Department of Health and Human Services
DEPARTMENTAL APPEALS BOARD
Civil Remedies Division
Director of the Office for Civil Rights
v.
Gums Dental Care, LLC.
Docket No. C-22-747
Decision No. CR6367
DECISION
Respondent is Gums Dental Care, LLC, a solo dental practice owned and operated by Anna Gumbs, DMD, in Silver Spring, Maryland. The complainant and affected party (AP) in this case requested a copy of her and her three children’s dental records on June 26, 2019.1 Respondent did not provide the requested records until May 17, 2022, when it made the records available via Dropbox.2
In response to a complaint filed by the AP on August 2, 2019, the Director of the Office for Civil Rights (OCR) initiated an investigation that determined Respondent, as a covered entity pursuant to 45 C.F.R. § 160.103, violated the Privacy Rule (45 C.F.R. pts. 160, 164, subpts. A, E) under the Health Insurance Portability and Accountability Act of
1996 (HIPAA) by failing to provide timely access to the designated record set3 as required by 45 C.F.R. § 164.524(b)(2). OCR determined Respondent violated the Privacy Rule at the penalty tier of willful neglect (a conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated). OCR determined the violation began on August 26, 2019, and continued through March 29, 2022, the date of the Notice of Proposed Determination (NPD). OCR calculated the total civil monetary penalty (CMP) for which Respondent was liable, at $7,676,692, but proposed a reduced CMP of $70,000 based on its evaluation of the factors listed in 45 C.F.R. § 160.408. Respondent, through counsel, filed a timely hearing request challenging OCR’s determination and proposed CMP.
For the reasons stated below, I uphold OCR’s determination that Respondent committed the aforementioned violation of 45 C.F.R. § 164.524(b)(2), that the violation occurred at the willful neglect tier, and that the violation occurred from August 26, 2019, through March 29, 2022. Based on an evaluation of the factors listed at 45 C.F.R. § 160.408, I conclude a CMP of $70,000 is justified.
I. Background and Procedural History
On August 2, 2019, the AP, a patient of Respondent, filed a HIPAA complaint with OCR alleging that Respondent failed to provide AP with access to her and her children’s dental records despite three requests. See OCR Ex. 5. On September 5, 2019, OCR initiated an investigation into the alleged violation. OCR Ex. 6. Upon completion of its investigation, OCR issued an NPD to Respondent on March 29, 2022, in which it determined that Respondent violated 45 C.F.R. § 164.524(b)(2) by failing to provide AP access to medical records and proposed a CMP of $70,000 against Respondent. DAB E-File docket entry No. 1a (NPD) at 1, 6, 9.4 OCR determined that Respondent was subject to a CMP because it did not provide the complainant with the records in a timely manner in violation of 45 C.F.R. § 164.524(b)(2), and the violation was at the willful neglect level for 1,028 days from August 26, 2019, through March 29, 2022. NPD at 6-7. OCR proposed a daily CMP amount of $63,973. NPD at 8. OCR explained that because Respondent “is a solo practitioner dental provider that serves an urban and suburban
community[,] . . . [t]he imposition of the maximum CMP5 would likely impact the ability of Gums Dental to provide dental care to its service area.” NPD at 8. “Additionally, given the potential impact of the COVID-19 public health emergency on [Respondent] . . . . ,” OCR proposed a reduced CMP of $70,000. NPD at 8. Finally, OCR determined there was no basis for waiver of the proposed CMP. NPD at 8.
By letter dated May 31, 2022, Respondent’s counsel submitted a request for an administrative law judge (ALJ) hearing, which was received by the Civil Remedies Division on August 25, 2022. DAB E-File docket entry No. 1 (Request for Hearing (RFH)). The RFH concedes that Respondent is a covered entity and is required to comply with the requirements of the Privacy, Security and Breach Notification Rules. RFH at 1 ¶ 1 (admitting the findings of fact in DAB E-File docket entry No. 1a at 2-3 ¶ 1 (NPD at 2-3 ¶ 1)). The RFH contended Respondent did not receive some of the letters from OCR, did not refuse to produce the records, and that Respondent attempted to obtain an updated address from the AP to mail hard copies of the records because Respondent did not feel comfortable emailing them to the AP. RFH at 2-3 ¶¶ 4, 6-9, 14-15, 18, 20-28. The RFH did not address the proposed CMP, but requested a hearing on the matter concerning the March 29, 2022 NPD. See RFH.
The Civil Remedies Division assigned this case to a different ALJ and issued the ALJ’s standing pre-hearing order (PHO) on August 29, 2022. On September 19, 2022, the prior ALJ held a pre-hearing conference, after which an Order Summarizing Pre-Hearing Conference (Summary Order) was issued. The Summary Order set a schedule for both discovery and the filing of pre-hearing exchanges. Summary Order at 1-2.
On January 3, 2023, OCR filed a motion to compel Respondent’s discovery responses. On January 19, 2023, the prior ALJ issued an order directing Respondent to produce discovery and extending the pre-hearing exchange deadlines. On February 13, 2023, this case was reassigned to me.
On March 7, 2023, OCR filed a renewed motion to compel Respondent’s discovery responses. On March 7, 2023, I issued an order directing Respondent to respond to the renewed motion to compel and to show cause for failure to comply with the January 19, 2023, order directing Respondent to produce discovery. On March 17, 2023, Respondent filed an opposition to OCR’s motion to compel discovery responses and a response to the order to show cause. On March 21, 2023, OCR filed a motion to extend the pre-hearing exchange deadlines. On March 23, 2023, I issued an order denying OCR’s renewed motion to compel and discharging the March 7, 2023, order to show cause. On April 3, 2023, after OCR supplemented its motion to extend the pre-hearing exchange deadlines, I issued an order granting OCR’s motion for extension and amending the pre-hearing exchange deadlines.
OCR filed its pre-hearing exchange, including a combined motion for summary judgment and pre-hearing brief (OCR Br.) and 21 proposed exhibits (OCR Exs. 1-21), on June 2, 2023. Respondent filed its pre-hearing exchange, including an opposition to OCR’s motion for summary judgment and pre-hearing brief (R. Br.) and 11 proposed exhibits, on July 7, 2023. Neither party proposed any witnesses or submitted any written direct witness testimony.
On July 10, 2023, I rejected Respondent’s exhibits as duplicative of OCR’s exhibits and directed Respondent to file a key which cross-references the exhibits cited in Respondent’s Pre-Hearing Exchange and Opposition to Motion for Summary Judgment brief, using OCR’s exhibit numbers. On July 11, 2023, OCR filed a request to extend its deadline to file a reply to Respondent’s pre-hearing exchange, which I granted.
On July 19, 2023, Respondent filed a key for exhibits previously submitted by OCR, and filed a new proposed exhibit 11 (R. Ex. 11). On August 2, 2023, OCR filed a reply brief (OCR Reply).
Absent objections to the proposed exhibits, I admit OCR Exs. 1-21 and R. Ex. 11 into the administrative record. See PHO at ¶¶ 5(h) (“Respondent will also state any objections to
OCR’s exhibits and whether it wants to cross-examine any of the witnesses for whom OCR submitted written direct testimony.”); 5(i) (“OCR will also state any objections to Respondent’s exhibits and whether it wants to cross-examine any of the witnesses for whom Respondent submitted written direct testimony.”).
The evidentiary record is closed. Neither pre-hearing exchange included any written direct testimony or proposed witnesses. As a result, an in-person hearing is unnecessary. See PHO at ¶¶ 9 (“With the exception of proposed expert witness testimony (45 C.F.R. § 160.538(b)), it will be unnecessary to conduct a live hearing in this case unless a party files admissible, written direct testimony, and the opposing party asks to cross-examine one or more witnesses.”); 10 (“An in-person hearing will be necessary only if a party files admissible, written direct testimony, and the opposing party asks to cross-examine the witness(es).”). I will decide this case on the merits.6
II. Issues
- Whether Respondent violated 45 C.F.R. § 164.524(b)(2) from August 26, 2019, through March 29, 2022, and if so, whether the violation occurred at the willful neglect penalty tier.
- Whether a $70,000 CMP is justified.
III. Jurisdiction
I have jurisdiction to decide this case. 45 C.F.R. § 160.504.
IV. Findings of Fact
On April 5, 2019, the AP requested access to her children’s protected health information (PHI). OCR Ex. 2 at 1. On April 8, 2019, Respondent emailed the AP the number of times each of the AP’s children had visited the office from 2016 to 2019. See OCR Ex. 1. The AP replied and requested that Respondent send her the specific dates her children were treated by Respondent. Id. The AP filed a HIPAA complaint with OCR on May 1, 2019, alleging that Respondent failed to provide her with the requested information. See OCR Ex. 2. OCR closed the case on May 7, 2019, by issuing a letter to Respondent, which provided technical assistance in the form of a review of Respondent’s obligations under the Privacy Rule, and a reminder to Respondent of the requirement to timely act on an individual’s right of access request. See OCR Ex. 3.
On June 26, 2019, the AP made a second request to Respondent via email for copies of her and her children’s dental records. See OCR Exs. 4, 11 at 6. In her email request, the AP provided her mailing address and said she would alternatively accept the records via email. Id. When she did not receive the records, the AP filed a second complaint with OCR on August 2, 2019. See OCR Ex. 5. On August 26, 2019, the AP made a third request via email to Respondent for copies of her and her children’s dental records. See OCR Ex. 11 at 7. Respondent did not respond to this request.
On September 5, 2019, OCR notified Respondent in writing that it was initiating an investigation of the August 2, 2019, complaint and issued a data request letter, requesting a response within 30 days. See OCR Ex. 6; NPD at 3-4 ¶ 10; RFH at 2 ¶ 10. Respondent did not respond to the data request letter. See NPD at 4 ¶ 12; RFH at 2 ¶ 12. OCR followed up on Respondent’s failure to respond to the data request by leaving a voicemail on October 8, 2019. See NPD at 4 ¶ 13; RFH at 2 ¶ 13. On October 31, 2019, OCR spoke with Dr. Gumbs and reminded her that Respondent had neither responded to OCR’s data request nor provided the AP with the requested records. See NPD at 4 ¶ 13; RFH at 2 ¶ 13; OCR Ex. 7. Respondent advised OCR that she did not intend to provide the AP with the requested records. OCR Ex. 7.
On November 7, 2019, after not receiving a response to its data request, OCR sent another copy of its data request via certified mail. See NPD at 4 ¶ 14; RFH at 2 ¶ 14; OCR Exs. 8, 9. Respondent did not respond to this data request. See NPD at 4 ¶ 15; RFH at 3 ¶ 15.
On October 1, 2020, OCR sent Respondent a letter notifying it that OCR had determined, based on its investigation, that Respondent violated the Privacy Rule. OCR offered Respondent a proposed resolution agreement and corrective action plan (RA/CAP) to informally resolve the violation. See OCR Ex. 10; NPD at 4 ¶ 19; RFH at 3 ¶ 19. On October 22, 2020, Dr. Gumbs responded to OCR’s letter containing the proposed RA/CAP. See OCR Ex. 11 at 2; NPD at 4-5 ¶ 20; RFH at 3 ¶ 20. In that response, she asserted that the AP refused to pay a $25 fee to have the records copied and mailed “securely” to the AP. OCR Ex. 11 at 2. Respondent did not agree to the proposed RA/CAP, nor did anyone for Respondent attempt to negotiate the RA/CAP.
On November 9, 2020, Dr. Gumbs wrote to OCR stating that she believed the AP was planning to use the requested records to commit insurance fraud. See OCR Ex. 12; NPD at 5 ¶ 22; RFH at 3 ¶ 22. Dr. Gumbs further stated that Respondent was requiring AP to pay a “$25 administrative fee . . . to forward all of the records to her securely” and that she believed the AP had filed a false claim. OCR Ex. 12.
On December 8, 2020, OCR issued a Letter of Opportunity (LOO) informing Respondent that OCR’s investigation found a preliminary indication of noncompliance with the HIPAA Privacy Rule’s right of access provisions. See OCR Ex. 13; NPD at 5 ¶ 24; RFH
at 3 ¶ 24. OCR gave Respondent an opportunity to submit written evidence of any mitigating factors for OCR to consider in determining a CMP under 45 C.F.R. § 160.408, affirmative defenses under 45 C.F.R. § 160.410, or written evidence to support a waiver of a CMP under 45 C.F.R. § 160.412. OCR Ex. 13. The LOO was delivered to Respondent via certified mail on December 24, 2020, and was also sent via email on December 9, 2020. See OCR Exs. 13, 14, 15; NPD at 5-6 ¶ 25; RFH at 3 ¶ 25.
On January 4, 2021, Dr. Gumbs confirmed she had received the LOO. See OCR Ex. 16; NPD at 6 ¶ 26; RFH at 3 ¶ 26. In the letter, Dr. Gumbs reiterated the insurance fraud allegation articulated in her November 9th letter. OCR Ex. 16 at 1. Dr. Gumbs further stated that even though OCR advised her that was not a permissible reason to deny a request for PHI, Dr. Gumbs “did not agree with that.” Id. Dr. Gumbs wrote that if patients “request their information correctly it is given to them promptly. At the same time, we will not agree to provide information that we are told is going to be used inappropriately.” Id. at 2. Dr. Gumbs further asserted that the AP requested the records be emailed but that she would not send the AP the records by email because Respondent did not have a “secure website where patients can access their records securely.” Id. Dr. Gumbs concluded that the AP could “call and make arrangements to pick up her records and the records of her minor children or she can send Twenty five [sic] dollars ($25.00) and an updated address and we will send them via Certified Mail or Fedex.” Id.
As a health care provider who transmits health information in electronic form, Respondent was a “covered entity” as defined by 45 C.F.R. § 160.103. As a covered entity, 45 C.F.R. § 164.524(b)(2)(i) required Respondent to act on a request for access no later than 30 days after receipt of the request.
The AP requested a copy of her and her children’s records on June 26, 2019. OCR Ex. 4. Respondent did not provide the requested records until May 17, 2022, when it made the records available via Dropbox. OCR Ex. 19.
V. Analysis and Conclusions of Law
- The HIPAA Privacy Rule requires covered entities to give individuals access to their PHI.
HIPAA, Pub. L. No. 104-191, 110 Stat. 1936 (1996), was enacted on August 21, 1996.7 Title II of HIPAA establishes Administrative Simplification rules for improving the
efficiency and effectiveness of the health care system by creating privacy rights and protections for using, disclosing, and safeguarding PHI.8 HIPAA §§ 261, 264. Pursuant to HIPAA, the Secretary of Health and Human Services (Secretary) promulgated several regulations known as the Privacy Rule (45 C.F.R. pts. 160, 164, subpts. A, E), Security Rule (45 C.F.R. pts. 160, 164, subpts. A, C), Breach Notification Rule (45 C.F.R. pt. 164, subpt. D), and Enforcement Rule (45 C.F.R. pts. 160, 164, subpts. C, D, E). The Privacy Rule establishes standards for the permitted use and disclosure of PHI, including an individual’s right to access one’s PHI. The Security Rule establishes standards for the administrative, physical, and technical security of electronic PHI. The Enforcement Rule establishes procedures for the investigation of HIPAA complaints, administrative adjudication of violations, and imposition of CMPs for HIPAA violations. OCR has enforcement authority over the HIPAA rules. 65 Fed. Reg. 82,239, 82,381 (Office for Civil Rights; Statement of Delegation of Authority) (Dec. 28, 2000).
As relevant here, 45 C.F.R. § 164.524(a)(1) of the Privacy Rule establishes, with limited exceptions, that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set . . .” See also 45 C.F.R. § 164.524(c)(1). Moreover, the “covered entity must act on a request for access no later than 30 days after receipt of the request.” 45 C.F.R. § 164.524(b)(2)(i). The covered entity must provide “the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; . . . and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual.” 45 C.F.R. § 164.524(c)(2)(i)-(ii). If the individual agrees, the covered entity may provide a summary of the PHI in lieu of providing access to the PHI. 45 C.F.R. § 164.524(c)(2)(iii). Finally, a “covered entity may impose a reasonable, cost-based fee . . .,” including the cost of labor for copying, supplies, postage, or preparing a summary in lieu of access to PHI. 45 C.F.R. § 164.524(c)(4).
Under the HIPAA regulatory scheme, any person who believes a “covered entity”9 or its “business associate”10 is not in compliance with HIPAA rules may file a complaint with OCR. 45 C.F.R. § 160.306(a). OCR will investigate a complaint if it meets filing requirements and, upon preliminary review, indicates that a possible violation has occurred due to willful neglect. 45 C.F.R. § 160.306(b), (c)(1). If OCR declines to investigate the HIPAA complaint, it will notify the person who filed the complaint (called a “complainant”) and close the case.
If OCR decides to investigate the complaint, the covered entity or business associate must cooperate with OCR by providing records, reports, and access to its premises for OCR to determine whether it is complying with the HIPAA rules. 45 C.F.R. § 160.310. At the conclusion of the investigation, OCR will determine if a HIPAA violation occurred and whether further action is warranted. If OCR finds no violation and determines that no further action is warranted, it will notify the covered entity or business associate and the complainant. 45 C.F.R. § 160.312(b). If OCR finds a violation, it may resolve the matter informally, which may include a corrective action plan or other informal agreement with the covered entity or business associate, or through a formal enforcement action, which may include the imposition of a CMP. 45 C.F.R. § 160.312(a). If OCR decides to impose a CMP, it will inform the covered entity or business associate in a notice of proposed determination, which will explain the basis for the CMP and Respondent’s right to request an ALJ hearing. 45 C.F.R. §§ 160.312(a)(3)(ii), 160.420(a).
In a hearing before the ALJ to contest the determination of a violation and the imposition of a CMP, Respondent has the burden of persuasion regarding affirmative defenses, challenges to the CMP amount, any mitigating factors, any waiver arguments, and compliance with the HIPAA Breach Notification Rule. 45 C.F.R. § 160.534(b)(1). OCR has the burden of persuasion with respect to the remaining issues, including issues of liability and the existence of any factors considered aggravating factors in determining the amount of the CMP. 45 C.F.R. § 160.534(b)(2). The ALJ must issue a decision based only on the record and may affirm, increase, or reduce the penalties imposed by OCR. 45 C.F.R. § 160.546.
- Respondent violated 45 C.F.R. § 164.524(b)(2) when it failed to timely act on the AP’s request for her and her children’s PHI.
In its NPD, OCR determined that Respondent violated 45 C.F.R. § 164.524(b)(2) beginning on August 26, 2019, which was 60 days after the AP requested a copy of her and her children’s records (OCR Ex. 4) and the date of the AP’s third request for copies of her and her children’s dental records (OCR Ex. 11 at 7). NPD at 6-7.
Pursuant to 45 C.F.R. § 164.524(b)(2)(i), a covered entity “must act on a request for access no later than 30 days after receipt of the request” as listed below:
(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested . . . .
(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial . . . .
The time period for taking action on a request for access to PHI may be extended once, for up to 30 additional days, provided that the covered entity notifies the individual in writing and provides the reasons for the delay and the date when it will complete its action on the access request. 45 C.F.R. § 164.524(b)(2)(ii). An individual or an individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) has the right to access the individual’s PHI, maintained by a covered entity in a designated record set, for as long as the PHI is maintained in the designated record set (e.g., medical or billing records). 45 C.F.R. §§ 164.502(g) and 164.524(a)(1).
The evidence of record establishes that Respondent did not act timely on the AP’s request to access PHI. The AP requested a copy of her and her children’s treatment records on June 26, 2019. OCR Ex. 4. In her email request, the AP provided her mailing address and said she would accept the records via email. Id. It is undisputed that Respondent is a covered entity required to comply with the right of access provisions of the Privacy Rule. RFH at 1 ¶ 1 (Respondent admitting that it is a covered entity and required to comply with the Privacy Rule, among others). It is also undisputed that Respondent did not provide the requested documents or a written denial to the AP within 30 days of receiving her request, i.e., by July 26, 2019. When she did not receive the records, the AP filed a complaint with OCR on August 2, 2019. OCR Ex. 5. On August 26, 2019, the AP made another written request via email to Respondent for copies of her and her children’s dental records. See OCR Ex. 11 at 7. Respondent did not respond to this request. Respondent has not argued that it was entitled to an extension under 45 C.F.R.
§ 164.524(b)(2)(ii) and has not submitted any evidence that it notified the AP of a permissible delay in responding to her access request.
OCR notified Respondent that it was investigating the AP’s complaint regarding her and her children’s treatment records in writing on September 5, 2019 (OCR Ex. 6); by voicemail on October 8, 2019 (NPD at 4 ¶ 13; RFH at 2 ¶ 13); by telephone on October 31, 2019 (Id.; OCR Ex. 7); in writing via certified mail on November 7, 2019 (OCR Exs. 8, 9; NPD at 4 ¶ 14; RFH at 2 ¶ 14); in writing on October 1, 2020 (OCR Ex. 10; NPD at 4 ¶ 19; RFH at 3 ¶ 19); and in writing on December 8, 2020 (OCR Exs. 13, 14, 15; NPD at 5 ¶ 24; RFH at 3 ¶ 24). Between the letters, voicemail, telephone call, proposed RA/CAP, and LOO from OCR, Respondent did not provide the AP with copies of the requested records or issue a denial to permit the AP to seek further review. Through Dr. Gumbs, Respondent either did not respond to OCR’s communications, advised OCR that Respondent did not intend to provide the AP with the requested records (OCR Ex. 7), or conceded that Respondent had not provided the AP with the requested records (OCR Exs. 11, 12, 16). Even after being advised that OCR’s investigation found a preliminary indication of noncompliance with the Privacy Rule (OCR Ex. 13), Respondent still refused to send the AP’s records to the requested email or to send mailed copies of the records until the AP made additional arrangements (OCR Ex. 16). Respondent did not provide the AP with the requested treatment records until May 17, 2022, when it made the records available via Dropbox (OCR Ex. 19). This was nearly three years after the AP’s June 26, 2019, request and nearly two months after OCR issued its March 29, 2022, NPD imposing a CMP and finding Respondent willfully neglected the Privacy Rule’s requirements.
Respondent argues that it did not refuse access to the records. Rather, it contends that Dr. Gumbs called the AP in order to determine the best way to get the records to the AP and to inform the AP that a $25 fee was required, but the AP did not respond and simply failed to take the necessary action (e.g., pay the requested $25 fee and pick up the records or provide an updated address for Respondent to mail the records).11 R. Br. at 2-4. Respondent did not provide any legal support for its argument that, after submitting a
written request for treatment records, the burden was on the AP to ensure Respondent provided the requested access. Similarly, Respondent did not provide any legal authority that the Departmental Appeals Board has recognized lack of patient follow-through as a defense to a covered entity’s obligations to provide access to the treatment records. Respondent also failed to provide any credible evidence that it timely granted the AP’s request. It did not submit any correspondence, telephone logs, invoices, or other documents to corroborate its claim that it attempted to communicate with the AP or otherwise responded to the AP’s June 26, 2019, records request within 30 days. Indeed, Respondent admits that it did not provide the AP with the requested treatment records until May 17, 2022. R. Br. at 4.
Based on the evidence of record, I conclude that Respondent violated 45 C.F.R. § 164.524(b)(2) when it failed to act within 30 days on the AP’s request for access to her and her children’s PHI.
- Respondent’s violation of 45 C.F.R. § 164.524(b)(2) occurred from August 26, 2019, through March 29, 2022, at the willful neglect tier.
“Willful Neglect” is the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 C.F.R. § 160.401. In assessing the level of Respondent’s culpability, OCR determined that Respondent acted with willful neglect in violating 45 C.F.R. § 164.524(b)(2) from August 26, 2019, through March 29, 2022. NPD at 7-9. I agree.
The facts and circumstances in the record establish willful neglect. The AP previously requested the frequency of visits for her children on April 5, 2019. OCR Ex. 2 at 1. On April 8, 2019, Respondent emailed the AP the number of times each of the AP’s children had visited the office from 2016 to 2019. See OCR Ex. 1. The AP replied and requested that Respondent send her the specific dates her children were treated by Respondent. Id.; OCR Ex. 16 at 1. When Respondent failed to provide the requested information, the AP filed a HIPAA complaint with OCR on May 1, 2019. See OCR Ex. 2. On May 7, 2019, OCR sent Respondent a technical assistance letter which specifically informed Respondent of its obligation to comply with 45 C.F.R. § 164.524, including the requirement to act on a request for access no later than 30 days after receipt of the request and no later than 60 days in certain circumstances. OCR Ex. 3 at 1-2. The technical assistance letter also informed Respondent of the permissible cost-based fee calculations. Id. at 2-3.
Despite receiving technical assistance from OCR and multiple requests from the AP12, Respondent failed to provide the AP access over a protracted period of time – from AP’s
request on June 26, 2019, until the records were sent via Dropbox on May 17, 2022. OCR Exs. 4, 19. Based on the AP’s August 2, 2019, complaint, OCR initiated a formal investigation of the AP’s records request. On September 5, 2019, OCR notified Respondent in writing of the investigation and issued a data request letter, requesting a response within 30 days. OCR Ex. 6. OCR followed up on Respondent’s failure to respond to the data request by leaving a voicemail on October 8, 2019, and sending a certified letter dated November 7, 2019. NPD at 4 ¶ 14; OCR Ex. 8. Not only did Respondent fail to initially cooperate with the investigation and respond to the data request, as required by 45 C.F.R. § 160.310(b), but it also failed to provide the treatment records to the AP.
Moreover, the evidence of record shows that Respondent, through Dr. Gumbs, actively refused to provide the requested records. During an October 31, 2019, telephone call, the OCR investigator asked Dr. Gumbs whether she had provided the requested records to the AP, and Dr. Gumbs responded that she “was sick of [the AP] and that she was not going to do anything.” OCR Ex. 7. On October 1, 2020, OCR sent Respondent a letter notifying it that OCR had determined, based on its investigation, that Respondent violated the Privacy Rule. OCR Ex. 10. OCR offered Respondent a proposed resolution agreement and corrective action plan (RA/CAP) to informally resolve the violation. Id. In an October 22, 2020, letter from Dr. Gumbs, she conceded that the records had not been copied yet to be sent to the AP. OCR Ex. 11 at 2. The communication to OCR also indicates that Respondent conditioned access to the treatment records upon receipt of a $25 fee,13 but Respondent failed to provide any corroborating evidence that it communicated that contingency to the AP. Id. Respondent did not agree to the proposed RA/CAP, nor did anyone attempt to negotiate the RA/CAP on behalf of Respondent.14 On November 9, 2020, Dr. Gumbs wrote to OCR stating that she believed the AP was planning to use the requested records to commit insurance fraud and any information given to her should not be used to file any claim forms. See OCR Ex. 12. Dr. Gumbs further stated that Respondent was requiring AP to pay a “$25 administrative fee . . . to forward all of the records to her securely, which remains unpaid, to date.” Id.
On December 8, 2020, OCR issued a Letter of Opportunity (LOO) informing Respondent that OCR’s investigation found a preliminary indication of noncompliance with the HIPAA Privacy Rule’s right of access provisions. See OCR Ex. 13. OCR gave Respondent an opportunity to submit written evidence of any mitigating factors for OCR to consider in determining a CMP under 45 C.F.R. § 160.408, affirmative defenses under 45 C.F.R. § 160.410, or written evidence to support a waiver of a CMP pursuant to 45 C.F.R. § 160.412. Id. The LOO was delivered to Respondent via certified mail on December 24, 2020, and also was sent via email on December 9, 2020. OCR Exs. 13, 14, 15.
In a January 4, 2021, letter from Dr. Gumbs to OCR, Respondent confirmed it had received the LOO and conceded that the records still had not been provided to the AP, stated that it would not provide the requested records because it believed the AP would use them to commit insurance fraud, and it was uncomfortable emailing the records, as the AP requested. OCR Ex. 16 at 1-2. Dr. Gumbs further asserted that the AP requested the records be emailed but that Respondent would not send the AP the records by email because Respondent did not have a “secure website where patients can access their records securely.” Id. at 2. Dr. Gumbs wrote that if a patient “request[s] their information correctly it is given to them promptly. At the same time, we will not agree to provide information that we are told is going to be used inappropriately.” Id. at 2. Dr. Gumbs further stated that even though OCR informed her that this was not a permissible reason to deny a request for PHI, Dr. Gumbs “did not agree with that.” Id. at 1. Although Dr. Gumbs indicated that it sent the AP a letter by certified mail in October 2020, which was not delivered as “Addressee Unknown,” she did not suggest that letter enclosed the AP’s requested treatment records or produce a copy of the letter or tracking report to substantiate its claim that it attempted to contact the AP about her request. Id. at 2. Instead, Dr. Gumbs asked for the AP to call and make arrangements for hard copies of the records after paying the fee. Id.
Respondent concedes the AP made the request for the treatment records in June of 2019 via email. See R. Br. at 7-8; OCR Ex. 4. Respondent first argues it never received the May 7, 2019, technical assistance letter from OCR. R. Br. at 3 (citing RFH at ¶¶ 6-7). However, Respondent then argues that since the AP sent harassing emails, since it was concerned the AP was going to commit insurance fraud, and since OCR had just closed the AP’s initial complaint, OCR should have determined the violation occurred at the reasonable cause or reasonable diligence tier. R. Br. at 7-8. Respondent concedes receiving the December 8, 2020, LOO, which was mailed to the same address as the May 7, 2019, technical assistance letter. R. Br. at 4; compare OCR Ex. 3 with OCR Ex. 13. Respondent did not provide any evidence that it acted on the AP’s request for access to the PHI within 30 days, or that it qualified for an extension of the 30-day requirement. To the contrary, Respondent continued to argue impermissible grounds for refusing to provide the AP with the requested records, in violation of 45 C.F.R. § 164.524(b)(2).
Respondent alleges that it advised OCR consistently of its contention that the AP was going to use the records to commit insurance fraud (R. Br. at 7), but does not address why it did not use that as a basis to issue a written denial of the AP’s request within 30 days of receipt. See generally, R. Br.
As noted above, Respondent refused to provide access to the AP’s and her children’s PHI until nearly two months after receiving OCR’s NPD, which was nearly three years after the AP’s first request for the records. Not only did Respondent refuse access to the AP’s and her children’s PHI, but Dr. Gumbs then refused to treat another patient because of their relationship with the AP. See OCR Exs. 20, 21 (According to notes from OCR’s September 22, 2020, and July 6, 2021, telephone calls with the AP, the AP informed the OCR investigator that Dr. Gumbs refused to schedule an appointment with the AP’s husband due to the AP’s complaint to OCR and the subsequent investigation). Respondent has not denied this allegation and its actions implicate 45 C.F.R. § 160.316, which prohibits a covered entity from threatening, intimidating, coercing, harassing, discriminating against, or taking any other retaliatory action against any individual or other person for filing a HIPAA complaint or participating in an investigation.
Through Dr. Gumbs, Respondent demonstrated a conscious, intentional failure, or reckless indifference to its obligation to comply with the administrative simplification provision violated. 45 C.F.R. § 160.401. OCR advised Respondent of its requirement to comply with the Privacy Rule in May of 2019, after the AP’s first complaint regarding PHI access. Respondent admits the AP made a written request for the treatment records and provided a mailing address in June of 2019.
As early as September 5, 2019, Respondent was specifically advised that the failure to provide copies of the treatment records could constitute a violation of 45 C.F.R. § 164.524(c) regarding access to medical records. OCR Ex. 6 at 1. Respondent was asked to contact OCR to resolve the AP’s complaint and to remediate any PHI access issues without the need for a formal investigation. Id. at 2. Respondent was warned that a finding that it violated the Privacy Rule could result in an enforcement action, including the imposition of CMPs. Id. Respondent was reminded on November 7, 2019, of its obligation to follow the Privacy Rule and that OCR was investigating a potential violation of the same. OCR Ex. 8. Nearly one year later, on October 1, 2020, OCR advised Respondent that it had determined a violation occurred, offered Respondent a chance to resolve the PHI access issues, and warned Respondent that the full amount of the potential CMP that may be imposed in a formal enforcement action by OCR could be much higher. OCR Ex. 10. On December 8, 2020, OCR requested Respondent send evidence of any mitigating factors, affirmative defenses, or a waiver for its consideration in setting a CMP. OCR Ex. 13. After several attempts over fifteen months to resolve the violation and/or to negotiate a reduced CMP, OCR issued the NPD on March 29, 2022. NPD. On May 17, 2022, after a $70,000 CMP was proposed, Respondent finally provided access to the requested records via Dropbox. OCR Ex. 19.
Contrary to Respondent’s assertion, this is not a case of “either reasonable cause or reasonable diligence.” R. Br. at 8. OCR notified Respondent that it was investigating the AP’s new complaint regarding her and her children’s treatment records in writing on September 5, 2019; by voicemail on October 8, 2019; by telephone on October 31, 2019; in writing via certified mail on November 7, 2019; in writing on October 1, 2020; and in writing on December 8, 2020. Respondent had direct knowledge that its actions were possibly in violation of the law and had triggered an OCR investigation. OCR offered multiple opportunities for informal resolution, but Respondent still made no effort to ensure compliance with the HIPAA Privacy Rule. Respondent never acted on the AP’s written request for access to the treatment records until after receiving the NPD. Respondent did not even timely deny the AP’s request in writing, so the AP could request further review. Such conduct amounts to reckless indifference to its obligation to comply with the Privacy Rule. Thus, the “did not know” or “would not have known” tiers could not have applied here.
- A $70,000 CMP is justified for Respondent’s willful neglect of 45 C.F.R. § 164.524(b)(2).
OCR is authorized to impose a CMP on a covered entity if it determines the covered entity has violated the Privacy Rule. 45 C.F.R. § 160.402. The amount of a CMP is determined by the covered entity’s level of culpability and the extent and timing of corrective actions, if any, and the CMP is adjusted annually for inflation. The culpability tiers range from situations where the covered entity “did not know and, by exercising reasonable diligence, would not have known” of the violation, to situations where the violation was due to “reasonable cause and not to willful neglect,” and to situations involving “willful neglect.” 45 C.F.R. § 160.404. “Reasonable cause” is “an act or omission in which a covered entity . . . knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity . . . did not act with willful neglect.” 45 C.F.R. § 160.401. “In the case of continuing violation of a provision, a separate violation occurs each day the covered entity . . . is in violation of the provision.” 45 C.F.R. § 160.406.
For a violation due to willful neglect which was not corrected during the 30-day period beginning on the first date the covered entity knew, or, by exercising reasonable diligence, would have known that the violation occurred, OCR may not impose a CMP less than $63,973 for each violation or in excess of $1,919,173 for identical violations during a calendar year. 45 C.F.R. § 160.404(b)(2)(iv); 45 C.F.R. § 102.3; 87 Fed. Reg. 15,100, 15,109 (March 17, 2022) (2022 inflation-adjusted CMP table).
In determining the amount of a CMP, OCR will consider the following factors:
(a) The nature and extent of the violation, consideration of which may include but is not limited to:
(1) The number of individuals affected; and
(2) The time period during which the violation occurred;
(b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
(1) Whether the violation caused physical harm;
(2) Whether the violation resulted in financial harm;
(3) Whether the violation resulted in harm to an individual’s reputation; and
(4) Whether the violation hindered an individual’s ability to obtain health care;
(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity . . . consideration of which may include but is not limited to:
(1) Whether the current violation is the same or similar to previous indications of noncompliance;
(2) Whether and to what extent the covered entity . . . has attempted to correct previous indications of noncompliance;
(3) How the covered entity . . . has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
(4) How the covered entity . . . has responded to prior complaints;
(d) The financial condition of the covered entity . . . consideration of which may include but is not limited to:
(1) Whether the covered entity . . . had financial difficulties that affected its ability to comply;
(2) Whether the imposition of a [CMP] would jeopardize the ability of the covered entity . . . to continue to provide, or to pay for, health care; and
(3) The size of the covered entity . . . ; and
(e) Such other matters as justice may require.
45 C.F.R. § 160.408. The factors may be considered aggravating or mitigating, as appropriate, and § 160.408 does not specify separate aggravating or mitigating factors. The University of Texas MD Anderson Cancer Center, DAB No. 2927 at 30 (2019).
OCR may not impose a CMP when a covered entity establishes that the violation is not due to willful neglect and either corrected during the “30-day period beginning on the first date the covered entity . . . liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred;” or corrected during “[s]uch additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.” 45 C.F.R. § 160.410(c). Finally, for violations that are not due to willful neglect but not corrected within the aforementioned time periods, the OCR may waive the CMP if payment would be excessive relative to the violation. 45 C.F.R. § 160.412.
- OCR appropriately considered the factors listed at 45 C.F.R. § 160.408 in proposing a $70,000 CMP.
As discussed above, the evidence demonstrates that, from August 26, 2019, through March 29, 2022, Respondent violated the Privacy Rule due to willful neglect. The violation was not corrected within 30 days of when Respondent knew or, by exercising reasonable diligence, would have known that the violation occurred. Accordingly, OCR has a basis to impose a minimum CMP of $63,973 up to a maximum CMP of $1,919,173 for each violation, with a $1,919,173 calendar year cap.[15] 45 C.F.R. § 160.404(b)(iv)(A)-(B); 45 C.F.R. § 102.3.
In determining the amount of the CMP, OCR found that the factors listed in 45 C.F.R. § 160.408(a)-(c) weighed against Respondent and were aggravating. In considering the nature and extent of the violation, OCR determined Respondent failed to comply with the AP’s multiple requests for access to her and her children’s PHI, Respondent failed to remedy the potential violation even after multiple technical assistance and data request letters, and the violation occurred for over two years. NPD at 7-8; 45 C.F.R. § 160.408(a). In considering the nature and extent of the harm resulting from the violation, OCR determined Respondent denied the AP’s family access to dental care as a result of the investigation of the violation and that the AP could not seek insurance reimbursement for the services provided by Dr. Gumbs because of Respondent’s refusal to provide the records. NPD at 7-8; 45 C.F.R. § 160.408(b). In considering Respondent’s history of compliance, OCR determined that Respondent ignored OCR’s May 7, 2019, technical assistance letter and the September 5 and November 7, 2019, data requests attempting to resolve the AP’s complaint allegations. NPD at 8; 45 C.F.R. § 160.408(c). OCR acknowledged that it has not received any other complaints against or breaches reported by Respondent. Id.
Respondent argues that the proposed CMP is not supported because there is no evidence of physical or financial harm, injury to the AP’s reputation, or an impediment to the AP’s ability to obtain health care, and because this is OCR’s first and only investigation of Respondent. R. Br. at 8-10. Respondent argues the violation resulted in no real appreciable harm. R. Br. at 10. Respondent is correct that there is no evidence of repeated violations or past noncompliance, given this is only a single, lengthy violation. However, the 45 C.F.R. § 160.408(a)-(c) factors are aggravating here, not mitigating. The AP filed her first complaint about PHI access against Respondent in May of 2019, to which OCR provided technical assistance in the form of a review of Respondent’s obligations under the Privacy Rule and a reminder to Respondent of the requirement to timely act on an individual’s right of access request. See OCR Ex. 3. Five individuals were adversely affected by this violation, which began just weeks after the AP’s first complaint. The AP and her three children were denied access to their PHI and were unable to seek insurance reimbursement because they did not have copies of their treatment records. The AP’s husband was denied access to dental care when Dr. Gumbs refused to treat him due to his relation to the AP and the OCR investigation of her complaint. The AP also advised OCR that, as of July 2021, she and her children had not received dental care and were still searching for a new provider. OCR Ex. 21. The violation persisted for a lengthy period of time, which is demonstrated by OCR’s calculation of a sizeable daily CMP – $63,973 – capped at $1,919,713 annually.[16] NPD at 8. As discussed above, between the letters, voicemail, telephone call, proposed RA/CAP, and LOO, Respondent did not provide the AP with copies of the requested records or issue a denial of the request to allow the AP to seek further review. Through Dr. Gumbs, Respondent either did not respond to OCR’s communications, advised OCR that Respondent did not intend to provide the AP with the requested records (OCR Ex. 7), or conceded that Respondent had not provided the AP with the requested records (OCR Exs. 11, 12, 16). Even after being advised that OCR’s investigation found a preliminary indication of noncompliance with the Privacy Rule (OCR Ex. 13), Respondent still refused to send the AP’s records to the requested email or to send mailed copies of the records until the AP made additional arrangements (OCR Ex. 16). Respondent did not provide the AP with the requested treatment records until May 17, 2022, when it made the records available via Dropbox (OCR Ex. 19), nearly two months after OCR issued its NPD imposing a CMP and finding Respondent willfully neglected the Privacy Rule’s requirements.
In determining the amount of the CMP, OCR found the 45 C.F.R. § 160.408(d) factor mitigating, and proposed a reduced CMP. As discussed further in subsection V(4)(b) below, Respondent failed to cooperate with OCR’s investigation or to provide OCR with any financial information, affirmative defenses, or mitigating factors to consider in calculating a reduced CMP. NPD at 8; 45 C.F.R. § 160.408(d)-(e); OCR Reply at 4-5. However, from publicly available information, OCR determined Respondent is a solo practitioner dental provider serving an urban and suburban community and the imposition of the maximum CMP – $7,676,692[17] – would likely impact Respondent’s ability to provide dental care to its service area. Id. OCR determined that the potential impact of the COVID-19 public health emergency on Respondent also warranted a reduced CMP. Id. In light of three aggravating factors and one mitigating factor, OCR determined that a reduced CMP of $70,000 was justified. Id.
Respondent argues even the $70,000 reduced CMP would result in Respondent’s forced closure. R. Br. at 10-11. In this proceeding, Respondent offered profit and loss statements, balance sheets, statements of cash flows, and individual tax returns for the past couple of years in an effort to support its financial hardship argument. See R. Ex. 11. However, Respondent failed to explain how these documents demonstrated financial hardship. See generally, R. Br. at 10-11. Moreover, Respondent had several opportunities to provide evidence of its financial condition, and instead offered these documents for the first time in July of 2023, two years and nearly seven months after OCR’s December 8, 2020, request for evidence supporting mitigating factors. Compare R. Ex. 11 with OCR Ex. 13.
Nevertheless, the documents provided with Respondent’s exchange do not support a further reduction of the CMP. For example, Respondent submitted January-December 2021, January-December 2022, January-February 2023, and May 2023 Profit and Loss statements. R. Ex. 11 at 1-4, 9-10. These documents show a net income indicating Respondent has a profitable business and the required funds to pay the proposed $70,000 CMP.[18] Respondent also argues that approximately 86% of Respondent’s patients are Medicaid recipients, the practice has not funded employee retirement accounts in 2023, did not pay Dr. Gumbs’ salary in May 2023 in order to cover estimated taxes, and has limited insurance coverage for defense costs and payment of the CMP. R. Br. at 1-2, 10-11. Yet, Respondent did not provide evidence substantiating these claims or explain how the existing financial documents in R. Ex. 11 corroborated these claims. Therefore, I accord these arguments little weight. Moreover, I note that the proposed $70,000 CMP is on the lower side of the CMP’s potential range of $63,973 to $1,919,173 for calendar year 2022. 45 C.F.R. § 160.404(b)(iv)(A)-(B); 45 C.F.R. § 102.3.
Furthermore, there is no evidence in the record showing that Respondent’s financial condition impacted its ability to comply with the Privacy Rule and to provide the AP with access to her and her children’s treatment records. Next, OCR already considered Respondent’s status as a solo practitioner dental provider, the population Respondent treats, and the anticipated impact of the COVID-19 public health emergency. NPD at 8.
Respondent refused to provide copies of the requested treatment records or deny the request, and instead chose to willfully neglect the Privacy Rule, incurring a $63,973 daily penalty. OCR considered the potential financial impact on Respondent if it had proposed the maximum proposed CMP, and instead reduced the CMP by over 90 percent. A 90 percent reduction of a proposed CMP that was already capped by an annual maximum is a significant reduction. Further, Respondent’s financial documents indicate Respondent is still turning a profit. See R. Ex. 11. Respondent’s disregard of OCR’s technical guidance regarding the AP’s complaint and request for cooperation with its investigation over a considerable period of time supports the imposition of a significant CMP of $70,000.
- There are no applicable affirmative defenses or additional mitigating factors.
As discussed above, Respondent argues the violation was not due to willful neglect. R. Br. at 7-8. Respondent argues that absent a showing of willful neglect, OCR may not impose a CMP. R. Br. at 5. Respondent’s two reasons for failing to provide the Complainant with the requested PHI (Respondent’s lack of a secure website to access the records and Respondent suspecting the Complainant was going to use the records to commit insurance fraud) are not recognized grounds to deny a request for PHI under 45 C.F.R. § 164.524(a)(2), (3) or recognized affirmative defenses under 45 C.F.R. § 160.410. Respondent alleges it attempted to send the AP a copy of the records via certified mail, but that it received an “Addressee Unknown” response. R. Br. at 4 n.2, 7, 8. However, Dr. Gumbs only indicated Respondent sent the AP a letter by certified mail, not that Respondent tried to send a copy of the records. See OCR Ex. 16. Respondent also alleges it offered the AP an opportunity to pick up a copy of the records or to mail her a copy after the AP paid $25. R. Br. at 3. However, this offer is not substantiated by any corroborating evidence. Dr. Gumbs mentions the offer in her January 2021 letter and says it was made 14 months prior (see OCR Ex. 16 at 2), but provided no proof by way of an email, letter, or call log showing that it was actually offered to the AP or when it was offered. Thus, it does not rebut OCR’s willful neglect finding or serve as a basis for finding that the violation was corrected within 30 days or an appropriate additional period of time. 45 C.F.R. § 160.410(c)(1)-(2).
Likewise, the unsubstantiated offer does not mitigate the nature and extent of the violation when determining the appropriate penalty amount. 45 C.F.R. § 160.408(a)(2). Dr. Gumbs’ unsupported claim that she offered the records for pick-up on or about November 2019 is insufficient to establish that the violation was corrected before May 2022, when the records were transmitted via Dropbox, or to reduce the prolonged period of noncompliance.
Based on the foregoing discussion, a CMP of $70,000 is justified based on consideration of the factors at 45 C.F.R. § 160.408 and the affirmative defenses at 45 C.F.R. § 160.410 as they apply to the specific facts and circumstances presented in this case.
- Respondent is not eligible for a waiver of the CMP.
OCR may waive a CMP imposed for a violation in certain circumstances, but may not waive CMPs imposed for violations due to willful neglect. 45 C.F.R. § 160.412.
Respondent’s RFH does not request a waiver and its brief does not address the waiver. However, OCR correctly determined that there is no basis for waiver of the proposed CMP amount as set forth at 45 C.F.R. § 160.412. NPD at 8; OCR Br. at 10.
VI. Conclusion
I uphold the violation cited under 45 C.F.R. § 164.524(b)(2). A $70,000 CMP is justified for Respondent’s willful neglect of the Privacy Rule from August 26, 2019, through March 29, 2022.
Endnotes
1 On April 8, 2019, Respondent initially emailed a response to the AP’s request for her children’s frequency of visits. On the same date, the AP responded by requesting the specific dates her children were treated by Respondent. The AP subsequently requested the dental records on June 26, 2019.
2 Dropbox is a file hosting service operated by Dropbox, Inc., that offers cloud storage, file synchronization, personal cloud, and client software secured by two-factor authentication and file encryption. See https://www.dropbox.com/features/security (last accessed September 27, 2023).
3 A designated record set is “[a] group of records maintained by or for a covered entity that is . . . [t]he medical records and billing records about individuals maintained by or for a covered health care provider.” 45 C.F.R. § 164.501.
4 Neither party filed the NPD as an exhibit. The NPD is embedded in OCR Ex. 17 as an attachment to the email, but it was not filed with or marked as one of OCR’s exhibits. Respondent filed a copy of the NPD with its request for hearing (DAB E-File docket entry No. 1a). I therefore cite to the number in the PDF page counter of DAB E-File docket entry No. 1a.
5 OCR calculated the maximum total CMP to be $7,676,692 as follows:
- Calendar Year 2019: 209 days from August 26, 2019, to December 31, 2019 (Maximum potential CMP of $1,919,173).
- Calendar Year 2020: 366 days from January 1, 2020, to December 31, 2020 (Maximum potential CMP of $1,919,173).
- Calendar Year 2021: 365 days from January 1, 2021, to December 31, 2021 (Maximum potential CMP of $1,919,173).
- Calendar Year 2022: 88 days from January 1, 2022, to March 29, 2022 (Maximum potential CMP of $1,919,173).
NPD at 6-7. The NPD references Appendix A, which appears to be a CMP Penalty Chart listing the calendar year cap on and the adjusted total of the maximum CMP amount. However, as discussed in note 4, the Appendix is embedded in OCR Ex. 17 as an attachment to the email and was not filed with or marked as one of OCR’s exhibits.
The listed calendar year cap of $1,919,173 is accurate for 2022. 87 Fed. Reg. 15,100, 15,109 (March 17, 2022) (inflation-adjusted CMP table). I note, however, that the calendar year caps for 2019 through 2021 are lower than listed in the NPD. For 2019, the calendar year cap was $1,754,698 (84 Fed. Reg. 59,549, 59,557 (Nov. 5, 2019)); for 2020, it was $1,785,651 (85 Fed. Reg. 2869, 2878 (January 17, 2020)); and for 2021, it was $1,806,757 (86 Fed. Reg. 62,928, 62,937 (Nov. 15, 2021)). These amounts total a lower maximum total CMP of $7,266,279.
6 Although OCR filed a motion for summary judgment, it is unnecessary to rule on this motion.
7 The Health Information Technology for Economic and Clinical Health (HITECH) Act, Pub. L. No. 111-5, 123 Stat. 115 (2009), which was enacted on February 17, 2009, strengthened certain protections established under HIPAA, to include limiting the fees charged to provide an individual with a copy of electronic medical records. 42 U.S.C. § 17935. Following enactment of the HITECH Act, the Secretary promulgated rulemaking in January 2013 to implement that legislation. 78 Fed. Reg. 5,566 (Jan. 25, 2013).
8 PHI is individually identifiable health information that is transmitted or maintained electronically or in any other form or medium. 45 C.F.R. § 160.103.
9 A “covered entity” is a health plan, health plan clearinghouse, or health care provider that transmits any electronic health information in connection with a transaction regulated by HIPAA. 45 C.F.R. §§ 160.102(a), 160.103.
10 A “business associate” includes: a health information organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI; a person who offers a personal health record to one or more individuals on behalf of a covered entity; and a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate. 45 C.F.R. §§ 160.102(b), 160.103.
11 The AP provided her name and mailing address in her June 26, 2019, email requesting a copy of the records. OCR Ex. 4. If Respondent was uncomfortable emailing the records to the AP, it is unclear why the AP was required to pick up the requested records in person. Each communication from Respondent to OCR outlining the required fee indicated that the records would not be produced until after the requested fee was paid. OCR Exs. 11 at 2 (“Gums Dental Care, LLC is asking [the AP] to pay the $25.00 fee so that the dental records requested can be copied . . . .”; “This measure will be taken . . . .”); 16 at 2 (“[The AP] can call and make arrangements to pick up her records . . . .”). Because the AP did not pay the requested fee, it does not follow that the records were ready and awaiting pickup.
12 The AP made a written request for copies of her and her three children’s treatment records on June 26, 2019. OCR Ex. 4. When Respondent did not provide the requested records, the AP filed another HIPAA complaint on August 2, 2019. OCR Ex. 5. The AP renewed her request for the treatment records by email on August 26, 2019, 60 days after her previous written request for the records. OCR Ex. 11 at 7.
13 According to OCR, Respondent’s “staff, as well as Dr. Gumbs indicated that the records would be a flat fee of $25 per record, even when emailed and would need to be paid prior to sending the records.” OCR Ex. 6 at 1.
14 Neither the proposed RA/CAP nor its terms or conditions are part of the record, as “offers of compromise or settlement are inadmissible to the extent provided in Rule 408 of the Federal Rules of Evidence.” 45 C.F.R. § 160.540(f).
15 See note 5 for the maximum calendar year caps for 2019-2021.
16 See note 5 above.
17 See note 5 above.
18 In order to protect Respondent’s confidential commercial or financial information, I will not describe the specific amounts shown on the profit and loss statements.
Karen R. Robinson Administrative Law Judge