Department of Health and Human Services
DEPARTMENTAL APPEALS BOARD
Appellate Division
Phoenix Healthcare, LLC d/b/a Green Country Care Center
Docket No. A-23-29
Decision No. 3105
DECISION
Respondent Phoenix Healthcare, LLC, d/b/a Green Country Care Center (GCCC), appeals an Administrative Law Judge’s (ALJ) decision upholding the determination of the Office of Civil Rights (OCR) to impose civil money penalties for violating provisions of HIPAA, the Health Insurance Portability and Accountability Act of 1996, granting patients access to their medical records within set time limits, limiting fees providers may charge for copying the records, and requiring that providers have written agreements with business associates that have access to medical records the provider maintains. Phoenix Healthcare, LLC d/b/a Green Country Care Ctr., DAB CR6232 (2023) (ALJ Decision).
The ALJ concluded that Respondent, which owned GCCC, a skilled nursing facility (SNF) in Oklahoma, violated these requirements when it refused for some ten months to provide a former resident’s medical records to the resident’s representative unless they paid a fee in excess of the “reasonable cost” of providing the records. The ALJ further upheld OCR’s determination that Respondent violated the HIPAA requirement to maintain written agreements with business associates that access medical records, because it had no such agreement with its legal counsel that had the former resident’s records and demanded the excessive fee from the resident’s representative. The ALJ also found that the $250,000 civil money penalty (CMP) that OCR imposed was not reasonable and imposed a CMP of $75,000 instead.
On appeal, Respondent does not contest the ALJ’s findings that it violated the cited requirements, but argues that its culpability for two of the violations was at a lower level of the multiple levels or tiers of culpability established in HIPAA and its implementing regulations – levels or tiers that control the range of CMPs that may be imposed – than the level that OCR determined and the ALJ upheld (“willful neglect”); Respondent also argues that the CMP the ALJ imposed was unreasonable.
For the reasons explained below, we affirm the ALJ Decision.
Legal background
Federal statutes including the HIPAA (Pub. L. No. 104-191, 110 Stat. 1936 (1996)), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (Pub. L. No. 111-5, Div. A, Title XIII, 123 Stat. 115, 226 (2009)), and their implementing regulations, guard “protected health information” (PHI) from unauthorized disclosure; and grant individuals the right to access and obtain copies of their medical records maintained by “covered entities,” including health care providers such as GCCC. 42 U.S.C. § 17935(e); 45 C.F.R. §§ 164.502(e), 164.524(a), (b)(2), (c). They also require covered entities to provide copies within set time limits (30 days unless records are maintained offsite), in the form requested, and at fees limited to the “reasonable cost-based fee” of copying and mailing (for copies requested by mail), even if state law authorizes higher fees. 45 C.F.R. § 164.524(b)(2), (c)(4); see also 45 C.F.R. Part 160, subpart B (“Preemption of State Law”). They also require covered entities to have a written contract with any “business associate” that has access to PHI the covered entity maintains, binding them to the HIPAA record protection requirements – in this case, GCCC’s longtime counsel, the Secrest law firm (Secrest), that responded to record requests on GCCC’s behalf and conditioned provision of copies of the records on payment of fees that, though authorized by state law, were in excess of the fees permitted by the federal law and regulations. Id. §§ 164.502(e), 160.103 (defining “covered entity” and “business associate”).
The regulations implementing these requirements, at 45 C.F.R. Parts 160 and 164 (subparts A, E), are known as the Privacy Rule. 78 Fed. Reg. 5,566, 5,567 (Jan. 25, 2013); see also ALJ Decision at 2; 45 C.F.R. § 171.202(a)(1).
The statute and regulations direct the Secretary of HHS to impose CMPs on a covered entity or business associate that violates these requirements, with minimum penalties ranging from $100 to $50,000 for each violation. 42 U.S.C. § 1320d‑5; 45 C.F.R. §§ 160.402, 160.404. They also cap the total amount that may be imposed “for all such violations of an identical requirement or prohibition during a calendar year” at amounts up to $1,500,000. 42 U.S.C. § 1320d-5(a)(3)(D); 45 C.F.R. § 160.404(b). “In the case of continuing violation of a provision, a separate violation occurs each day the covered entity or business associate is in violation of the provision.” 45 C.F.R. § 160.406.
The statute and regulations provide tiers of per-violation penalty ranges that increase based on the violator’s culpability and the extent and timing of corrective actions, if any. Culpability ranges include situations where the covered entity “did not know and, by exercising reasonable diligence, would not have known” of the violation, situations in which the violation was due to “reasonable cause and not to willful neglect,” and situations involving “willful neglect.” 45 C.F.R. § 160.404(b)(2). “Reasonable cause” means “an act or omission in which a covered entity . . . knew, or by exercising reasonable diligence would have known, that the act or omission violated [a Privacy Rule requirement], but in which the covered entity . . . did not act with willful neglect.” Id. § 160.401.
“In determining the amount of any civil money penalty,” specific factors that “may be mitigating or aggravating as appropriate” must be considered. Id. § 160.408. Those factors, which we address in greater detail later, include the nature and extent of the violation and the resulting harm, and the violator’s compliance history and financial condition. Id.
To impose a penalty, the Secretary sends the respondent a “notice of proposed determination” that states the legal basis for the penalty and its amount, the findings of fact regarding the violations alleged and why they warrant a penalty, the factors in section 160.408 that were considered in determining the penalty amount, and how to request an ALJ hearing to appeal the penalty. Id. § 160.420(a). The ALJ “may affirm, increase, or reduce the penalties imposed by the Secretary.” Id. § 160.546(b). The ALJ “[m]ay not find invalid or refuse to follow Federal statutes, regulations, or Secretarial delegations of authority and must give deference to published guidance to the extent not inconsistent with statute or regulation.” Id. § 160.508(c)(1).
Before the ALJ, “[t]he respondent has the burden of going forward and the burden of persuasion with respect to any: (i) [a]ffirmative defense . . .; (ii) [c]hallenge to the amount of a proposed penalty . . . including any factors raised as mitigating factors; or (iii) [c]laim that a proposed penalty should be reduced or waived . . .; and (iv) [c]ompliance with subpart D of part 164” (governing notifications of breaches of protected health information). Id. § 160.534(b)(1). OCR, which acts on the Secretary’s behalf, “has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability other than with respect to subpart D of part 164, and the existence of any factors considered aggravating factors in determining the amount of the proposed penalty.” Id. § 160.534(b)(2).
Any party to the ALJ hearing may appeal the ALJ’s decision to the Board, which “may decline to review the case, or may affirm, increase, reduce, reverse or remand any penalty determined by the ALJ.” Id. § 160.548(g).
Case background
The following facts are taken from the ALJ’s findings and the record and are not in dispute.1
The GCCC resident (the Affected Party (AP) in the ALJ Decision) had resided at GCCC since February 2018. On March 12, 2019, the resident’s daughter (the “complainant” under the regulations, see, e.g., 45 C.F.R. § 160.306(b)(3)), who held power of attorney, signed the AP out of GCCC and brought the AP to the emergency department of an acute care hospital. The next day, March 13, 2019, the complainant visited the GCCC facility and requested, in writing, a copy of the AP’s medical records. ALJ Decision at 4-5 (citing R. Ex. 1, at 37, 39; and OCR Ex. 4, at 2).
On April 1, 2019, Secrest responded by mail to the complainant’s record request stating that Secrest “‘handles all records requests for’ the facility” and was in possession of hard copies of the records, demanding payment of $467.50 to begin copying the AP’s medical records, and citing the rate of fifty cents per page provided by Oklahoma statute for records not maintained and copied electronically. ALJ Decision at 5 (quoting or citing OCR Ex. 9, at 1). For the next 10 months, Secrest, on Respondent’s behalf, continued to condition the copying and production of the medical records on receipt of $467.50 for hard copies, and then $200 for electronic copies (also pursuant to Oklahoma law), despite repeated communications from OCR explaining the Privacy Rule requirements to provide copies of records promptly at fees limited to reasonable costs of copying and production, before Secrest finally relented and provided the complainant a compact disc containing the medical records on January 30, 2020.2 Id. at 5-8 (citing, inter alia, OCR Ex. 10, at 1, 3; and OCR Ex. 15, at 1).
In the interim, OCR opened an investigation in response to two complaints the complainant filed with OCR in April and May 2019, including one questioning how Respondent was able to provide the AP’s medical records “to an attorney[’]s office,” and requested information from Respondent about its relationship with Secrest and about its finances, which Secrest mostly refused to provide (such as a requested federal tax return). ALJ Decision at 5‑8 (citing OCR Ex. 3, at 1; OCR Ex. 5, at 1; OCR Ex. 12, at 1-2, 5-12; OCR Ex. 14, at 1-2; and OCR Ex. 23, at 2). Secrest did send OCR a “July 2019 Income Statement” for GCCC and a copy of a written business associate agreement between GCCC and Secrest that had been executed September 20, 2019, and maintained its “‘objection to providing [a] Federal Tax Return for [GCCC].’” Id. at 7-8 (quoting or citing OCR Ex. 24 at 1, 3-10).
On January 16, 2020, OCR informed Respondent via Secrest that its investigation had determined that Respondent violated the Privacy Rule by denying the complainant timely access to records, seeking a fee that was not reasonable or cost based, and failing to have a written business associate agreement with Secrest.3 ALJ Decision at 8 (citing OCR Ex. 14, at 1-2; OCR Ex. 14, at 1-2 (OCR letter Jan. 16, 2020); and citing 45 C.F.R. §§ 164.524(b)(2), (c)(4), 164.502(e)). OCR also enclosed a resolution agreement and corrective action plan. Id. (citing OCR Ex. 14). Secrest in response denied any violation of the requirement to provide records timely for no more than a reasonable cost, stated that it had corrected the failure to have a business associate agreement, and argued, among other things, that “OCR is helping to perpetuate a fraud and malicious activity by [the AP], by failing to complete an objective forthright review of the evidence and [the AP’s] claims.” R. Ex. 4, at 3 (Jan. 31, 2020 letter, underlining omitted). Secrest thus rejected the proposed resolution agreement and “OCR’s offer to impose a $333,000 penalty upon GCCC.”4 Id. at 1.
After further correspondence with Secrest, OCR issued a March 30, 2021 notice of proposed determination that found Respondent liable for a “Maximum Potential CMP” of $4,071,131, comprising $3,511,789 for the violation of 45 C.F.R. § 164.524(b)(2) (timely response to record request) based on willful neglect not corrected in 30 days for a total of 245 days from May 30, 2019 to January 29, 2020; $59,522 for a single violation of section 164.524(c)(4) (limiting fees to reasonable costs) based on willful neglect not corrected in 30 days; and $500,000 for the violation of section 164.502(e) (business associate agreement) based on six years of noncompliance at the culpability level of reasonable cause and not willful neglect.5 OCR Ex. 21, at 9-12; ALJ Decision at 2, 9-10.
OCR, however, imposed “a reduced CMP of $250,000,” citing “the impact of the COVID‑19 public health emergency on nursing homes generally” and GCCC’s claim of financial hardship, notwithstanding GCCC’s failure to provide audited financial statements in response to OCR’s request. OCR Ex. 21, at 9.
The ALJ Decision
The ALJ proceedings were marked by “significant delay” due to a six-month “protracted and acrimonious discovery process” over Secrest’s “frivolous claim that Phoenix Healthcare, LLC d/b/a Green Country Care Center was not the Respondent” and Secrest’s “role as representative for GCCC, while also being a potential witness and party.” ALJ Decision at 5 n.5, 11. On January 24, 2022, the ALJ ordered the parties to address those issues and afforded Secrest the opportunity to “file notice of its intent to withdraw from representation in lieu of a response” if “‘based on its analysis of the issues presented’” in the order “‘Secrest determines that withdrawal from representation is appropriate.’” Id. at 11 (quoting Jan. 22, 2022 Order). Secrest filed a notice of intent to withdraw as counsel on February 3, 2022, and Respondent obtained substitute counsel. Id.
OCR subsequently filed a combined pre-hearing brief and motion for summary judgment, and 54 proposed exhibits including the written direct testimony of two witnesses, and Respondent filed a response to OCR’s motion (cited as “R. ALJ Br.”) and nine proposed exhibits, including two witness affidavits. ALJ Decision at 11. The ALJ determined that an in-person hearing was unnecessary because Respondent did not seek to cross-examine OCR’s witnesses, and because the affidavits of Respondent’s two witnesses, whom OCR sought to cross-examine, did not contain disputed or relevant and material facts. Id. at 12-14. The ALJ also found it unnecessary to rule on OCR’s motion for summary judgment. Id. at 14 n.13.
The ALJ Decision states that the issues were:
- Whether Respondent violated 45 C.F.R. § 164.524(b)(2) between May 30, 2019 and January 29, 2020, and if so, whether the penalty tier is willful neglect.
- Whether Respondent violated 45 C.F.R. § 164.524(c)(4) on July 1, 2019, and if so, whether the penalty tier is willful neglect.
- Whether Respondent violated 45 C.F.R. § 502(e) from March 30, 2015, through September 19, 2019, and if so, whether the penalty tier is reasonable cause.
- Whether a $250,000 CMP is justified.
ALJ Decision at 14.
The ALJ concluded that Respondent violated 45 C.F.R. § 164.524(b)(2) at the willful neglect level “when it did not timely provide the complainant with the requested copy of the AP’s medical records within 30 days of April 30, 2019, the date OCR initially provided written notice to Respondent regarding the complaint and pending request for an electronic copy of the AP’s records” (id. at 14-19), and violated section 164.524(c)(4) at the willful neglect level on July 1, 2019, “when it sought $200 for an electronic copy of the AP’s records, which is more than $150 more than the unrefuted ‘reasonable, cost-based fee’ for the AP’s medical records” (id. at 19-21).
The ALJ rejected Respondent’s arguments that it “allowed the complainant an opportunity to ‘inspect’ the records herself” and “provided timely access to the records, and the complainant simply failed to take the necessary action (e.g., pay the requested fee and pick up the records).” ALJ Decision at 16 (citing R. ALJ Br. at 12-13). The ALJ noted that complainant had “requested a copy of the AP’s records,” as the regulations permit, not merely an opportunity “to stand at the nursing station” to inspect them, and held that “[b]y conditioning its fulfillment of the records request on either payment of $467.50 (for a hard copy) or $200 (for an electronic copy), which the complainant was unwilling to pay because the amounts were not reasonable and cost-based, Respondent did not provide the requested records.” Id. at 16-17 (citing 45 C.F.R. §§ 164.524(a)(1) (“[A]n individual has a right of access to inspect and obtain a copy of [PHI] about the individual” (ALJ’s italics)) and 164.524(b)(2)(i)(A) (requiring a covered entity to “provide the access requested”)).
The ALJ further concluded that Respondent violated 45 C.F.R. § 164.502(e) when it did not enter into a written business associate agreement with Secrest until September 20, 2019, even though Respondent had engaged Secrest as a business associate since 2000, and that the violation was at the culpability level of reasonable cause that is not willful neglect. ALJ Decision at 21-22. The ALJ found that Respondent’s claim that it was unaware of the requirement for a written business associate agreement prior to OCR’s September 18, 2019 letter was “belied by Respondent’s own 2014 policy” titled “Business Associate Agreements” permitting it to disclose PHI “upon the business associate’s signing a written agreement to appropriately safeguard such protected information” and defining “business associate” to encompass Secrest. Id. at 23 (quoting OCR Ex. 43, at 1).
Regarding the CMP, the ALJ concluded that the $250,000 CMP amount was “not based on an adequate evaluation of all factors” listed in the regulations and that a CMP of $75,000 “is warranted based on evaluation” of the factors. Id. at 24.
We address the ALJ Decision in greater detail in our analysis below.
Standard of Review
“The standard of review on a disputed issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the whole record. The standard of review on a disputed issue of law is whether the decision is erroneous.” 45 C.F.R. § 160.548(h).
Analysis
Respondent does not dispute the ALJ’s factual findings and has not appealed the ALJ’s conclusions that it violated 45 C.F.R. § 164.524(b)(2) and (c)(4) “when it did not timely provide the complainant with the requested copy of the AP’s medical records within 30 days of April 30, 2019, the date OCR initially provided written notice to Respondent regarding the complaint and pending request for an electronic copy of the AP’s records” and “when it sought $200 for an electronic copy of the AP’s medical records, more than $150 more than the unrefuted ‘reasonable, cost-based fee’” for the records. ALJ Decision at 14, 19. Nor does Respondent appeal the ALJ’s conclusions that it violated section 164.502(e) by “not enter[ing] into a written business associate agreement with [Secrest] until September 20, 2019” and “is liable for its violation of 45 C.F.R. § 164.502(e) from no earlier than March 30, 2015, which is six years prior to the date OCR issued its notice of proposed determination.” Id. at 21-22. We thus summarily affirm those conclusions.
Respondent’s list of the ALJ’s findings and conclusions it disputes includes, “Respondent does not challenge OCR’s determination that the penalty level for its violation of 45 C.F.R. § 160.502(e) is at the reasonable cause level of culpability,” but Respondent presents no argument about that finding, which we also summarily affirm. ALJ Decision at 23; Respondent’s Notice of Appeal and Written Brief in Support (R. Br.) at 3; 45 C.F.R. § 160.548(h).6 Similarly, while Respondent states that it disputes the specified “findings of fact and conclusions of law,” R. Br. at 3, its brief does not dispute any actual findings of fact and addresses only the ALJ’s conclusions of law as applied to the facts the ALJ found.
For the reasons below, we conclude that Respondent has shown no error in the ALJ Decision.
I. The ALJ’s conclusion that Respondent “acted with willful neglect” when it failed to provide timely access to records and sought a fee that was not “reasonable and cost-based” is free of legal error.
Respondent appeals the ALJ’s conclusion that its violations of the requirements to timely provide requested records at fees limited to reasonable costs (45 C.F.R. § 164.524(b)(2), (c)(4)) were at the “willful neglect” culpability level. As discussed below, Respondent has shown no error in the ALJ’s conclusion.
HIPAA and the Privacy Rule regulations set out the increasing culpability levels for violations: the violator “did not know” and “by exercising reasonable diligence would not have known” that they violated the requirements; violations “due to reasonable cause and not to willful neglect”; and violations “due to willful neglect.” 42 U.S.C. § 1320d‑5(a)(1); 45 C.F.R. § 160.404(b)(2). “Willful neglect” violations further comprise two levels: those corrected, and those not corrected, “during the 30-day period beginning on the first date” the violator “knew, or, by exercising reasonable diligence, would have known,” that the violation occurred. 45 C.F.R. § 160.404(b)(2)(iii)-(iv). Here, there is no dispute that Respondent did not correct its violations of the requirements within 30 days.
Each culpability level authorizes increasing minimum per-day CMPs for the violations. 45 C.F.R. §§ 160.404, 160.406. We address the CMP amounts in section II of this analysis.
Respondent argues that its violations of the record-request requirements did not constitute willful neglect because it committed them in reliance on the advice of its counsel and business associate, Secrest, on whom it also relied to respond to requests for medical records and to inquiries and correspondence from OCR, which it forwarded to Secrest, and thus lacked mens rea for the violations. R. Br. at 3-8. Respondent argues, e.g., that Secrest “handled Respondent’s medical records requests and owed a duty to Respondent to act in conformity with HIP[A]A requirements on behalf of Respondent” and that it “relied on the advice of its counsel at the time,” Secrest, “to comply with the applicable laws and regulations, and to advise Respondent of the manner in which to respond to both the Complainant and OCR.” R. Br. at 4, 6, 7.
The ALJ rejected these arguments, finding that “the evidentiary record demonstrates that Respondent was squarely notified that its actions, as of April 30, 2019, could be in violation of the Privacy Rule and how it could comply with the Privacy Rule.” ALJ Decision at 18 (citing R. ALJ Br. at 15). “The fact that Respondent disregarded this advice and passed the letter on to the same counsel whose actions triggered OCR’s intervention in this matter,” the ALJ held, “evidences, at a minimum, a ‘reckless indifference’ to its obligations under HIPAA.” Id. (citing 45 C.F.R. § 160.401, defining “willful neglect” as including “reckless indifference to the obligation to comply with” Privacy Rule requirements). We agree.
As the ALJ noted, the April 30, 2019 OCR letter notified Respondent “that it had received a complaint alleging that Respondent had ‘charged her an amount other than a reasonable, cost-based fee in response for access to an electronic copy of her medical records’” and, “[c]iting 45 C.F.R. § 164.524(c)(4) . . . explained, in pertinent part, that a ‘reasonable, cost-based fee’ may only include the actual cost of labor, supplies, and postage, even if additional costs are allowable under state law.” ALJ Decision at 6 (quoting OCR Ex. 10, at 1, 3). The ALJ also noted that the OCR letter “encouraged the privacy officer to ‘assess and determine whether there may have been any noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future,’” and “cautioned that if [OCR] were to ‘receive a similar allegation of noncompliance . . . in the future, [it] may initiate a formal investigation of that matter.’” Id. (quoting OCR Ex. 10, at 3).
The ALJ further observed that “OCR, in its April 30, 2019 letter to Respondent, unambiguously explained that the complainant was, in fact, seeking an electronic copy of the AP’s medical records” and “also pointedly explained that a covered entity may only request a ‘reasonable, cost-based fee’ for records and that, pursuant to 45 C.F.R. § 164.524, the fee may only include the cost of labor, supplies, and postage, regardless of whether state law authorizes other costs,” but that “Respondent disregarded this guidance.” ALJ Decision at 15. The ALJ also pointed out that on June 25, 2019, OCR notified GCCC that it had opened an investigation after the complainant had filed a second complaint with OCR about the fee demand and the failure to offer digital copies, and also asking why GCCC had shared the AP’s records with its law firm. Id. at 6 (citing OCR Ex. 5, at 1), 15.
The ALJ accordingly found that this record “indicates that even after OCR informed Respondent on April 30, 2019, that the complainant was seeking an electronic copy of the AP’s records and that only a ‘reasonable, cost-based fee’ could be collected for an electronic copy of the records, Respondent nonetheless did not provide the requested records until January 30, 2020.” ALJ Decision at 16.
Respondent has not alleged that any information in OCR’s April 30, 2019 letter (or in the Privacy Rule regulations) is ambiguous, subject to reasonable contrary interpretations, or required counsel’s guidance to understand, nor has it alleged that its then-counsel, Secrest, ever advised that said information was incorrect or that Respondent was in compliance notwithstanding OCR’s admonitions. We thus agree with the ALJ that Respondent’s continued refusal to provide the requested records at reasonable fees, and its disregard or flouting of the advice in OCR’s April 30, 2019 letter, “evidences, at a minimum, a ‘reckless indifference’” of its obligations under HIPAA and the Privacy Rule. ALJ Decision at 18 (citing 45 C.F.R. § 160.401).
On appeal, Respondent reiterates the arguments it made below but has shown no error in the ALJ’s conclusion. Respondent continues to blame Secrest for the prolonged failure to provide the requested records unless the complainant paid fees in excess of reasonable costs, arguing that the ALJ findings “entirely minimize the efforts taken by Respondent to comply with the applicable requirements and infers a mens rea element contrary to thought process initiated by Respondent to provide Complainant with her mother’s medical records and comply with OCR’s demands.” R. Br. at 7. Respondent thus asserts that “it did not know, and could not have reasonably known, while relying on the advice of its counsel that it would run afoul of HIP[A]A while complying with the applicable state statute.” Id. at 8.
As the covered entity, however, Respondent was responsible for complying with the Privacy Rule requirements and may not shield itself from violations of those requirements by delegating the responsibility for compliance, and the consequences of failing to do so, to its business associate law firm. See ALJ Decision at 19 (“Respondent is a covered entity, and a covered entity is required to comply with HIPAA.”); 45 C.F.R. § 160.402(c)(1) (“A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.”). Secrest is not a party to this CMP action and any culpability it may bear for Respondent’s non-compliance is not at issue here. Mens rea, additionally, is a concept from criminal common law, which does not guide our analysis of remedies imposed for violations of the civil law and regulations here. See Black’s Law Dictionary (11th ed. 2019) (defining mens rea as “[t]he state of mind that the prosecution, to secure a conviction, must prove that a defendant had when committing a crime” and “the second of two essential elements of every crime at common law”).
Respondent also does not identify the efforts it says it took to comply with the applicable Privacy Rule requirements, beyond apparently forwarding the complainant’s requests and OCR’s communications to Secrest for disposition as Secrest saw fit. Respondent has not shown that it sought or received Secrest’s advice about either the Privacy Rule’s requirements for responding to record requests or OCR’s notices to Respondent about those requirements. The record contains no correspondence between Respondent and Secrest, and the written testimony of Respondent’s two witnesses, a Secrest paralegal and GCCC’s administrator, does not reflect any communication between Respondent and Secrest prior to OCR’s imposition of CMPs. R. Exs. 2, 8.
The only apparent advice from Secrest that Respondent cites “was that state law had contemplated HIP[A]A requirements in enacting 76 [Okla. Stat.] § 19,” the provision permitting fees of fifty cents per page for hard copies and thirty cents per page (to a maximum of $200) for electronic copies of medical records, “and thus, in complying with 76 [Okla. Stat.] § 19, Respondent was also in compliance with HIP[A]A.” R. Br. at 7-8. Before the ALJ, Respondent cited Secrest’s January 31, 2020 letter to OCR, which cites the Oklahoma law’s reference to “business associates as the term is defined in” 45 C.F.R. § 160.103, and the Oklahoma law’s prohibition on certain fees (to search, retrieve, review and prepare medical records) when requested by the patient, which Secrest stated was “to accommodate HIPAA.” R. Ex. 4, at 4 (citing Okla. Stat. tit. 76, § 19(A)(2)). The Oklahoma law cites the Privacy Rule regulation only for its definition of business associate and does not acknowledge the Privacy Rule fee limitations and timely response requirements at issue here, and Respondent does not demonstrate how this reference in the state statute reasonably supports the conclusion that Respondent could disregard OCR’s notices and the language of the regulations.
Absent any showing that Respondent sought and received counsel’s advice in declining to fulfill the record requests timely and at reasonable costs, Respondent has not met its burden of establishing an advice-of-counsel defense. See Adel A. Kallini, MD, DAB No. 3021, at 20-23 (2020) (holding that a physician excluded from all federal health care programs by the HHS Office of the Inspector General for filing false claims did not show that he sought or received advice from counsel or proved all elements of an advice-of-counsel defense); 45 C.F.R. § 160.534 (respondent has the burden of going forward and the burden of persuasion with respect to any affirmative defenses); Kallini at 8 n.5 (advice-of-counsel defense is an affirmative defense).7
Respondent also argues that Secrest “handled Respondent’s medical records requests and owed a duty to Respondent to act in conformity with HIP[A]A requirements on behalf of Respondent,” because under Part 164 “[b]usiness associates make a myriad of promises to covered entities” including “the promise to apprise the covered entity of a violation, the agreement to bind its agents to the same contractual terms, and a guarantee to offer patients their rights to access and amend their health care information.” R. Br. at 3-4 (citing 45 C.F.R. § 164.504(e)(2)(ii)(B)-(F)). As OCR points out, however, at the time that Respondent commenced its refusal to provide the requested records without advance payment of excessive fees, Secrest had not agreed to accept those responsibilities in a written business agreement with Respondent, which was not entered into until September 20, 2019.
We see no error in the ALJ’s conclusion that Respondent acted with reckless indifference, and thus willful neglect, when it “failed to ensure that its business associate complied with the Privacy Rule, particularly after receiving correspondence from OCR,” and that Respondent “had direct knowledge that the actions of its business associate were possibly violative of the law and had triggered an OCR investigation, yet it made no effort to ensure compliance with HIPAA.” ALJ Decision at 18, 21.
As OCR also notes, Respondent’s own policy for the “Uses and Disclosures” of PHI requires that any fee received by the facility “in exchange for PHI that is permitted by law will be reasonable and based on the cost to prepare and transmit the PHI.” OCR Ex. 35, at 2; OCR Br. at 19. Maintenance of a policy that appears to incorporate the Privacy Rule’s limit on permissible fees, in light of OCR’s communications with Respondent, undermines Respondent’s claim that it could reasonably believe that its response to the requests for the AP’s records was in compliance with the Privacy Rule requirements just because Secrest failed to inform it otherwise.
Respondent also downplays its culpability by attributing its continued failure to comply with the applicable Privacy Rule requirements after receiving OCR’s April 30, 2019 letter to a single employee, asserting that “such decision to pass along the letter from OCR was entirely within the confines of the relationship between a single employee at a nursing facility and its business associate attorney who was hired for the sole purpose of addressing and responding appropriately, to the letter from OCR.” R. Br. at 6.8
To the extent Respondent asserts that this single employee forwarded OCR’s April 30, 2019 letter to Secrest without reading it, or without informing the facility or Respondent’s management of its contents, nothing in Respondent’s exhibits supports this assertion. While Respondent does not identify its employee who forwarded OCR’s April 30, 2019 letter to Secrest, the ALJ noted that the letter was addressed to GCCC’s privacy officer (initials JJ), who was also GCCC’s administrator. ALJ Decision at 6 n.6; OCR Ex. 22, at 1 (July 18, 2019 Secrest letter identifying JJ as GCCC’s privacy officer); R. Ex. 8 (JJ affidavit, Apr. 30, 2020). The privacy officer’s affidavit addresses only GCCC’s financial condition and says nothing about OCR’s April 30, 2019 letter or any other OCR communication prior to January 20, 2020. R. Ex. 8.
Respondent cites no authority permitting a covered entity to rely on the conduct or negligence of a single employee to deny knowledge of the contents of written notifications from federal authorities charged with enforcing legal requirements applicable to its operations (such as OCR or the Center for Medicare & Medicaid Services (CMS)). Respondent also does not suggest that another employee forwarded the letter to Secrest such that the administrator or privacy officer was unaware of its contents. We note, by analogy, that in SNF appeals of sanctions CMS imposes for noncompliance with Medicare participation requirements (i.e., standards for care of SNF residents), the Board has rejected facility arguments that they are not liable for employee misconduct that is outside the scope of employment under the common-law doctrine of respondeat superior. Cf. Kindred Transitional Care & Rehab – Greenfield, DAB No. 2792, at 11-14 (2017) (finding SNF facing CMPs for violating Medicare participation requirements liable for prohibited conduct (or misconduct or inaction) of its agents, and noting that “[t]he statute acts to impose responsibility on facilities for the misconduct of their staff and agents in violation of federal participation standards, even that of which facility owners or management may not be aware”); see also Life Care Ctr. of Gwinnett, DAB No. 2240, at 13 n.9 (2009) (“[T]he Act and regulations make a facility responsible for the actions of its staff because it is those actions which comprise the care the residents receive.” (internal quotation marks omitted)). That principle applies with additional force here, where the handling of OCR notices and correspondence was certainly not outside the scope of employment of any of Respondent’s officers or other employees charged with handling such correspondence on its behalf.
Respondent thus cannot disavow responsibility for any unawareness of the content of the April 30, 2019 letter, as well as OCR’s subsequent correspondence. Such a result could enable covered entities to minimize potential consequences of Privacy Rule violations by declining to read and consider the content of OCR’s notices, letters and other communications they forward to business associates.
We thus find no error in the ALJ’s determination that Respondent’s deliberate (i.e., willful) disregard of that notice, as well as OCR’s subsequent notices (most of which were sent to Respondent at GCCC), constituted willful neglect of Respondent’s obligations under the Privacy Rule. The record does not show either that Respondent “did not know” and, “by exercising reasonable diligence, would not have known” that it violated the Privacy Rule requirements at issue, or that the violations were “due to reasonable cause and not to willful neglect,” the culpability levels lower than “willful neglect.” 42 U.S.C. § 1320d‑5(a)(1); 45 C.F.R. § 160.404(b)(2).
- II. The ALJ’s conclusion that a CMP of $75,000 “is warranted based on evaluation of the factors listed at 45 C.F.R. § 160.408” is free of legal error.
The ALJ concluded that the $250,000 CMP was “not based on an adequate evaluation of all factors listed at 45 C.F.R. § 160.408” and that a CMP of $75,000 “is warranted based on evaluation” of the factors. ALJ Decision at 24. Respondent appeals the latter conclusion. R. Br. at 8-12.
The applicable regulation states:
160.408 Factors considered in determining the amount of a civil money penalty.
In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate:
- (a) The nature and extent of the violation, consideration of which may include but is not limited to:
- (1) The number of individuals affected; and
- (2) The time period during which the violation occurred;
- (b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
- (1) Whether the violation caused physical harm;
- (2) Whether the violation resulted in financial harm;
- (3) Whether the violation resulted in harm to an individual’s reputation; and
- (4) Whether the violation hindered an individual’s ability to obtain health care;
- (c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:
- (1) Whether the current violation is the same or similar to previous indications of noncompliance;
- (2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance;
- (3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
- (4) How the covered entity or business associate has responded to prior complaints;
- (d) The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:
- (1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply;
- (2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and
- (3) The size of the covered entity or business associate; and
- (e) Such other matters as justice may require.
45 C.F.R. § 160.408.
OCR imposed “a reduced CMP” of $250,000, “using the discretion contemplated by 45 C.F.R. 160.408(d) and (e).” OCR Ex. 21, at 9. Regarding factor (d) (financial condition), OCR found that GCCC “provided some evidence that it has a financial hardship that would make payment of a CMP difficult,” based on “a single income statement from July 2019” for GCCC only, and the GCCC administrator’s testimony that the facility was “in receivership” and would be driven out of business by the $333,000 CMP that OCR proposed in the resolution agreement and corrective action plan it sent Respondent on January 16, 2020. Id. Regarding factor (e) (other matters as justice may require), OCR noted “the impact of the COVID-19 public health emergency on nursing homes generally.” Id.
Regarding factor (d) (financial condition) and (e) (other matters as justice may require) that the OCR notice addressed, the ALJ found that “Respondent has not claimed that OCR improperly exercised its discretion pursuant to 45 C.F.R. § 160.408(e)” and “has not offered any specific argument that OCR did not adequately consider its financial condition as required.” ALJ Decision at 24-25. The ALJ further found that Respondent “failed to acknowledge, much less address, OCR’s claims that Respondent currently has the financial resources to pay the $250,000 CMP” and “failed to fully cooperate with OCR’s efforts to assess its financial condition and ability to pay prior to the issuance of the notice of proposed determination.” Id. (italics in original) (citing OCR Exs. 45 (documentation of receipt and forgiveness of $3.5 million Paycheck Protection Loan) and 54 (federal tax returns)). In this regard, the ALJ found that the affidavit of the GCCC administrator “addressed the financial status of ‘Green Country Care Center,’ and not Phoenix Healthcare, LLC, which operates several skilled nursing facilities, to include Green Country Care Center” and that “the proprietor of Phoenix Healthcare, LLC collectively reports the income of its skilled nursing facilities in a single federal tax return.” Id. at 13 & n.11. Respondent thus did not meet its burden of establishing the existence of this factor as mitigating. 45 C.F.R. § 160.534(b)(1)(ii) (respondent has the burden of going forward and the burden of persuasion with respect to “any factors raised as mitigating factors”).
The ALJ also found that while OCR “explicitly addressed 45 C.F.R. § 160.408(d) and (e)” in its proposed determination, it “did not address its evaluation of the factors outlined at” (a) through (c). ALJ Decision at 25, 27. The ALJ addressed those other factors and concluded that “fact-specific circumstances presented here” – single incident, mistaken reliance on state law – “warrant a CMP lower than the proposed CMP of $250,000.” Id. at 25 (ALJ’s italics). The ALJ noted –
- While Respondent “violated multiple provisions of the Privacy Rule and did so at the willful neglect and reasonable cause penalty tiers,” the violations “distill down to a single, albeit prolonged and significant, incident in which Respondent, which did not have a written agreement with a longstanding law firm business associate, sought to overcharge the complainant by approximately $150 and did not request a ‘reasonable, cost-based fee’ for an electronic copy of the AP’s records.”9
- “[A]lthough Respondent disregarded OCR’s technical guidance regarding the ‘reasonable, cost-based fee,’ the amount requested by Respondent was based on a state law governing access to medical records in Oklahoma” and Respondent thus “violated HIPAA when it, through its business associate, predicated timely access to records on the payment of fees authorized by state law but not allowable under HIPAA.”
Noting “a dearth of jurisprudence addressing the Privacy Rule issues” in the case “as demonstrated by the fact that neither party cited to a court decision addressing an individual’s right of access to PHI” and OCR’s failure to “offer any comparative examples of other CMPs imposed under similar circumstances,” the ALJ next found “the majority” of the factors at (a)-(c) were “inapplicable or weigh in favor of Respondent,” id. at 25-26, 29, as follows:
Section 160.408(a), the nature and extent of the violation, including the number of individuals affected and the time period of the violation. “The length of the violations is a factor in my determination that a significant, albeit reduced, CMP of $75,000 is justified,” as “[o]nly one individual was adversely affected” and OCR imposed “sizeable daily CMPs” for each of two violations that “persisted for a lengthy period of time.” Id. at 27 (citing OCR Ex. 21, at 9).
Section 160.408(b), (f), the nature and extent of the harm resulting from the violation, including whether it caused physical, financial, or reputational harm, and whether the violation hindered an individual’s ability to obtain health care. The ALJ found only the last harm factor relevant, and that OCR “failed to draw a connection between the considerable delay in access to the AP’s [records] with the AP being hindered in her ability to receive care following her discharge from the facility, and there is simply no support for OCR’s claim in its briefing that an evaluation of 45 C.F.R. § 160.408(b)(4) weighs against Respondent.” Id. at 27-28.
Section 160.408(c), the covered entity’s/business associate’s history of prior compliance, including “[w]hether the current violation is the same or similar to previous indications of noncompliance,” “[w]hether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance,” and “[h]ow the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort.” The ALJ found relevant only that “Respondent did not respond to the technical guidance from the Secretary regarding the present complaints” and that as a result Respondent’s “daily violations, with associated CMPs, continued for many months.” ALJ Decision at 18. The ALJ “considered this failure as a factor supporting the imposition of a significant CMP of $75,000,” and noted this “disregard of OCR’s technical guidance as evidence of the level of culpability (i.e., willful neglect).” Id. The ALJ found that “factors such as repeat noncompliance and efforts to attempt to correct previous indications of noncompliance” were “both inapplicable to the present circumstances because there is no reported history of past noncompliance.” Id.
The ALJ then concluded that “a CMP of $75,000 is an appropriate CMP based on consideration of the factors at 45 C.F.R. § 160.408 as they apply to the specific facts and circumstances presented in this case.”10 Id. at 29.
Respondent argues that the $75,000 CMP the ALJ imposed is “excessive given the factors contemplated for imposition of a CMP as applied to the facts and circumstances in this case.” R. Br. at 8. Respondent compares the CMP to others imposed in two resolution agreements and argues that the ALJ did not apply listed factors that are mitigating. Id. at 9-12. None of these arguments demonstrate error in the ALJ Decision.
Regarding the factor at 45 C.F.R. § 160.408(a) (“The nature and extent of the violation, consideration of which may include but is not limited to . . . [t]he number of individuals affected; and . . . [t]he time period during which the violation occurred”), Respondent notes the ALJ’s finding that “[o]nly one individual was adversely affected by this violation.” R. Br. at 9; ALJ Decision at 27. The ALJ, however, applied this factor in reducing the proposed CMP (after noting that OCR had not addressed it), and considered that only one person’s records were involved, and Respondent has not demonstrated why this factor renders the reduced amount unreasonable.
Also regarding this factor, Respondent argues that “[i]t should not be lost upon [the Board’s] consideration that the purpose of the Complainant’s request was for purposes of filing a lawsuit.” R. Br. at 9. Even if correct this contention would not diminish Respondent’s culpability for its ongoing refusal to provide the requested records at permissible fees after being apprised of the Privacy Rule requirements. Notwithstanding the potential broadness of the factor “the nature and extent of the violation,” Respondent cites nothing to indicate that it includes the reasons for which an affected party seeks access to their medical records, and certainly nothing permitting a covered entity to delay fulfilling records requests to forestall or obstruct the filing of civil actions regarding medical care the covered entity provided. Respondent, moreover, does not accurately state the entirety of the record concerning the complainant’s motivation for seeking her mother’s medical records in the immediate aftermath of her transfer from GCCC to an acute care hospital. While an OCR memorandum documenting a phone call to the complainant on January 7, 2020 states that the complainant “would still like a copy of [the AP’s] medical records because [the complainant] wants to take action against the doctor [at GCCC] who discontinued [the AP’s] diabetes shots,” as the ALJ noted, documentation of an earlier OCR phone call on June 20, 2019 states that the complainant sought the records so that the AP “can receive appropriate care,” as the ALJ also noted. OCR Ex. 6, at 3; OCR Ex. 16, at 1; ALJ Decision at 6, 8. The two reasons for the record request are not inconsistent or contradictory – it is eminently reasonable that the immediacy of the need for the records to facilitate continuity of care could diminish over time.
In arguing that factors were not properly considered, Respondent cites the ALJ’s determination that the factor at section 160.408(c) (the “history of prior compliance . . . including violations”) was “inapplicable . . . because there is no reported history of past noncompliance.” ALJ Decision at 28; R. Br. at 11; see also 78 Fed. Reg. 5,566, 5,585 (Jan. 25, 2013) (“[W]e agree that an entity’s history of compliance – not only a history of noncompliance – is important, and will consider such a factor.”). OCR, however, found in its notice of proposed determination that since 2000, Respondent had engaged Secrest as a business associate without the written agreement that section 164.502(e) required before Respondent could share PHI with Secrest. OCR Ex. 21, at 3, 6; see also OCR Br. at 26 (“Respondent had shared PHI with the Secrest firm before entering into a written business associate agreement with that firm, in violation of section 164.502(e), for nearly 20 years.”). OCR calculated the CMP for that violation beginning on March 30, 2015 (at the “reasonable cause” culpability level), because it was precluded from imposing a CMP unless the action is commenced within six years from the date of the violation. OCR Ex. 21, at 2, 7, 12; 45 C.F.R. § 160.414. Additionally, as the ALJ noted, OCR’s notice does not address the factor at 160.408(c). This evidence indicates a history of noncompliance that OCR did not take into account in determining the CMP.
We also note that prior to imposing remedies, OCR invited Respondent “to submit written evidence of any mitigating factors (45 C.F.R. § 160.408) or affirmative defenses (45 C.F.R. § 160.410) for OCR’s consideration in a determination of a civil money penalty.” OCR Ex. 17, at 2; 45 C.F.R. § 160.534(b)(1)(ii). Secrest in its May 5, 2020 response on behalf of Respondent did not assert a prior history of compliance with Privacy Rule requirements. OCR Ex. 18. The ALJ, moreover, reduced the CMP amount by two thirds. In light of these considerations, we conclude that any error by the ALJ in deeming two of the considerations in the “history of prior compliance” factor inapplicable was harmless.
Respondent also argues that the CMP “far exceeds” the amounts that two covered entities – a diagnostic laboratory and a primary care provider – agreed to pay in resolution agreements ($16,500 and $20,000) for “similar violations where similar amounts of time had passed” before the covered entities provided the records. R. Br. at 9-10 (citing resolution agreements published on the hhs.gov HIPAA website11). As OCR notes, however, the Board has held, in appeals of sanctions CMS imposes on SNFs for noncompliance with Medicare participation requirements, that “[c]ase-to-case comparisons generally have little value given the unique circumstances of each case and the myriad factors that must be considered,” and that “[i]t would be almost impossible to make any true comparisons of different cases since the underlying facts of noncompliance vary considerably, as do the other factors.” Western Care Mgmt. Corp., d/b/a Rehab Specialties Inn, DAB No. 1921, at 94 (2004); Alexandria Place, DAB No. 2245, at 31 (2009); OCR Br. at 27. As we observed in Vibra Hospital of Charleston - TCU, “[t]he regulatory factors do not require CMS to compare the facts of one case to other cases to determine the CMP amount.” DAB No. 3094, at 31 (2023) (citing Crawford Healthcare & Rehab., DAB No. 2738, at 21 (2016) and 42 C.F.R. § 488.438(e)(3) in rejecting “the contention that the CMPs imposed here should be reduced based on a comparison of CMPs imposed in other cases”). The regulations here also do not call for comparisons with other cases in setting CMP amounts. See 42 C.F.R. § 160.408.
“While we reject the contention that the CMPs imposed here should be reduced based on a comparison of CMPs imposed in other cases,” Vibra at 31, we also note dissimilarities in the cited cases. In addition to both involving resolution agreements and agreements by the covered entities to implement corrective action plans, each concerned only one violation, the failure to grant timely access, instead of the three violations here, and the violations occurred over shorter time periods. OCR, moreover, cites four cases involving failure to timely provide requested records in which it issued notices of proposed determination that involved CMPs higher than what the ALJ sustained here. OCR Br. at 29. Such variation of cases and their particular circumstances, and Respondent’s failure to show that the two cases it cites are representative of the universe of cases that could be cited for comparison, tend to confirm our view of the limited value of comparisons and our conclusion that Respondent has not shown that the substantially reduced CMP the ALJ imposed is unreasonable.
Respondent also reiterates its argument that it relied on the advice of counsel; we considered and rejected that argument in sustaining the ALJ’s determination that Respondent’s culpability for the violations of section 164.524 constituted willful neglect.
In sum, the ALJ reduced by two thirds the CMP that OCR imposed and, for the reasons discussed above, Respondent has not shown any error by the ALJ in imposing a total CMP of $75,000 for Respondent’s failures, at the willful neglect culpability level, for some 10 months to provide the AP’s records, and to do so for reasonable fees, in violation of 45 C.F.R. § 164.524(b)(2) and (c)(4), and its long-term failure, at the reasonable cause that is not willful neglect culpability level, to have a written business associate agreement with Secrest, in violation of section 164.502(e). Respondent has not shown that the ALJ erred.
Conclusion
We affirm the ALJ Decision and the $75,000 CMP the ALJ imposed.
Endnotes
1 This summary is not intended to present new findings of fact. We refer the reader to the ALJ Decision for a more detailed narrative of the facts.
2 Respondent stated below that it sent the records to complainant at no charge. R. ALJ Br. at 24. This has no bearing on our analysis given that Respondent does not contest the ALJ’s determination that Respondent “violated 45 C.F.R. § 164.524(c)(4) on July 1, 2019, when it sought $200 for an electronic copy of the AP’s records, which is more than $150 more than the unrefuted ‘reasonable, cost-based fee’ for the AP’s medical records.” ALJ Decision at 19 (bold italics omitted).
3 Regarding the costs of producing the AP’s records, OCR asserted below that Respondent used an electronic medical record-keeping system, rendering per-page photocopying unnecessary; that the total cost to send a compact disc with an electronic copy of the AP’s medical records would not have exceeded $21.88; and that even if some portion of these records was maintained exclusively on paper, copying them would have cost no more than $25.76. OCR Motion for Summary Judgment/Prehearing Brief (OCR ALJ Br.) at 14-15, 20-21; see also ALJ Decision at 20 (noting that “Respondent does not refute these calculations, nor does it offer an explanation of how the $200 it requested for an electronic copy of the AP’s records was, in fact, based on a ‘reasonable, cost-based fee.’”). OCR based these determinations, which Respondent does not contest, on information about Respondent’s staff and equipment costs that Respondent’s replacement counsel provided in response to the ALJ’s August 29, 2022 Order Directing Respondent To Produce Discovery, following Secrest’s withdrawal as Respondent’s counsel. OCR ALJ Br. at 20-21; R. Notice of Compliance with Aug. 29, 2022 Order (filed Sept. 16, 2022).
4 The resolution agreement and corrective action plan are not among the record exhibits. See OCR Ex. 14 (OCR Jan. 16, 2020 letter to Secrest listing the resolution agreement and corrective action plan as enclosures); R. Ex. 8, at 1 (GCCC administrator affidavit referencing penalty of $333,000 proposed in the resolution agreement).
5 OCR stated Respondent had been in violation of the requirement for a written business associate agreement since 2000, but that “it is precluded [by 45 C.F.R. § 160.414] from imposing a CMP unless the action is commenced within six years from the date of the violation.” OCR Ex. 21, at 2, 3 6.
6 Respondent later states, “To the extent that the ALJ decision did not take into account that Respondent does in fact challenge OCR’s determination that the violation was at the reasonable cause level of culpability is incorrect based on Respondent’s continued contention that any such violation in this matter was not done with willful neglect.” R. Br. at 5 (italics in original). Respondent’s brief and the context of this statement, however, make clear that the referenced violation is of the requirements for responding to record requests at section 164.524(b)(2), (c)(4). Respondent argues only that these violations were not at the willful neglect culpability level, and its brief contains no argument concerning the violation of the requirement for a written business associate agreement at section 164.502(e), and no argument that culpability for any violation was at a level lower than reasonable cause.
7 OCR argued that Respondent failed to establish the elements of the advice-of-counsel defense recognized by federal case law, which OCR described as including “a written, well-reasoned legal opinion that cited relevant authorities”; that counsel was given “information needed to arrive at an informed opinion”; and that counsel “were competent to advise on the Privacy Rule’s right of access.” OCR Br. at 20-23 (citing cases). Respondent did not reply to this argument before the Board, despite requesting and receiving an opportunity to file a reply to OCR’s brief in response to Respondent’s appeal and brief.
8 The assertion that Respondent’s business associate attorney – Secrest – was hired for the sole purpose of addressing and responding to OCR’s letter is not consistent with Secrest’s earlier representation that it “handles all record requests” for Respondent. OCR Ex. 9, at 1.
9 The ALJ noted here that “had the complainant opted to promptly pay the $200 requested on July 1, 2019, in order to quickly obtain access to the requested medical records, the duration of the CMP” – meaning the portion based on 245 days of noncompliance with 45 C.F.R. § 164.524(b)(2) (timely response to record request) – “may have been shortened by many months, as Respondent would have provided access prior to January 30, 2020.” ALJ Decision at 25 n.25. By the same token, Respondent could have shortened that portion of the maximum CMP by timely providing the records to the complainant while still seeking the requested fee from the complainant.
10 The ALJ also noted that a federal court of appeals decision reversing Privacy Rule CMPs imposed for disclosure of PHI cited the defendant HHS’s inability to prove factors such as physical, financial, and reputational harm, and hindrance of an individual’s ability to obtain health care. ALJ Decision at 26, 29 (citing Univ. of Tex. M.D. Anderson Cancer Ctr. v. U.S. Dep’t of Health & Human Servs., 985 F.3d 472, 481 (5th Cir. 2021)). The court reversed a Board decision upholding $4-million-plus CMPs that OCR imposed in connection with the theft and loss of a laptop and two thumb drives containing unencrypted PHI of some 35,000 individuals. The Univ. of Tex. MD Anderson Cancer Ctr., DAB No. 2927 (2019), vacated and remanded, 985 F.3d 472.
11 https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/life-hopes-ra-cap/index.html; https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/health-specialists-ra-cap/index.html.
Karen E. Mayberry Board Member
Constance B. Tobias Board Member
Jeffrey Sacks Presiding Board Member