The US Department of Health and Human Services' Office for Civil Rights (OCR) issued a $70,000 penalty to Gums Dental Care in Silver Spring, MD, for not providing timely access to a patient’s health records.
Gums Dental Care failed to respond to multiple requests from a patient for copies of her and her children’s health records, violating HIPAA's Right of Access. On April 8, 2019, the patient requested the records be sent via email, but no records were provided. Instead, the practice responded with an email confirming the number of visits to the practice, which did not satisfy the request. After waiting nearly a month without further response, the patient filed a complaint with OCR on May 1, 2019.
The OCR consequently provided Gums Dental Care with technical support, including advice to immediately provide the requested records if valid. However, despite a follow-up request from the patient in June 2019 and a second complaint to OCR on August 2, 2019, the dental practice did not provide the records.
Gums Dental Care argued that the records were not delivered because the patient had not paid a $25 administration fee, which they claimed covered the cost of mailing the records via certified mail. Further, the practice owner, Dr. Anna Gumbs, suggested the patient intended to commit insurance fraud by resubmitting already-paid claims to another insurer.
“An essential hallmark of HIPAA is the right to patients’ timely access to their medical records. Patients should not have to make multiple requests and file complaints with HHS’ Office for Civil Rights to get their own medical records,” explains OCR Director Melanie Fontes Rainer.
Fontes Rainer added, “This investigation marks OCR’s 50th right of access enforcement action. Health care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”
Under HIPAA’s Right of Access provisions, patients have the right to obtain their health records promptly and in the format they request, where feasible. Providers can charge a reasonable, cost-based fee for labor, supplies, and postage. However, fees must align with the method of delivery requested by the patient.
In this case, the $25 fee for certified mail was deemed inappropriate because the patient requested her records by email, which incurs minimal cost. Additionally, suspicions of insurance fraud or inability to use secure email systems do not permit a provider to refuse access under HIPAA.
Patients have the right to access their health information, and healthcare practices must have the necessary processes and secure systems to meet these legal obligations. As HIPAA enforcement increases, providers must regularly undergo training and adhere to compliance protocols.
Healthcare providers cannot delay or obstruct patients’ access to their own medical records. Furthermore, using a HIPAA compliant email solution like Paubox helps providers avoid costly penalties and uphold patient rights.
No, regular email services, like Gmail and Outlook, are not secure. Instead, providers must use a HIPAA compliant emailing platform, like Paubox, to safeguard patients' protected health information (PHI).
An email is HIPAA compliant when it meets the HIPAA requirements for protecting sensitive patient information. Therapists must use a HIPAA compliant emailing platform, like Paubox, which offers encryption, access controls, and audit trails to safeguard patients' mental health information and mitigate data breaches.
Additionally, Paubox signs a business associate agreement (BAA) with the healthcare entity to ensure HIPAA compliance.
Yes, providers can send attachments, like PDFs and documents, using a HIPAA compliant emailing platform, like Paubox, which automatically encrypts attachments.