [Reasonable Cause].
OCR Ex. 21 at 9. OCR explained that “[t]he total CMP for which OCR finds GCCC liable, with regard to the violations described, is $4,071,131 . . . . However, based on OCR’s evaluation of the factors listed in 45 [C.F.R. §] 160.408, OCR has determined that a CMP of $250,000 is warranted in this matter.” OCR Ex. 21 at 9-10. Regarding the factors at 45 C.F.R. § 160.408, the sole factors OCR addressed in favor of Respondent were based on sections (d) and (e) of that regulation, pertaining to financial condition and “[s]uch other matters as justice may require.” See OCR Ex. 21 at 9 (“While GCCC did not provide audited financial statements in response to OCR’s Letter of Opportunity, GCCC has claimed financial hardship. Given that claim and the impact of the COVID-19 public health emergency on nursing homes generally, OCR is using the discretion contemplated by [section 160.408(d) and (e)] to impose a reduced CMP of $250,000.”).
“GCCC” filed a request for an administrative law judge (ALJ) hearing that was received by the Civil Remedies Division on July 2, 2021. DAB E-File docket entry Doc. No. 1 (hereinafter “Request for Hearing”). Notably, the request for hearing claimed that OCR had incorrectly identified the covered entity, arguing that “GCCC and Phoenix Healthcare, LLC . . . are distinct entities, separately registered with the Oklahoma Secretary of State.” Request for Hearing at 2. The request for hearing also did not concede that Phoenix Healthcare, LLC was a covered entity. Request for Hearing at 2-3. Addressing the cited violations, the request for hearing claimed that GCCC did not refuse to disclose the designated record set and correctly followed Oklahoma law when it sought $467.50 for hard copy records and $200 for electronic records. Request for Hearing at 4-5, 8-9. The request for hearing also stated that GCCC and the Secrest firm had an oral business associate agreement dating back to “on or about the year 2000.” Request for Hearing at 3-4; see also Request for Hearing at 12 (“The written Business Associate Agreement was explicitly declared retroactive until 2000.”).
Addressing the CMP, the request for hearing contended that the CMP is excessive. Request for Hearing at 13-17. Without addressing the regulatory definition of “willful neglect” found at 45 C.F.R. § 160.401, the request for hearing argued that any violations did not amount to willful neglect. Request for Hearing at 14-15. Likewise, without addressing the pertinent regulatory factors enumerated at 45 C.F.R. § 160.408, the request for hearing argued that the CMP was excessive. Request for Hearing at 15-17.
The Civil Remedies Division issued my standing pre-hearing order (Pre-Hearing Order) on July 19, 2021. On August 10, 2021, I held the first of two pre-hearing conferences. At that time, I observed that “Respondent is represented by counsel from the same law firm . . . that is identified as a business associate of Respondent,” and that “the proposed CMP at issue here is based, in part, on a finding of fact that Respondent and Secrest ‘did not enter into a written business associate agreement until September 20, 2019.’” August 12, 2021 Order at 2-3. I “recommended that counsel for Respondent expeditiously conduct the necessary due diligence to rule out the possibility of any potential conflicts that could stem from representation of Respondent in this matter.” August 12, 2021 Order at 3. I also set a schedule for both discovery and the filing of pre-hearing exchanges. August 12, 2021 Order at 1-2.
For nearly the next six months, the parties engaged in a protracted and acrimonious discovery process. On January 24, 2022, I issued an order directing the parties to provide memoranda and supporting documentation that would facilitate my ruling on numerous discovery disputes. My 10-page order focused on two broad issues: 1.) Respondent’s claims that “Phoenix Healthcare, LLC, d/b/a Green Country Care Center” is not the proper Respondent; 2.) The Secrest law firm’s role as representative for GCCC, while also being a potential witness and party. I directed the parties to provide responses to the order. I further ordered that “[i]f, based on its analysis of the issues presented [in the order], Secrest determines that withdrawal from representation is appropriate, it should file notice of its intent to withdraw from representation in lieu of a response to this order.” January 24, 2022 Order at 10. Thereafter, on February 3, 2022, Mr. Hill filed notice of the Secrest firm’s intent to withdraw from representation.
Respondent obtained substitute counsel on February 11, 2022, and I convened a second pre-hearing conference on March 21, 2022. During the pre-hearing conference, as reflected by my March 22, 2022 Order, I explained that, after I resolved the pending matter involving the identity of Respondent (which Respondent, on April 25, 2022, conceded was “Phoenix Healthcare, LLC d/b/a Green Country Care Center”), I would re-open the discovery process on an accelerated schedule. In an order dated June 3, 2022, I set a new discovery and pre-hearing exchange schedule.
OCR filed its pre-hearing exchange, to include a combined pre-hearing brief and motion for summary judgment (OCR Br.) and 54 proposed exhibits (OCR Exs. 1-54), on October 28, 2022. OCR’s pre-hearing exchange included the written direct testimony of the complainant (OCR Ex. 4) and Michael Rushanan, Ph.D. (OCR Ex. 27). Respondent filed its pre-hearing exchange, to include a response to OCR’s motion for summary judgment (R. Br.) and nine proposed exhibits (R. Exs. 1-9), on December 2, 2022. On December 19, 2022, OCR filed a reply brief. At that time, OCR also objected to Respondent’s witness list and requested an opportunity to cross-examine two witnesses.
Respondent submitted as written direct testimony the April 30, 2020 affidavits of its then-administrator, Ms. Justice, and a Secrest firm paralegal, Ms. Kennemer. R. Exs. 2, 8; see OCR Ex. 18 at 5. Although Respondent listed six other witnesses on its list of proposed witnesses, it did not submit the written direct testimony of any of these witnesses. Pre-Hearing Order § 8 (“If a party seeks to present witness testimony (other than expert witnesses), it must submit the complete, written direct testimony of any proposed witness as a proposed exhibit.”). Nor did Respondent provide notice that it was unable to obtain the testimony of any prospective witnesses. Pre-Hearing Order § 8 (“If a party is unable to obtain written direct testimony from a witness due to a lack of cooperation, or if the party believes that a witness is an adverse or hostile witness, then the party must, at the time it files its pre-hearing exchange, identify the witness and present the legal and factual basis for concluding that the witness should be considered an adverse or hostile witness.”). Respondent also did not request an opportunity to cross-examine OCR’s witnesses. See Pre-Hearing Order § 9 (“If Respondent wants to cross-examine any of OCR’s witnesses, Respondent must file a notice naming the specific witness(es) it wants to cross-examine. This notice must be separate from Respondent’s brief, and it must be filed contemporaneous with its pre-hearing exchange.”). Because Respondent did not request a hearing to cross-examine OCR’s witnesses, and it did not provide written direct testimony for six of its listed witnesses (nor allege that it was unable to obtain their written testimony), a hearing is unnecessary for cross-examination of OCR’s witnesses or for direct examination of any other witnesses.
With respect to OCR’s request to cross-examine two witnesses for whom Respondent submitted April 2020 affidavits, there is simply no need to schedule a hearing to allow for cross-examination of these witnesses. Ms. Kennemer, in her capacity as a paralegal for the Secrest firm, submitted an affidavit in April 2020 in which she addressed telephone contact between the Secrest firm and the complainant. R. Ex. 2 at 1-2. Ms. Kennemer validated that “[the complainant] was sent a letter that advised the records were in our office and were ready for pickup as soon as payment was received.” R. Ex. 2 at 1. Likewise, Ms. Kennemer cited the subsequent July 1, 2019 letter that informed the complainant that a copy of electronic records would be provided upon receipt of $200. R. Ex. 2 at 1-2; see OCR Ex. 13 at 1. The fact that the Secrest firm informed the complainant that she would be given either hard or electronic copies of the designated record set upon receipt of the fee requested by the Secrest firm is not in dispute, nor is the fact that the complainant refused to pay the requested fee and therefore did not obtain a copy of the records until the Secrest firm furnished the records at no cost on January 30, 2020. OCR Ex. 15 at 1. Further, to the extent Ms. Kennemer’s affidavit reports that “[i]t wasn’t until we received the OCR’s correspondence dated June 25, 2019, that [the complainant] wanted electronic copies of the records,” R. Ex. 2 at 1, this statement is patently inconsistent with the evidence of record; nearly two months earlier, on April 30, 2019, OCR plainly informed Respondent that the complainant “alleges that on March 14, 2019, [it] charged her an amount other than a reasonable, cost-based fee in response for access to an electronic copy of [the AP’s] medical records.” OCR Ex. 10 at 1 (italics added). Inasmuch as Ms. Kennemer’s affidavit serves no useful purpose, there is no relevant or material evidence that could result from cross-examination of this witness. 
See 45 C.F.R. §§ 160.538(d) (“The ALJ must permit the parties to conduct cross-examination of witnesses as may be required for a full and true disclosure of the facts.”); 160.540(c) (“The ALJ must exclude irrelevant or immaterial evidence.”).10
Likewise, OCR also requests an opportunity to cross-examine Ms. Justice, for whom Respondent submitted her April 2020 affidavit as her written direct testimony. R. Ex. 8. Ms. Justice’s affidavit addressed the financial status of “Green Country Care Center,” and not Phoenix Healthcare, LLC, which operates several skilled nursing facilities, to include Green Country Care Center.11 See Respondent’s April 25, 2022 Response at 1-2 (“Green Country Care Center, Inc. is not a covered entity. Green Country Care Center, Inc. is simply the property owner of the facility named Green Country Care Center. Phoenix Healthcare, LLC d/b/a Green Country Care Center is the covered entity in this matter.”). Further, to the extent Ms. Justice addresses “Green Country Care Center’s” ability to pay a CMP based on July 2019 financial information, such a snapshot of “Green Country Care Center’s” ability to pay the CMP more than three years ago is neither relevant nor material to the ability of Phoenix Healthcare, LLC d/b/a Green Country Care Center to pay a $250,000 CMP proposed in March 2021. See OCR Br. at 29 (“Phoenix is a substantial entity; it owns and operates six nursing homes and employs more than 500 people and has considerable resources.”). Additionally, in its April 25, 2022 response, Respondent reported that Ms. Justice’s employment ended on October 20, 2021; it is unclear what information, on cross-examination, Ms. Justice would be able to provide regarding Respondent’s current ability to pay a CMP. To the extent Ms. Justice addressed the financial resources of GCCC as a stand-alone entity in July 2019, and not the present resources of the covered entity and Respondent, Phoenix Healthcare, LLC d/b/a Green Country Care Center, her affidavit is simply irrelevant to the question of Respondent’s current ability to pay a CMP.12
The evidentiary record is closed. Respondent has not requested cross-examination of any witnesses and OCR has not requested cross-examination “as may be required for a full and true disclosure of facts.” 45 C.F.R. § 160.538(d). An in-person hearing is unnecessary, and I will decide this case on the merits.13
II. Issues
- Whether Respondent violated 45 C.F.R. § 164.524(b)(2) between May 30, 2019 and January 29, 2020, and if so, whether the penalty tier is willful neglect.
- Whether Respondent violated 45 C.F.R. § 164.524(c)(4) on July 1, 2019, and if so, whether the penalty tier is willful neglect.
- Whether Respondent violated 45 C.F.R. § 164.502(e) from March 30, 2015, through September 19, 2019, and if so, whether the penalty tier is reasonable cause.
- Whether a $250,000 CMP is justified.
III. Jurisdiction
I have jurisdiction to decide this case. 45 C.F.R. § 160.504.
IV. Findings of Fact, Conclusions of Law, and Analysis14
- The complainant requested a copy of the AP’s medical records on March 13, 2019.
- The complainant refused to pay either $467.50 for a hard copy of the AP’s medical records or $200 for an electronic copy of the AP’s medical records.
- Respondent provided an electronic copy of the requested medical records on January 30, 2020.
- Respondent violated 45 C.F.R. § 164.524(b)(2) when it did not timely provide the complainant with the requested copy of the AP’s medical records within 30 days of April 30, 2019, the date OCR initially provided written notice to Respondent regarding the complaint and pending request for an electronic copy of the AP’s records.
In its proposed determination, OCR determined that Respondent violated 45 C.F.R. § 164.524(b)(2) beginning on May 30, 2019, which was more than 60 days after the complainant requested a copy of the AP’s records (OCR Ex. 7) and 30 days after OCR informed GCCC of the complainant’s allegation that GCCC “charged her an amount other than a reasonable, cost-based fee in response for access to an electronic copy of her medical records.” OCR Ex. 10 at 1.
Pursuant to 45 C.F.R. § 164.524(b)(2)(i), a covered entity “must act on a request for access no later than 30 days after receipt of the request” as listed below:
(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested . . . .
(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section.
The relevant and material facts are not complicated. The complainant requested a copy of the AP’s medical records on March 13, 2019. OCR Ex. 7 at 1. The pre-printed form utilized by Respondent did not allow the requestor to indicate the requested format of the records (e.g., electronic or hard copy), nor did the pre-printed information on the form address how fees would be calculated. OCR Ex. 7 at 1. Respondent, through its legal counsel, initially informed the complainant that it would provide access to hard copies of the medical records upon receipt of $467.50, which was based on a copy rate of 50 cents per page. OCR Ex. 9. The complainant believed this amount was inconsistent with HIPAA and filed successive complaints with OCR in April and May of 2019 (OCR Exs. 4, 5), and refused to pay $467.50 for the records. Because she did not remit payment, Respondent did not provide the requested copy of the AP’s medical records.
Even if Respondent initially believed that the complainant was seeking a hard copy of the records, OCR, in its April 30, 2019 letter to Respondent, unambiguously explained that the complainant was, in fact, seeking an electronic copy of the AP’s medical records. OCR Ex. 10 at 1. OCR also pointedly explained that a covered entity may only request a “reasonable, cost-based fee” for records and that, pursuant to 45 C.F.R. § 164.524, the fee may only include the cost of labor, supplies, and postage, regardless of whether state law authorizes other costs. OCR Ex. 10 at 3. After Respondent disregarded this guidance, OCR opened an investigation on June 25, 2019. OCR Ex. 12. Only after receiving OCR’s June 25, 2019 correspondence, Respondent, in a letter dated July 1, 2019, informed the complainant that it would provide an electronic copy of the AP’s medical records upon receipt of $200, which it noted was calculated based on state law rather than based on the “reasonable, cost-based fee” outlined in 45 C.F.R. § 164.524. OCR Ex. 13
at 1. Because the complainant was unwilling to pay the $200 requested by Respondent, the Secrest firm, on behalf of Respondent, did not provide the requested copy of the AP’s medical records at that time.
Approximately six months into what essentially turned into a stalemate, OCR, on January 16, 2020, sent Respondent a resolution agreement and corrective action plan, at which time it informed Respondent that it had “violated several provisions of the Privacy Rule,” to include not providing timely access to the designated record set. OCR Ex. 14 at 1. Shortly thereafter, on January 30, 2020, Respondent, for the first time and more than 10 months after the complainant submitted her written request for a copy of the AP’s medical records, furnished the complainant with a compact disc containing an electronic copy of the AP’s medical records. OCR Ex. 15 at 1. The record thus indicates that even after OCR informed Respondent on April 30, 2019, that the complainant was seeking an electronic copy of the AP’s records and that only a “reasonable, cost-based fee” could be collected for an electronic copy of the records, Respondent nonetheless did not provide the requested records until January 30, 2020.
Respondent argues that it provided timely access to the records, and the complainant simply failed to take the necessary action (e.g., pay the requested fee and pick up the records).15 R. Br. at 12-13. Letters dated April 1 and July 1, 2019, clearly indicate that Respondent, through its business associate, conditioned providing the requested medical records upon receipt of an excessive fee that was neither reasonable nor cost-based. OCR Exs. 9, 13; see infra Section IV, § 6-9. By conditioning its fulfillment of the records request on either payment of $467.50 (for a hard copy) or $200 (for an electronic copy), which the complainant was unwilling to pay because the amounts were not reasonable and cost-based, Respondent did not provide the requested records.
Respondent also argues that it allowed the complainant an opportunity to “inspect” the records herself, and this somehow exempted it from its obligation to provide a copy of the requested records. R. Br. at 12-13. This claim evidences Respondent’s failure to understand its obligations under the Privacy Rule. Contrary to Respondent’s
understanding of HIPAA, it was required to provide a copy of the AP’s medical records that had been requested by the complainant. The complainant requested a copy of the records; she did not request an opportunity to inspect the records. 45 C.F.R. § 164.524(a)(1) (right of access) (“[A]n individual has a right of access to inspect and obtain a copy16 of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set . . . .”); see 45 C.F.R. § 164.524(b)(2)(i)(A) (requiring a covered entity to “provide the access requested”).
Respondent also argues that the complainant “agreed to pay the fee for such production established pursuant to Oklahoma law,” implying that its inability to furnish the record was simply because the complainant did not pay the agreed upon fee. R. Br. at 12. Even if, for the sake of discussion, the complainant had initially agreed to pay a fee that was in contravention of the Privacy Rule, it should have been apparent to Respondent by April 30, 2019, after the complainant had filed a complaint with OCR and OCR had sent correspondence explaining Respondent’s obligations under HIPAA, that the complainant did not intend to pay an unreasonable fee for a copy of the AP’s records. See OCR Ex. 10.
And to the extent Respondent argues that it first learned on June 25, 2019, that the complainant was requesting an electronic, rather than a hard copy, of the AP’s records, the evidentiary record plainly indicates that on April 30, 2019, OCR informed Respondent’s privacy officer that the complainant had requested an electronic copy of the records.17 R. Br. at 13; see OCR Ex. 10. Further, if Respondent only became aware that records had been requested in electronic format upon receipt of OCR’s June 25, 2019 letter, then it simply disregarded the previous April 30, 2019 letter that it acknowledged it had received that same day. See OCR Ex. 11 at 2 (Respondent’s claim, on July 12, 2019, that it learned from OCR’s June 25, 2019 correspondence that the complainant “wanted a digital copy of AP’s records” and Mr. Hill’s statement that his client received the letter from OCR on April 30, 2019).
- Respondent acted with willful neglect when it failed to provide timely access to records.
OCR, in assessing the level of culpability, determined that Respondent acted with willful neglect. OCR Ex. 21 at 7. Willful neglect, pursuant to 45 C.F.R. § 160.401, is defined as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
After the complainant requested a copy of the AP’s records on March 13, 2019, Respondent attempted to collect $467.50 based on a fee structure authorized under state law, rather than a “reasonable, cost-based fee” required under HIPAA. OCR Exs. 7 at 1; 9 at 1. Even if Respondent (rather than its business associate, the Secrest firm) was somehow unaware of its obligation to provide timely access to requested records at the time it notified the complainant of the $467.50 fee for the records, on April 30, 2019, OCR sent a letter to Respondent’s privacy officer that clearly informed it of its legal obligations under HIPAA. OCR Ex. 10 at 3. Not only did the letter caution that the complainant’s “allegation could reflect a violation of 45 C.F.R. § 164.524” (OCR Ex. 10 at 1), but it also informed Respondent that if OCR received “a similar allegation of noncompliance . . . in the future, [it] may initiate a formal investigation of that matter.” OCR Ex. 10 at 3. OCR explained that “[a] covered entity must act on the request for access no later than 30 days after receipt of such a request and, in certain circumstances, no later than 60 days after the receipt of such a request.” OCR Ex. 10 at 1. OCR explained that any fee for records may only include the cost of labor, supplies, and postage, even if state law allowed a greater fee, and advised Respondent to access a hyperlink to OCR’s website that contained “material explaining the Privacy Rule provisions related to Access to Medical Records.” OCR Ex. 10 at 3. Although Respondent argues that it “reasonably relied on the advice of its legal counsel to handle the matter in compliance with all applicable and relevant state and federal laws” (R. Br. at 15), the evidentiary record demonstrates that Respondent was squarely notified that its actions, as of April 30, 2019, could be in violation of the Privacy Rule and how it could comply with the Privacy Rule. 
The fact that Respondent disregarded this advice and passed the letter on to the same counsel whose actions triggered OCR’s intervention in this matter evidences, at a minimum, a “reckless indifference” to its obligations under HIPAA.18 See 45 C.F.R. § 160.401.
Respondent is a covered entity, and a covered entity is required to comply with HIPAA. I recognize that Respondent was represented by its business associate law firm, but the evidence shows that OCR directly informed Respondent, on both April 30 and June 25, 2019, that the handling of the complainant’s records request could run afoul of the Privacy Rule. OCR Exs. 10, 12. The fact that Respondent failed to ensure that its business associate complied with the Privacy Rule, particularly after receiving correspondence from OCR, supports a finding of reckless indifference to its obligations under HIPAA. Even if Respondent sought counsel regarding HIPAA matters from its business associate counsel, it utterly disregarded the notices OCR sent to its privacy officer.
- In a letter dated July 1, 2019, Respondent informed the complainant that it would furnish an electronic copy of the AP’s medical records upon receipt of $200.
- The $200 fee was based on Oklahoma state law, and Respondent has not claimed, much less made a showing, that $200 is a “reasonable, cost-based fee” for an electronic copy of the AP’s medical records.
- Respondent does not challenge OCR’s calculation that a “reasonable, cost-based fee” for an electronic copy of the AP’s records would be no more than $47.64 based on $21.88 (for sending a CD) and $25.76 for two hours of labor for scanning paper files, as necessary.
- Respondent violated 45 C.F.R. § 164.524(c)(4) on July 1, 2019, when it sought $200 for an electronic copy of the AP’s records, which is more than $150 more than the unrefuted “reasonable, cost-based fee” for the AP’s medical records.
OCR determined that Respondent violated 45 C.F.R. § 164.524(c) when it sent the complainant a letter on July 1, 2019, informing her that it would provide access to an electronic copy of the requested records upon receipt of $200. OCR Ex. 21 at 7; see OCR Ex. 13 at 1. OCR, relying on the testimony of Dr. Michael Rushanan (OCR Ex. 27), argues that Respondent charged fees that greatly exceeded its actual costs.19 OCR Br. at 19-20.
Addressing the “reasonable, cost-based fee” to provide access to the requested records, OCR determined that “the total cost to send a CD with an electronic copy of the [AP’s] medical records should have been no more than $21.88.” OCR Br. at 20 (citing OCR Ex. 47 at 2). OCR also determined that, “[e]ven if some portion of the [AP’s] medical records were maintained exclusively in paper, [Respondent’s] costs to scan in that portion should have been far lower than the fees [Respondent] charged [the complainant]” and “should have taken no more than two hours of the employee’s time at a cost of $25.76.” OCR Br. at 20-21.
Respondent does not refute these calculations, nor does it offer an explanation of how the $200 it requested for an electronic copy of the AP’s records was, in fact, based on a “reasonable, cost-based fee.”20 R. Br. at 13-15. Rather, Respondent claims that Oklahoma Law allows it to charge a maximum of $200 plus postage or delivery fees. R. Br. at 14, citing Okla. Stat. tit. 76, § 76-19. Respondent further claims that “Secrest, on behalf of GCCC, maintained a reliance upon a sum-certain amount for the records based upon the understanding that the Oklahoma legislature would not have run afoul of HIPPA [sic] in adopting 76 O.S. § 19.” R. Br. at 15.
In the absence of any dispute that OCR’s figures are erroneous, Respondent has not challenged OCR’s calculation that the “reasonable, cost-based fee” to provide an electronic copy of the records should not have exceeded $47.64. Respondent offers no explanation how, under the instant circumstances, $200, even if allowed under Oklahoma law, was actually a “reasonable and cost-based fee.” Rather, Respondent charged the maximum amount allowable under state law, and has made no showing that charging the maximum amount was “reasonable and cost-based.”
- Respondent acted with willful neglect when it requested a fee that was not “reasonable and cost-based” on July 1, 2019.
As previously explained, “Willful Neglect” is the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 C.F.R. § 160.401. OCR determined that the penalty tier for Respondent’s violation of 45 C.F.R. § 164.524(c)(4) was Willful Neglect and determined that it committed this violation for a single day on July 1, 2019.
OCR directly notified Respondent’s privacy officer on April 30, 2019, that the complainant had filed a complaint with OCR alleging that Respondent had “charged her an amount other than a reasonable, cost-based fee in response for access to an electronic copy of her medical records.” OCR Ex. 10 at 1. OCR explained that any fees for access to records must be “reasonable and cost-based,” and limited to labor, supplies, and postage, even if state law authorizes other costs. OCR Ex. 10 at 3. Even though OCR informed Respondent that the complainant’s allegation “could reflect a violation of 45 C.F.R. § 164.524,” Respondent did not make sure that it charged a “reasonable, cost-based fee” for a copy of the requested medical records. Rather, the record indicates that Respondent forwarded the letter to the Secrest firm, despite the April 30, 2019 letter’s discussion that the Secrest firm’s handling of the complainant’s records request had prompted OCR’s correspondence to Respondent.
Nearly two months later, on June 25, 2019, OCR again sent a letter to Respondent’s privacy officer, at which time it reported, among other things, that “[t]o date, the Complainant has not received a response from [Respondent] or the law firm and has not received the AP’s medical records as requested,” and that “[t]hese allegations could constitute violations of 45 C.F.R. § 164.524.” OCR Ex. 12 at 1-2. Respondent thus had another opportunity to ensure that it, or its business associate, provided access and charged a “reasonable, cost-based fee,” but instead directed the correspondence to the Secrest firm. OCR Ex. 11 at 2 (July 12, 2019 letter to OCR explaining, “After being advised in [OCR’s] correspondence of June 25, 2019, that [the complainant] wanted a digital copy of AP’s records we sent another correspondence to [the complainant] dated July 1, 2019 . . . notifying her of the adjusted cost for electronic production in accordance with 76 OKLA STAT § 19.”). Respondent had an opportunity to ensure that, consistent with the guidance it received on April 30, 2019, it charged a “reasonable, cost-based fee,” yet it allowed the same business associate that triggered OCR’s involvement to again make access to medical records contingent on the payment of excessive fees.
Respondent had direct knowledge that the actions of its business associate were possibly violative of the law and had triggered an OCR investigation, yet it made no effort to ensure compliance with HIPAA. Such conduct amounts to reckless indifference to its obligation to comply with administrative simplification provisions.
- Respondent violated 45 C.F.R. § 164.502(e) when it did not enter into a written business associate agreement with the Secrest firm until September 20, 2019, even though Respondent had engaged the Secrest firm as a business associate since 2000.
- Respondent is liable for its violation of 45 C.F.R. § 164.502(e) no earlier than March 30, 2015, which is six years prior to the date OCR issued its notice of proposed determination.
OCR determined that “GCCC and Secrest did not enter into a written business associate agreement until September 20, 2019, in violation of 45 C.F.R. § 164.502(e).”21 OCR Ex. 21 at 7. OCR determined that liability began on March 30, 2015, which was six years prior to the date of its letter, and continued until September 20, 2019, the date Respondent entered into a written business associate agreement. OCR Ex. 21 at 7; see 45 C.F.R. § 160.414 (“No action under this subpart may be entertained unless commenced by the Secretary, in accordance with § 160.420, within 6 years from the date of the occurrence of the violation.”).
Respondent stated that it “does not dispute the lack of a written Business Agreement, but, yet again, relied on the advice of counsel to determine the necessity of a written Business Agreement, as opposed to the oral agreement the parties entered around the year 2000, well before any requirement that a Business Agreement be in writing.”22 R. Br. at 20.
Significantly, Respondent had a facility policy entitled, “Business Associate Agreements,” that indicated it had been revised in February 2014, more than a year prior to the initial date of liability for the violation. OCR Ex. 43. The policy states, “Our facility may disclose . . . PHI . . . to business associates, or allow business associates to create or receive . . . PHI, upon the business associate’s signing a written agreement to appropriately safeguard such protected information.” OCR Ex. 43 at 1. The policy defines a business associate as the following:
A business associate, for purposes of this policy, means a person or entity who is not an employee or workforce member of this facility; who performs or assists in the performance of a function or activity on behalf of the facility that involves the use or disclosure of . . . [PHI]; or, who provides legal, actuarial, accounting, consulting, data compilation, management, administrative, accreditation, or financial services.
OCR Ex. 43 at 1. In its April 1, 2019 letter to the complainant, the Secrest firm explained that the “firm handles all records requests for this facility.” OCR Ex. 9 at 1. Respondent conceded that it “admittedly did not have a written Business Agreement in place at the time the records were submitted to Secrest.” R. Br. at 20. Although Respondent claims that it “created [a business associate agreement] immediately upon notice that a written Business Agreement was necessary,” this claim is belied by Respondent’s own 2014 policy that confirms it was aware that a business associate included an entity that “performs or assists in the performance of a function or activity on behalf of the facility that involves the use or disclosure of [PHI]” or “provides legal . . . services.”23 OCR Ex. 43 at 1. The policy explicitly requires that Respondent “may disclose [PHI] . . . to business associates . . . upon the business associate’s signing a written agreement to appropriately safeguard such protected information.” OCR Ex. 43 at 1. Contrary to Respondent’s claim, it was aware, as evidenced by its own policy, that it was required to have a written business associate agreement with the Secrest firm yet did not enter into a written agreement with the Secrest firm until September 20, 2019. OCR Ex. 24 at 3-8. Although Respondent acknowledges that the Secrest firm was its business associate since 2000, long before it entered into a written business associate agreement, an action under HIPAA must be initiated within six years of the violation. Therefore, liability cannot pre-date March 2015, which is six years prior to the date of the notice of proposed determination. 45 C.F.R. § 160.414; see, e.g., Request for Hearing (“The written Business Associate Agreement was explicitly declared retroactive until 2000.”).
- Respondent does not challenge OCR’s determination that the penalty level for its violation of 45 C.F.R. § 160.502(e) is at the reasonable cause level of culpability.
Reasonable cause is defined as “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity . . . did not act with willful neglect.” 45 C.F.R. § 160.401. Inasmuch as Respondent had a policy instructing that it enter into a written business associate agreement with its business associates, to include any entity that “performs or assists in the performance of a function or activity on behalf of the facility that involves the use or disclosure of [PHI]” or “provides legal . . . services,” it knew, or should have known, that it was required to have a written business associate agreement with the Secrest firm.
OCR Ex. 43 at 1. Respondent “does not dispute the lack of a written Business Agreement,” nor does it challenge OCR’s determination that the violation was at the reasonable cause level of culpability. See R. Br. at 20. There is no basis to disturb OCR’s determination.
- OCR’s determination that a CMP of $250,000 is justified is not based on an adequate evaluation of all factors listed at 45 C.F.R. § 160.408.
- A CMP of $75,000 is warranted based on evaluation of the factors listed at 45 C.F.R. § 160.408.
In its proposed determination, OCR stated that it “finds GCCC liable” for CMPs, as follows:
- $3,511,789 for the violation of 45 C.F.R. § 164.524(b)(2) (timely action by covered entity)
- $59,522 for the violation of 45 C.F.R. § 164.524(c)(4) (provision of access, fees)
- $500,000 for the violation of 45 C.F.R. § 164.502(e) (business associate agreement).
OCR Ex. 21 at 9. As for the $3,511,789 CMP for the first violation, OCR based it on willful neglect not corrected in 30 days for a total of 245 days. OCR Ex. 21 at 7, 9. The provision of access CMP of $59,522 was based on a single-day violation that occurred on July 1, 2019, which is the date Respondent informed the complainant that it would provide an electronic copy of the medical records upon receipt of $200. OCR Ex. 21 at 7, 9. The $500,000 CMP for the third violation involving Respondent’s failure to enter into a business associate agreement with the Secrest firm is based on a daily CMP of $1,000, as adjusted annually for inflation, for 1,575 consecutive days.24 OCR Ex. 21 at 7, 9, 12.
Respondent’s brief is not particularly enlightening with respect to OCR’s application of the factors at 45 C.F.R. § 160.408. To the extent Respondent challenges the CMP scheme enacted by Congress, I am not free to disregard a statutory CMP schedule. R. Br. at 23. Respondent has not offered any specific argument that OCR did not adequately consider its financial condition as required by 45 C.F.R. § 160.408(d); in particular, Respondent failed to acknowledge, much less address, OCR’s claims that Respondent
currently has the financial resources to pay the $250,000 CMP. OCR Br. at 29 (citing, inter alia, OCR Exs. 45 (documentation of receipt and forgiveness of $3.5 million Paycheck Protection Loan); 54 (federal tax returns)). And it is not lost on me that Respondent failed to fully cooperate with OCR’s efforts to assess its financial condition and ability to pay prior to the issuance of the notice of proposed determination. See, e.g., OCR Ex. 19 at 2 (“Despite repeated requests for financial information to support GCCC’s position of financial hardship, GCCC has only produced a single income statement from July 2019.”). Respondent has not claimed that OCR improperly exercised its discretion pursuant to 45 C.F.R. § 160.408(e). There is no basis to disturb OCR’s determinations that the CMP should be reduced to $250,000 based on evaluation of 45 C.F.R. § 160.408(d) and (e). OCR Ex. 21 at 9.
Although OCR explicitly addressed 45 C.F.R. § 160.408(d) and (e) in its proposed determination, the notice of proposed determination did not address how OCR evaluated a number of other enumerated factors when it determined the amount of the CMP. See 45 C.F.R. § 160.408(a)-(c). There is no doubt that Respondent violated multiple provisions of the Privacy Rule and did so at the willful neglect and reasonable cause penalty tiers. However, the violations, as cited by OCR, distill down to a single, albeit prolonged and significant, incident in which Respondent, which did not have a written agreement with a longstanding law firm business associate, sought to overcharge the complainant by approximately $150 and did not request a “reasonable, cost-based fee” for an electronic copy of the AP’s records.25 See OCR Ex. 21 at 9. Further, although Respondent disregarded OCR’s technical guidance regarding the “reasonable, cost-based fee,” the amount requested by Respondent was based on a state law governing access to medical records in Oklahoma. See Okla. Stat. tit. 76, § 76-19; see also OCR Ex. 21 at 7 (notice of proposed determination citing violation of 45 C.F.R. § 164.524(c)(4), and acknowledging that Respondent “erroneously relied on Oklahoma state law, which is in contravention of the fee structure permitted under 164.524(c)(4)”). Respondent violated HIPAA when it, through its business associate, predicated timely access to records on the payment of fees authorized by state law but not allowable under HIPAA, but the fact-specific circumstances presented here, when evaluated under 45 C.F.R. § 160.408(a) through (c), warrant a CMP lower than the proposed CMP of $250,000.
There is a dearth of jurisprudence addressing the Privacy Rule issues addressed herein, as demonstrated by the fact that neither party cited to a court decision addressing an individual’s right of access to PHI. And although OCR publishes reports of resolution agreements and CMPs on its website, OCR did not offer any comparative examples of
other CMPs imposed under similar circumstances. See U.S. Dep’t of Health & Human Servs., Resolution Agreements, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html (last visited Feb. 7, 2023). In the absence of any reference points offered by the parties, I endeavor, based solely on the regulatory provision and the unique facts of this case, to ensure that the CMP is justified based on the evaluation of all the factors listed in 45 C.F.R. § 160.408.26
The Fifth Circuit Court of Appeals considered the reasonableness of the CMP imposed against the University of Texas M.D. Anderson Cancer Center. Univ. of Tex. M.D. Anderson Cancer Ctr. v. U.S. Dep’t of Health & Human Servs., 985 F.3d 472 (5th Cir. 2021). OCR had proposed a CMP of $4,348,000, which it successfully defended before both an ALJ and the Departmental Appeals Board. M.D. Anderson, 985 F.3d at 475. However, upon M.D. Anderson’s filing of its petition for review with the Circuit Court, OCR “conceded that it could not defend its penalty and asked [the Circuit Court] to reduce it by a factor of 10 to $450,000.” M.D. Anderson, 985 F.3d at 475. Unlike the instant case, involving a single records request submitted to a comparatively smaller entity that, through its business associate law firm, overcharged based on erroneous reliance on state law, the CMP against M.D. Anderson involved a very large entity that had a series of incidents resulting in the potential compromise of PHI involving a total of approximately 35,000 individuals. M.D. Anderson, 985 F.3d at 474.
While much of the discussion in the M.D. Anderson decision is irrelevant to the instant case, I note that the Circuit Court determined that “[t]he Government has offered no lawful basis for its civil monetary penalties against M.D. Anderson.” M.D. Anderson, 985 F.3d at 481. The Circuit Court explained the following:
Those erroneous premises are particularly problematic because they tainted other parts of HHS’s decision. For example, HHS’s own regulations require it to consider the following factors (among others) in assessing a CMP:
(1) Whether the violation caused physical harm;
(2) Whether the violation resulted in financial harm;
(3) Whether the violation resulted in harm to an individual’s reputation; and
(4) Whether the violation hindered an individual’s ability to obtain health care.
45 C.F.R. § 160.408(b); M.D. Anderson, 985 F.3d at 481.
In its notice of proposed determination, OCR stated that it “has considered all factors in accordance with 45 C.F.R. § 160.408.” OCR Ex. 21 at 8. However, and in reality, OCR only addressed the specific factors at 45 C.F.R. § 160.408(d) and (e) in its discussion of the CMP. OCR Ex. 21 at 8-9. OCR did not address its evaluation of the factors outlined at 45 C.F.R. § 160.408(a) through (c).27
Pursuant to 45 C.F.R. § 160.408(a), OCR must consider the nature and extent of the violation, such as the number of individuals affected and the time period during which the violation occurred. Only one individual was adversely affected by this violation. Two of the violations persisted for a lengthy period of time, which is also accounted for by OCR’s determination that sizeable daily CMPs accrued for each of those violations. OCR Ex. 21 at 9. The length of the violations is a factor in my determination that a significant, albeit reduced, CMP of $75,000 is justified.
OCR must also consider the nature and extent of the harm resulting from the violation, such as whether the violation caused physical harm, financial harm, harm to reputation, or hindered an individual’s ability to obtain health care. 45 C.F.R. § 160.408(b). The first three factors are irrelevant.
As to the fourth factor (hindering an individual’s ability to obtain health care), the evidence does not support, under the particular and unique circumstances presented here, that Respondent’s failure to provide timely access to records hindered the AP’s ability to obtain health care. The complainant testified at a deposition that she brought the AP to an emergency department on March 12, 2019 to “get her proper treatment, which [she] didn’t believe [the AP] was getting” at the facility. R. Ex. 1 at 37. The complainant testified “no one at [the facility] had been checking [the AP’s] blood sugar levels or giving her insulin even though it was clear from her medical records that she had diabetes.” OCR Ex. 4 at 1. The complainant also testified that the AP was “found to be septic and extremely dehydrated.” OCR Ex. 4 at 1. At the same deposition, the complainant also testified that emergency department personnel were “unhappy” about “[t]he condition [the AP] was in” because “[h]er blood sugar was very dangerous, high levels. She was severely dehydrated[.] [S]he was septic.” R. Ex. 1 at 42. The complainant testified that an emergency department physician told her that [the AP] had “permanent kidney damage that cannot be reversed from untreated diabetes.” R. Ex. 1 at 43. The complainant further testified that she could not recall how long [the AP] was in the acute care hospital, but the duration could have been anywhere from “three weeks to a week.” R. Ex. 1 at 38-39. The complainant reported that the AP had a “short stay” at another skilled nursing facility following her discharge from the acute care hospital and was then transferred to another skilled nursing facility on April 5, 2019. R. Ex. 1 at 38-39. The complainant’s claims of inadequate care by Respondent (which are beyond the scope of my review), combined with the AP’s admission to an acute care hospital and two other skilled nursing facilities within the 30 days following the complaint’s request for a copy of her records, do not evidence that, under the unique and fact-specific circumstances presented here, the complainant’s inability to obtain a copy of the AP’s medical records within 30 days hindered her ability to obtain health care. 45 C.F.R. § 160.408(b)(4); see 45 C.F.R. § 164.524(b)(2) (allowing 30 days to provide access to medical records). To the contrary, the complainant’s statements, if accepted as true, suggest that the medical records would document inadequate care, or even a lack of care. OCR has failed to draw a connection between the considerable delay in access to the AP’s designated record set with the AP being hindered in her ability to receive care following her discharge from the facility, and there is simply no support for OCR’s claim in its briefing that an evaluation of 45 C.F.R. § 160.408(b)(4) weighs against Respondent. OCR Br. at 28-29.
With respect to 45 C.F.R. § 160.408(c), another factor for evaluation is “[t]he history of prior compliance with the administrative simplification provisions, including violations, by the covered entity,” with consideration including factors such as repeat noncompliance and efforts to attempt to correct previous indications of noncompliance, which are both inapplicable to the present circumstances because there is no reported history of past noncompliance. 45 C.F.R. § 160.408(c)(1)-(2). Another listed factor at 45 C.F.R. § 160.408(c)(4), regarding how the covered entity has responded to a prior complaint, is similarly inapplicable because there is no indication of past noncompliance prior to the complaints that are the subject of this decision.28 The factor listed at 45 C.F.R. § 160.408(c)(3) is relevant, in that Respondent did not respond to the technical guidance from the Secretary regarding the present complaints; as a result of its failure to respond to the technical guidance, daily violations, with associated CMPs, continued for many months. See OCR Br. at 29. Not only did I consider Respondent’s disregard of OCR’s technical guidance as evidence of the level of culpability (i.e., willful neglect), but I also considered this failure as a factor supporting the imposition of a significant CMP of $75,000.
Thus, in considering 45 C.F.R. § 160.408(a) through (c), which were not addressed by OCR in its proposed determination, the majority of the enumerated factors are inapplicable or weigh in favor of Respondent. See M.D. Anderson, 985 F.3d at 481 (addressing the failure to consider factors such as a lack of physical harm, lack of financial harm, lack of harm to reputation, and lack of hindrance of an individual’s ability to obtain health care tainted the decision).
Based on the foregoing discussion, a CMP of $75,000 is an appropriate CMP based on consideration of the factors at 45 C.F.R. § 160.408 as they apply to the specific facts and circumstances presented in this case.29
V. Conclusion
I uphold the violations cited under 45 C.F.R. §§ 164.524(b)(2), 164.524(c)(4), and 164.502(e). A $75,000 CMP is justified for Respondent’s violations of the Privacy Rule.
Endnotes
1 As a covered entity, Respondent transmits health information in electronic form. 45 C.F.R. § 160.103. With respect to the circumstances presented herein, Respondent transmits electronic copies of its residents’ medical records.
2 As relevant here, a designated record set is “[a] group of records maintained by or for a covered entity that is . . . [t]he medical records and billing records about individuals maintained by or for a covered health care provider.” 45 C.F.R. § 164.501.
3 The Health Information Technology for Economic and Clinical Health (HITECH) Act, Pub. L. No. 111-5, 123 Stat. 115 (2009), which was enacted on February 17, 2009, strengthened certain protections established under HIPAA, to include limiting the fees charged to provide an individual with a copy of electronic medical records. 42 U.S.C. § 17935. Following enactment of the HITECH Act, the Secretary promulgated rulemaking in January 2013 to implement that legislation. 78 Fed. Reg. 5,566 (Jan. 25, 2013).
4 Respondent did not properly mark or paginate its exhibits. See Pre-Hearing Order § 6(c). I cite the page number of the deposition testimony (R. Ex. 1), and I refer to the PDF page number when citing to Respondent’s other exhibits.
5 To the extent the conduct of the business associate is relevant to the discussion herein, I note that Respondent’s current counsel reported that Respondent’s former counsel and lead attorney for the business associate, Mr. Hill, passed away shortly after he withdrew from representation. R. Br. at 4 n.2. I had intended to address whether the imposition of a sanction would be appropriate under some of the circumstances presented herein, to include counsel’s frivolous claim that Phoenix Healthcare, LLC d/b/a Green Country Care Center was not the Respondent, which resulted in significant delay of these proceedings and the unnecessary expenditure of considerable resources by this tribunal. See 42 U.S.C. §§ 1320a-7a(a)(c)(4), 1320d-5(a)(2); 45 C.F.R. § 160.530; see also January 24, 2022 Order (outlining concerns with numerous statements by Mr. Hill). In light of Mr. Hill’s passing, a sanction would serve no useful purpose.
6 In a letter dated July 18, 2019, Respondent informed OCR that Ms. Justice, its then-administrator, was its privacy officer. OCR Ex. 22 at 1; see, e.g., OCR Ex. 44 at 1; R. Ex. 8 at 1 (identifying Ms. Justice as Respondent’s administrator).
7 The evidence indicates there was an exchange of telephone calls and/or voicemail messages between the complainant and the Secrest firm regarding whether the records could be disclosed in an electronic format for a lower cost. See OCR Exs. 3 at 2; 6 at 2; 11 at 1; 22 at 3-4; R. Ex. 1 at 173-79. The voicemails are irrelevant to the question of whether a “reasonable, cost-based fee” was charged for access to the AP’s records. Regardless of whether the Secrest firm sought $467.50 for hard copy records or $200 for electronic records, the evidentiary record does not support that Respondent charged a “reasonable, cost-based fee” for the AP’s medical records.
8 The complainant later acknowledged that “the first thing [she] did with them [the records], as soon as [she] got them, was [she] took them to [her] attorney’s office.” R. Ex. 1 at 141.
9 Respondent submitted the same affidavits as its written direct testimony. R. Exs. 2, 8.
10 Because this affidavit was previously submitted to OCR in May 2020 as a supporting exhibit to correspondence submitted on behalf of Respondent (OCR Ex. 18 at 5), I do not exclude it from the evidentiary record on the basis of relevance and materiality.
11 The evidentiary record shows that the proprietor of Phoenix Healthcare, LLC collectively reports the income of its skilled nursing facilities in a single federal tax return. See OCR Ex. 54 at 17-18; 32-33 (“Profit or Loss from Business (Sole Proprietorship)”), IRS Form Schedule C (Form 1040) (tax years 2019 and 2020).
12 Similarly, because Respondent submitted this affidavit as a supporting exhibit in support of its May 2020 correspondence, I will not exclude it on the basis of relevance and materiality. See OCR Ex. 18 at 5.
13 Although OCR filed a motion for summary judgment, it is unnecessary to rule on this motion.
14 Findings of fact and conclusions of law are in italics and bold font.
15 Inasmuch as the complainant listed her name and mailing address on the form requesting a copy of the records, it is unclear why it would be incumbent on her to pick up the requested records. OCR Ex. 7 at 1-2. I also observe that both letters from the Secrest firm outlining the required fees informed the complainant that the records would not be produced until after the requested fees were paid. OCR Exs. 9 at 1 (“Upon receipt of your check, we will start the copying process and forward a hard copy of the requested records to you.”); 13 at 1 (“Upon receipt of your check, we will start the copying process and forward a hard copy of the requested records to you.”). Because the complainant did not pay the requested fee, it is illogical to believe that the records were ready and awaiting pickup.
16 I note that this phrase is written in the conjunctive, rather than the disjunctive. And contrary to Respondent’s erroneous understanding of its obligations, merely allowing an individual to stand at the nursing station to review a chart does not satisfy a request for a copy of medical records. See R. Br. at 12 (“[The complainant] was allowed the opportunity to review the AP’s nursing home chart at [the facility] on two separate occasions . . . . However, [the complainant] refused because she did not have time to stand at the nurses desk to review the documents and ‘really just wanted to get copies of it.’”).
17 I reiterate that OCR determined that the violation began 30 days after April 30, 2019, rather than 30 days after the complainant submitted the form requesting a copy of the records. OCR Ex. 21 at 7.
18 Respondent makes the factually erroneous claim that “OCR solely dealt with Mr. Hill, and the Secrest firm, not any individual at GCCC or individual associated with Respondent besides its legal counsel.” R. Br. at 16. OCR directed its April 30, 2019 letter to Respondent’s privacy officer, who was Ms. Justice. OCR Ex. 10 at 1; see OCR Ex. 22 at 1 (Respondent’s July 18, 2019 report that “GCCC’s privacy officer is [Ms.] Justice, and she has been designated in that position since June 25, 2018.”). OCR once again directed correspondence to Respondent’s privacy officer on June 25, 2019, at which time it notified Ms. Justice that it had opened an investigation. OCR Exs. 10 at 1; 12 at 1.
19 Although OCR and its witness address the “reasonable, cost-based fee” for both hard copy and electronic copies of the AP’s medical records, I limit discussion herein to the electronic copy because OCR based the cited single-day violation on Respondent’s July 1, 2019, request for $200 for an electronic copy of the AP’s record. OCR Ex. 21 at 7; see OCR Ex. 13 at 1.
20 To the extent Respondent argues that it was not informed of what a reasonable fee would be, such a claim is immaterial here. See R. Br. at 15. Respondent admits it charged a per-page fee allowed under state law and has never alleged that this per-page fee represents its actual costs. Respondent offers no authority requiring OCR to inform it of what the reasonable fee would be, which is understandable because there is no such statutory or regulatory requirement for OCR to make such an individualized fee determination for a covered entity.
21 Respondent and the Secrest firm entered into a business associate agreement the same day that the Secrest firm responded to OCR’s additional data request on September 20, 2019. OCR Ex. 24.
22 Respondent does not offer any evidence reflecting the actual date it claims to have entered into an oral agreement with its business associate. Nor did Respondent outline the terms of the longstanding oral agreement.
23 I additionally observe that this claim is inconsistent with the evidence of record. On July 18, 2019, Respondent, through the Secrest firm, refused to provide a copy of a written business associate agreement in response to OCR’s June 25, 2019 request for a copy of the business associate agreement. OCR Exs. 12 at 9; 22 at 2.
24 Based on a statutory cap of $100,000 per year, OCR determined that Respondent was liable for a $500,000 CMP for its failure to have a written business associate agreement. OCR Ex. 21 at 9, 12.
25 In fact, had the complainant opted to promptly pay the $200 requested on July 1, 2019, in order to quickly obtain access to the requested medical records, the duration of the CMP may have been shortened by many months, as Respondent would have provided access prior to January 30, 2020. See OCR Ex. 15 at 1.
26 I note that OCR filed a 30-page brief with its pre-hearing exchange. OCR devoted less than two pages of its brief to its argument that the CMP is justified. OCR Br. at 28-29. This is consistent with the notice of proposed determination, which devoted only several sentences out of a 10-page letter to justify the CMP based on the specific factors outlined in 45 C.F.R. § 164.408. OCR Ex. 21 at 8-9.
27 OCR, for the first time in its brief, cited the factors at 45 C.F.R. § 160.408(b)(4) and (c)(3) as weighing in favor of the proposed CMP. OCR Br. at 28-29. OCR did not address, in either its proposed determination or its brief, how it evaluated obvious favorable or mitigating factors.
28 To the extent the complainant filed two complaints, I note that the complaints were filed weeks apart in consecutive months. OCR Exs. 4, 5; see R. Ex. 1 at 204 (complainant’s deposition testimony that she did not recall whether she had filed a second OCR complaint, and explanation that “I may have, just because — maybe I didn't do something right on the first one, so I had to resubmit it.”).
29 I do not make any findings that the Secrest firm, as a business associate, violated any provision of the Privacy Rule; such questions are not within the scope of my review. Nonetheless, I recognize that the Secrest firm claimed that it “provides all manner of legal services to [GCCC], including litigation defense, assistance with policy development, assistance with employment issues, assistance with receivership administration, and virtually any legal assistance that is sought.” OCR Ex. 24. Although Respondent cannot evade liability by casting blame on its business associate, I acknowledge that the Secrest firm squandered opportunities to help its client and business associate avoid liability under HIPAA. For example, rather than immediately entering into a written business agreement following OCR’s June 25, 2019 request for a copy of a written business agreement, Mr. Hill invoked “attorney-client privilege” and ultimately did not enter into a written business agreement with Respondent until September 20, 2019. OCR Ex. 22 at 2; see OCR Exs. 12 at 9; 24 at 3-8.
Leslie C. Rogall
Administrative Law Judge