NYSDA Publications

OCR Takes HIPAA Action Against Dental Practice

Oct 21, 2024

Per the notice below, the United States Office for Civil Rights (OCR) has taken action against a dental practice for failing to provide timely access to patient records under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HHS Office for Civil Rights Imposes a $70,000 Civil Monetary Penalty Against Gums Dental Care for Failure to Provide Timely Access to Patient Records

The civil money penalty marks OCR’s 50th HIPAA Right of Access enforcement action

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $70,000 civil monetary penalty against Gums Dental Care, LLC (Gums Dental Care), a solo dental practice in Maryland that provides family dental care, as a result of an investigation based on a complaint that Gums Dental had failed to provide a patient with timely access to their medical records.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee.

“An essential hallmark of HIPAA is the right to patients’ timely access to their medical records.  Patients should not have to make multiple requests and file complaints with HHS’ Office for Civil Rights to get their own medical records,” said OCR Director Melanie Fontes Rainer.  “This investigation marks OCR’s 50th right of access enforcement action.  Health care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow relating to the privacy and security of protected health information.  The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.  This is a critical part of HIPAA and patient’s empowerment with their data.

OCR first received a complaint alleging that Gums Dental Care had failed to provide the complainant access to her and her children’s medical records.  OCR sent a technical assistance letter notifying Gums Dental Care of its obligation to respond to requests for medical records and closed the complaint.  After the complainant filed a second complaint alleging Gums Dental Care had still not provided complainant with access to the requested records, OCR opened an investigation.  OCR’s investigation found that Gums Dental Care failed to take timely action in response to the patient’s right of access request.  Specifically, Complainant submitted written requests for the records in April 2019, and again in June 2019, but Gums Dental Care did not attempt to provide the records until May 2022.  In March 2022, OCR issued a Notice of Proposed Determination seeking to impose a $70,000 civil monetary penalty.  Gums Dental Care challenged OCR’s Notice of Proposed Determination and requested a hearing before an Administrative Law Judge (ALJ).  On September 29, 2023, the ALJ imposed a $70,000 civil monetary penalty.  Gums Dental Care appealed the decision, and on March 22, 2024, the Departmental Appeals Board affirmed the Decision.  Accordingly, OCR imposed the $70,000 civil monetary penalty in a Notice of Final Determination.  The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gums-dental-care-npd/index.html.

OCR’s guidance on the HIPAA right of access is available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.  OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.  Guidance about the Privacy RuleSecurity Rule, and Breach Notification Rule can also be found on OCR’s website.  If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.