
Ever had a root canal that felt less painful than dealing with bureaucracy? Well, buckle up, because in this episode, we sink our teeth into the 50th patient right of access enforcement action under HIPAA. That’s right—50 cases since 2019, and somehow, this one involving Dr. Gumbs (yes, really) and a dental records dispute is the most absurd of the bunch. From a refusal to hand over records to racking up government fines like trading cards, this saga is a wild reminder of what happens when compliance takes a backseat.
In this episode:
Gumming Up the Works: Dental Record Request Nightmare – Ep 481
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
[04:32]
A company’s remote-working hire turned out to be in North Korea. He tried to hold it to ransom.
According to BBC News, the company hired the technician as a contractor after he had falsified his employment history and personal details.
Early into his four-month employment, he used remote-work tools to infiltrate the company’s systems, downloading a large amount of company data, per Secureworks.
Secureworks said the worker was later dismissed for poor performance and that, soon after, the company began receiving emails with attachments containing evidence of stolen data.
It said the company also received an email demanding a six-figure sum in cryptocurrency to not publish it or sell the information online.
Firm hacked after accidentally hiring North Korean cyber criminal
Gumming Up the Works: Dental Record Request Nightmare
[14:56] Today, we’re tackling the 50th HIPAA Right of Access enforcement action, and boy, does it have some teeth! Gums Dental Care learned the hard way what happens when you ignore patient requests for medical records and try to charge unnecessary fees. The result? A whopping $70,000 civil monetary penalty—and it could have been much worse. Join us as we unravel the timeline of this dental drama, explore the patient’s right to timely access, and discuss why HIPAA compliance is more critical than ever. Spoiler alert: don’t mess with patients’ records!
For the 50th time, Patient Right of Access!
The civil money penalty marks OCR’s 50th HIPAA Right of Access enforcement action
Gums Dental Care, LLC Notice of Proposed Determination | HHS.gov
“An essential hallmark of HIPAA is the right to patients’ timely access to their medical records. Patients should not have to make multiple requests and file complaints with HHS’ Office for Civil Rights to get their own medical records,” said OCR Director Melanie Fontes Rainer. “This investigation marks OCR’s 50th right of access enforcement action. Health care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”
Timeline of this mess
April 8, 2019 – The patient requested records for herself and her minor children, to be sent electronically via email.
Gums Dental responded to the email request that same day with a statement of how many times each of them had visited the office but failed to provide the PHI requested.
May 1, 2019 – Complaint filed alleging that Gums Dental failed to provide complete copies of her and her minor children’s dental records.
May 7, 2019 OCR told them they needed to provide records following HIPAA requirements and closed the complaint. This is the normal process – they tell them what HIPAA says and expect them to follow it unless they already know this group. Here is what they said the letter to the provider included:
The letter encouraged Gums Dental to share the technical assistance materials with its staff as part of its HIPAA workforce training, to assess and determine whether any noncompliance as alleged by the Complainant occurred, and to take any steps necessary to ensure noncompliance does not occur in the future. The letter also encouraged Gums Dental to review the facts of the Complainant’s request for access and provide access swiftly, if appropriate. Lastly, OCR notified Gums that if OCR should receive a similar allegation of noncompliance against it in the future, OCR may initiate a formal investigation of that matter.
June 26, 2019 – Another written request via email for copies of her and her children’s dental records was made, this time expressing a willingness to accept the records via email or as paper records sent to her physical address.
August 2, 2019 another complaint was filed with OCR because they still had no records.
August 26, 2019 another written request via email to Gums Dental for copies of her and her children’s dental records. OCR noted that Gums Dental provided no evidence that they responded to this request either.
September 5, 2019 OCR sent a letter about the complaint and requested data including whether or not they had provided the requested records. They told them again that they must supply the records as requested.
Gums Dental did not respond to OCR’s data request letter.
Oct 8, 2019, OCR left a voicemail following up on the data request.
Oct 31, 2019, OCR left ANOTHER voicemail following up on the request for details.
[THEN COVID HAPPENED]
[26:21] October 1, 2020, OCR sent a proposed resolution agreement and corrective action plan (RA/CAP) telling them they need to get the records to the patient. That letter would have mentioned the $75,000 for the first time.
On October 22, 2020, Dr. Anna Gumbs sent an email to OCR stating her justification for not providing the medical records to the Complainant, asserting that the Complainant refused to pay a flat fee of $25.00 to have the medical records mailed certified to the Complainant.
On October 27, 2020, in a phone call with OCR, Dr. Anna Gumbs stated that she wanted to present her case in front of a judge.
She also reiterated that the Complainant had refused to pay the aforementioned flat fee for the records, and also asserted her belief that the Complainant would use the records to commit insurance fraud.
November 9, 2020, Gums Dental stated in writing that the Complainant refused to pay a $25.00 administrative flat fee to mail the records securely and that Dr. Anna Gumbs believed that the Complainant wanted to resubmit claims to a secondary insurance for services that were fully covered under Maryland Medicaid.
OCR points out the following regarding these defenses from the doctor:
Since the Complainant requested that the medical records be sent electronically via email, a $25.00 administrative flat fee to mail the records via certified mail using the United States Postal Service would not be permissible for providing access under the Privacy Rule. Furthermore, even if Dr. Gumbs’s allegation that the Complainant wanted to submit a fraudulent claim was true, a covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access.
December 8, 2020, OCR issued a Letter of Opportunity (“LOO”) letting them know that their investigation found they failed to comply with the Privacy Rule. They were giving them an “opportunity” to submit written evidentiary documents of mitigating factors or affirmative defenses they should consider in making their CMP determinations.
January 4, 2021, the doctor responded with the assertion that the denial was done to prevent insurance fraud from happening which made it acceptable. It also says that they didn’t have secured website access to provide electronic copies of records and couldn’t email them unsecured.
OCR pointed out: There was no evidence provided that Gums Dental attempted to provide the records in any other alternate form and format, even if email security was the issue.
This email thing goes back so far it is clear that they have never paid attention to what HIPAA requires, IMHO.
July 15, 2021, OCR obtained the authorization of the Attorney General of the United States prior to issuing this Notice of Proposed Determination to impose a CMP.
March 29, 2022 – OCR sends letter with Notice of Proposed Determination because Gums Dental has not responded to OCR’s data request letters or voicemails AT ALL
They even went out of their way to determine the CMP:
While Gums Dental has provided no evidence in response to OCR’s requests, through public information OCR has learned that Gums Dental is a solo practitioner dental provider that serves an urban and suburban community. The imposition of the maximum CMP would likely impact the ability of Gums Dental to provide dental care to its service area. Additionally, given the potential impact of the COVID-19 public health emergency on Gums Dental, OCR is using the discretion contemplated by 45 C.F.R. § 160.408(d) and (e), to impose a reduced CMP of $70,000.
[36:31] It really could have been out-of-business kind of money:
The total CMP amount that could be imposed on Gums Dental with regard to the violation described is $7,676,692 (See attached chart – Appendix A.) However, based on OCR’s evaluation of the factors listed in 45 C.F.R. § 160.408, OCR has determined that a CMP of $70,000 is warranted in this matter.
Even after that, Gums Dental Care challenged OCR’s Notice of Proposed Determination and requested a hearing before an Administrative Law Judge!
September 29, 2023, the ALJ imposed a $70,000 civil monetary penalty. Gums Dental Care appealed the decision.
March 22, 2024, the Departmental Appeals Board affirmed the Decision.
It is being announced today, but we are not sure if the money has been paid. Who knows how this could end up!
So, what’s the moral of this story? When the OCR comes knocking, it’s probably best to answer. The right of access is non-negotiable, whether you’re running a sprawling hospital or a solo dental practice. In the end, compliance isn’t just a legal requirement—it’s about patient care and trust. Because if you think not giving a patient their records is the hill to die on, you might find yourself sliding down a mountain of legal woes instead.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™


