
OCR issues 50th HIPAA right of access enforcement action

OCR resolved a HIPAA right of access case involving Gums Dental Care following a complaint that the practice had failed to provide a patient with timely access to their records.

The HHS Office for Civil Rights resolved its 50th HIPAA right of access enforcement action with Gums Dental Care, a solo dental practice in Maryland. Following an investigation, OCR imposed a $70,000 civil monetary penalty against Gums Dental Care.

The investigation stemmed from a May 2019 complaint to OCR in which an individual alleged that she had made a request to Gums Dental for copies of her and her minor children's protected health information (PHI) on April 8, 2019.

Gums Dental responded to the request by providing information about how many times each of the patients involved in the request had visited the office but failed to provide an electronic copy of the PHI as requested.

OCR sent a letter to Gums Dental explaining HIPAA right of access provisions and encouraging it to train its workforce on right of access provisions. However, in July 2019, the same complainant made another request and did not receive a response, causing her to file another complaint with OCR in August 2019.

OCR reached out to Gums Dental again but did not receive a response to its data request letters. In October 2020, OCR received an email from a dentist at the practice, who explained that the complainant had refused to pay a $25 fee to have the medical records delivered via mail. Additionally, the dentist said she believed that the complainant was seeking the records in order to commit insurance fraud.

OCR's investigation determined that the complainant's refusal to pay the $25 fee was not a valid reason to deny the request, since the complainant had requested that the information be sent electronically.

What's more, a covered entity is not permitted to require an individual to provide a reason for requesting access to their medical records. If the patient does provide a reason, that reason cannot be the basis for denying access, OCR concluded.

Essentially, HIPAA right of access provisions require covered entities to provide the individual with access to their PHI in the format they requested, at a reasonable cost and within 30 days of the initial request. Exceptions to this rule are rare, but account for extreme circumstances, such as instances where the access is "reasonably likely" to endanger the life or safety of another person.

"An essential hallmark of HIPAA is the right to patients' timely access to their medical records. Patients should not have to make multiple requests and file complaints with HHS' Office for Civil Rights to get their own medical records," said OCR Director Melanie Fontes Rainer in a press release.

"This investigation marks OCR's 50th right of access enforcement action. Health care providers should get the message -- loud and clear -- when a patient seeks their medical information, you must provide it to them, period."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
