Sent via Certified Mail, Return Receipt Requested and
July 13, 2021
Dr. Anthony DeCeanne
A.C.P.M. Podiatry Group, Ltd.
5017 N. Glen Park Pl.
Peoria, IL 61614
Re: A.C.P.M. Podiatry Group, Ltd.
OCR Transaction Number: 19-343845
Notice of Proposed Determination
Dear Dr. DeCeanne:
Pursuant to the authority delegated by the Secretary of the United States Department of Health and Human Services (“HHS”) to the Office for Civil Rights (“OCR”), we are writing to inform you that OCR is proposing to impose a civil money penalty (“CMP”) of $100,000 against A.C.P.M. Podiatry Group, Ltd. (“ACPM”).
This proposed action is being taken under regulations promulgated as authorized by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), § 262(a), Pub.L. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Public Law 111-5, Section 13410, codified at 42 U.S.C. § 1320d-5, and under 45 C.F.R. Part 160, Subpart D.
I. The Statutory Basis for the Proposed CMP
The Secretary of HHS is authorized to impose CMPs (subject to the limitations set forth at 42 U.S.C. § 1320d-5(b)) against any covered entity, as described at 42 U.S.C. § 1320d-1(a), that violates a provision of Part C (“Administrative Simplification”) of Title XI of the Social Security Act. See HIPAA, § 262(a), as amended, 42 U.S.C. § 1320d-5(a). This authority includes imposing CMPs for violations of the applicable provisions of the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D) pursuant to Section 264(c) of HIPAA. The Secretary has delegated enforcement responsibility for the HIPAA Rules to the Director of OCR. See 65 Fed. Reg. 82,381 (Dec. 28, 2000) and 74 Fed. Reg. 38630 (July 27, 2009). The Secretary is authorized under the HITECH Act § 13410, 42 U.S.C. § 1320d-5(a)(3), to impose CMPs for violations occurring on or after February 18, 2009,[1] of:
- A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
- A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
- A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
- A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
- As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.[2] The adjusted amounts are applicable only to CMPs whose violations occurred after November 2, 2015.
OCR is precluded from imposing a CMP unless the action is commenced within six years from the date of the violation.[3]
II. Findings of Fact
- ACPM is a “covered entity” as defined at 45 C.F.R. § 160.103, and, as such, is required to comply with the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
- ACPM has offices in Peoria and Canton, Illinois, and is listed on the UnityPoint Health website.[4]
- ACPM creates, maintains, receives, and electronically transmits the protected health information (“PHI”) of patients who receive health care services from ACPM. ACPM accepts Medicare and participates in most insurance networks.
- The HIPAA Privacy Rule provides that an individual generally has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set. See 45 C.F.R. § 164.524(a)(i).
- The HIPAA Privacy Rule requires that a covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. See 45 C.F.R. §164.524(b)(i).
- The HIPAA Privacy Rule also requires that a covered entity must act on a request for access no later than 30 days after receipt of the request by taking one of the actions set forth in the provision. See 45 C.F.R. § 164.524(b)(ii).
- On April 8, 2019, OCR received an initial complaint from Richard Lindsey (“Complainant”), an individual alleging he was a former ACPM patient and that ACPM refused to provide him with his requested medical records.
- On April 18, 2019, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR’s technical assistance letter informed ACPM of an individual’s right to access the individual’s PHI maintained by a covered entity in a designated record set, for as long as the PHI is maintained in the designated record set (e.g., medical or billing records). 45 CFR § 164.524(a)(1).
- The letter also informed ACPM that a covered entity must act on the request for access no later than 30 days after receipt of such a request and, in certain circumstances, no later than 60 days after the receipt of such a request. 45 C.F.R. § 164.524(b)(2). The technical assistance letter informed ACPM that a covered entity may not withhold or deny an individual access to his PHI on the grounds that the individual has not paid the bill for health care services which the covered entity provided to the individual.
- The Complainant was also notified by letter dated April 18, 2019, that OCR closed its investigation informally through the provision of technical assistance to ACPM. The letter directed the Complainant to contact OCR if he continued to experience the issues described in his complaint.
- On May 19, 2019, OCR received a second complaint from the Complainant alleging that ACPM still had not provided him with a copy of his medical records.
- The Complainant alleges that ACPM failed to respond to oral requests made in September and October 2018 for a copy of his medical records.
- The Complainant further alleges that on November 13, 2018, while at ACPM’s Peoria office, he submitted a written request for a copy of his medical records to be provided to him.
- The Complainant alleges he inquired about his request in December 2018, and that an ACPM employee informed him that ACPM was not trying to refuse his request, but had a lot of surgeries to complete before year end.
- The Complainant alleges on January 23, 2019, he inquired about his access request again, and that Dr. Anthony DeCeanne (“Dr. DeCeanne”) stated to the Complainant that the Complainant’s insurance had not paid the bill, and if the insurance doesn’t pay, ACPM would not release the records.
- The second complaint also alleges that on April 24, 2019, the Complainant went to ACPM to inquire about his access request and an ACPM employee named Ashley told him, “We still have your request and we have you[r] number.”
- The Complainant asserts that he needed the requested medical records to appeal an unfavorable decision made by his health insurance company for the payment of a bill related to treatment provided by ACPM to the Complainant. The Complainant’s deadline to appeal his health insurance company’s determination was July 2, 2019.
- By certified mail dated June 14, 2019, OCR notified ACPM in writing of the May 19, 2019 complaint and issued a data request. The data request included a request for information from ACPM including whether ACPM provided the Complainant with the requested medical records, and a copy of ACPM’s policy regarding providing access to medical records.
- The data request letter again informed ACPM of an individual’s right to inspect and obtain a copy of the PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set, under the Privacy Rule (45 CFR § 164.524(a)(1)). The Privacy Rule generally requires HIPAA covered entities (e.g., health plans and most health care providers) to provide individuals, upon request, with access to the PHI about them in one or more “designated record sets” maintained by the covered entity.
- The data request informed ACPM that it could do any of the following: (a) respond to the allegation; (b) submit evidence indicating that it was not a covered entity or business associate subject to the Privacy Rule; (c) submit evidence that the alleged violation did not occur as described by the Complainant; (d) submit evidence that ACPM’s action complied with the Rule; or (e) that ACPM took prompt and effective action to correct the noncompliance. OCR requested that ACPM respond to OCR’s data request letter by June 29, 2019.
- ACPM did not respond to the data request by June 29, 2019.
- When ACPM did not respond within the requested timeframe, OCR made follow-up calls to ACPM on July 2, 2019, and July 9, 2019. On both occasions, OCR spoke with Ashley, a workforce member at ACPM, who assured OCR that Dr. DeCeanne had received OCR’s data request letter.
- During the July 9, 2019 call, Ashley confirmed to OCR that she spoke with Dr. DeCeanne regarding this matter after her call with OCR on July 2, 2019.
- On July 16, 2019, OCR sent ACPM a letter via certified mail informing ACPM of its responsibility to cooperate with OCR’s investigation, pursuant to 45 C.F.R. § 160.310(b). With this letter, OCR enclosed a copy of the June 14, 2019, data request, and requested that ACPM submit its responses to OCR within ten days of the July 16, 2019 letter. OCR also requested that ACPM contact the investigator assigned to the case to arrange for the production of the data requested by OCR.
- ACPM failed to respond to OCR’s June 14, 2019 data request letter, nor did ACPM contact the investigator assigned to this case.
- On July 28, 2020, the Complainant notified OCR that he received a copy of his medical records from ACPM on July 23, 2020 (618 days after the Complainant’s November 13, 2018, written access request). The Complainant asserts that the records received are incomplete.
- On November 9, 2020, OCR issued a Letter of Opportunity to ACPM via email and certified mail, return receipt requested. The letter informed ACPM that OCR’s investigation indicated that ACPM failed to comply with 45 C.F.R. § 164.524(b)(2) of the HIPAA Privacy Rule and that the matter has not been resolved by informal means despite OCR’s attempts to do so. The letter stated that, pursuant to 45 C.F.R. § 160.312(a)(3), OCR was informing ACPM of the preliminary indications of non-compliance and providing ACPM with an opportunity to submit written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404. The letter stated that ACPM could also submit written evidence to support a waiver of a CMP for the indicated areas of non-compliance. Each act of noncompliance under the Privacy Rule was described in the letter. OCR requested that ACPM respond to the letter within thirty (30) calendar days from the date of the letter, calculated pursuant to 45 C.F.R. § 160.526.
- OCR received the requested return receipt showing that ACPM received the Letter of Opportunity on November 13, 2020.
- To date, ACPM has not provided a response to the Letter of Opportunity and therefore has not provided any written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404. ACPM also did not submit any written evidence to support a waiver of a CMP for the indicated areas of non-compliance.
- OCR obtained the authorization of the Attorney General of the United States prior to issuing this Notice of Proposed Determination to impose a CMP.
III. Basis for CMP
Based on the above findings of fact, we have determined that ACPM is liable for the following violation of the HIPAA Privacy Rule and, therefore, is subject to a CMP.
- ACPM failed to provide timely access to medical records in violation of 45 C.F.R. § 164.524(b)(2) after lawful request for such records from the Complainant. The appropriate penalty tier for this violation from May 18, 2019,[5] to July 21, 2020,[6] is willful neglect, uncorrected, as follows:
- Calendar Year 2019 - May 18 to December 31, 2019: 227 days X $59,522 = $13,571,016, capped at $1,785,561
- Calendar Year 2020 - January 1 to July 21, 2020: 202 days X $59,522 = $12,023,444, capped at $1,785,561
IV. No Affirmative Defenses
By OCR’s November 9, 2020 Letter of Opportunity, OCR offered ACPM the opportunity to provide written evidence of affirmative defenses within thirty (30) days from the date of the letter. To date, ACPM has not provided a response.
V. Factors Considered in Determining the Amount of the CMP
In determining the amount of the CMP, OCR has considered the factors listed at 45 C.F.R. § 160.408, as applicable. By its November 9, 2020 Letter of Opportunity, OCR offered ACPM the opportunity to provide written evidence of mitigating factors under 45 C.F.R. § 160.408. ACPM did not provide a response. Nevertheless, OCR has considered the factors listed at 45 C.F.R. § 160.408 as follows:
1) Nature and Extent of the Violation
While the violation only affected one individual, the length of the violation was substantial. OCR’s investigation revealed that ACPM did not fulfill the Complainant’s access requests until 618 days after the Complainant’s November 13, 2018, written access request.
2) Nature and Extent of Harm Resulting from Violation
ACPM’s delay in providing the requested records to the Complainant caused him financial harm as the Complainant did not have the medical records needed to appeal an unfavorable decision made by his health insurance company.
3) History of Prior Compliance with the Administrative Simplification provisions, including violations
Before investigating the subject complaint in this action, OCR received two additional complaints alleging a violation of the Privacy Rule’s right of access standard. Specifically, on April 8, 2019, OCR received the Complainant’s first complaint regarding this matter. On April 18, 2019, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard, as stated above, and closed the Complainant’s April 8, 2019 complaint. Despite having received notice of the complaint and OCR’s technical assistance regarding its compliance obligations, ACPM did not provide Complainant with access to his records until Complainant filed another complaint with OCR and OCR initiated its investigation. Two years prior, on November 8, 2017, OCR received a complaint from a patient of Dr. DeCeanne, Rebecca Rosekopf, alleging that despite numerous requests for a copy of her medical records, ACPM had not provided her with the requested medical records. On December 17, 2017, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard similar to the technical assistance provided in the Complainant’s April 8, 2019 complaint, and closed the matter. OCR has considered these two complaints in determining the amount of the CMP.
4) Financial Condition of ACPM
As ACPM did not provide OCR with any information regarding its financial condition, OCR reviewed available information, including ACPM’s Medicare reimbursements from January 1, 2014 through April 14, 2020, which total $2,236,156, and has considered this information in determining the amount of the CMP. Please see table below for the annual Medicare reimbursements that ACPM received from January 1, 2014 to April 14, 2020.
|Year|ACPM’s Medicare Reimbursement Amount|
|---|---|
|2020 through April 14, 2020|$42,324|
While ACPM did not provide any evidence of mitigating factors for OCR to consider in proposing a CMP, OCR also considered the impact of the COVID-19 public health emergency on the health care industry. OCR is using the discretion contemplated by 45 C.F.R. § 160.408(d) and (e) to propose a reduced CMP of $100,000.
OCR has determined that there is no basis for waiver of the proposed CMP amount as set forth at 45 C.F.R. § 160.412. In its November 9, 2020 Letter of Opportunity, OCR described OCR’s findings and ACPM’s violation of the HIPAA Privacy Rule and provided ACPM an opportunity to submit written evidence to support a waiver of a CMP. ACPM did not provide a response.
VII. Amount of CMP
A. Amount of CMP Per Violation
OCR finds that ACPM is liable for a CMP for violating the following requirement of the Privacy Rule:
Timely Action by the Covered Entity – 45 C.F.R. § 164.524(b)(2). The CMP amount is based on 45 C.F.R. § 160.404(b)(2)(iv) [Willful neglect not corrected within 30 days].
B. Total Amount of CMP
The maximum CMP amount that could be imposed on ACPM with regard to the violation described is $3,571,302 (See attached chart). However, based on OCR’s evaluation of the factors listed in 45 C.F.R. § 160.408, OCR has determined that a CMP of $100,000.00 is warranted in this matter.
VIII. Right to a Hearing
ACPM has the right to a hearing before an administrative law judge to challenge the proposed CMP. To request a hearing to challenge the proposed CMP, you must mail a request, via certified mail with return receipt requested, under the procedures set forth at 45 C.F.R. Part 160 within 90 days of your receipt of this letter. Such a request must: (1) clearly and directly admit, deny, or explain each of the findings of fact contained in this notice; and (2) state the circumstances or arguments that you allege constitute the grounds for any defense, and the factual and legal basis for opposing the proposed CMP. See 45 C.F.R. § 160.504(c). If you wish to request a hearing, you must submit your request to:
Department of Health & Human Services
Departmental Appeals Board, MS 6132
Civil Remedies Division
330 Independence Ave, SW
Cohen Building, Room G-644
Washington, D.C. 20201
Telephone: (202) 565-9462
Serena Mosley-Day, Senior Advisor
Office for Civil Rights
200 Independence Avenue, SW
Hubert H. Humphrey Building
Washington, D.C. 20201
A failure to request a hearing within 90 days permits the imposition of the proposed CMP without a right to a hearing under 45 C.F.R. § 160.504 or a right of appeal under 45 C.F.R. § 160.548. If you choose not to contest this proposed CMP, you should submit a written statement accepting its imposition within 90 days of receipt of this notice.
If ACPM does not request a hearing within 90 days, then OCR will notify you of the imposition of the CMP through a separate letter, including instructions on how you may make payment, and the CMP will become final upon receipt of such notice.
If you have any questions regarding this matter, please contact Emily Crabbe, Advisor for HIPAA Compliance and Enforcement at (404) 562-7878 or at email@example.com.
Enclosures: Appendix A (CMP Chart)
- 1. For violations occurring on or after November 3, 2015, HHS may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The annual inflation amounts are found at 45 C.F.R. § 102.3.
- 2. See Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Sec. 701 of Public Law 114-74.
- 3. 45 C.F.R. § 160.104
- 4. https://www.unitypoint.org/peoria/provider.aspx?id=3261&clinicid=1095.
- 5. Although ACPM was obligated to respond to the Complainant within 30 days of his initial request, OCR is beginning the calculation of this violation 30 days after it provided ACPM technical assistance regarding its obligations.
- 6. On July 21, 2020, ACPM mailed the Complainant a copy of his medical records.