Gums Dental Care, LLC Notice of Proposed Determination

U.S. Department of Health and Human Services
Office for Civil Rights
Mid-Atlantic Region
801 Market Street Suite 9300
Philadelphia, PA 19107-3134
Voice - (800) 368-1019
TDD - (800) 537-7697
Fax - (215) 861-4431
http://www.hhs.gov/ocr

March 29, 2022

Via USPS Certified Mail, Return Receipt Requested, Sent on March 29, 2022, and via Personal Service

Dr. Anna Gumbs
Gums Dental Care, LLC 
8830 Cameron St. Suite #203 
Silver Spring, MD 20910

Sent via email to Gumsdentalcare@gmail.com

Re: Gums Dental Care, LLC
OCR Transaction Number: 19-352542

Notice of Proposed Determination

Dear Dr. Gumbs:

Pursuant to the authority delegated by the Secretary of the United States Department of Health and Human Services (“HHS”) to the Office for Civil Rights (“OCR”), I am writing to inform you that OCR is proposing to impose a civil money penalty (“CMP”) of $70,000 against Gums Dental Care, LLC. (“Gums Dental”).

This proposed action is being taken under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), § 262(a), Pub.L. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Public Law 111-5, Section 13410, codified at 42 U.S.C. § 1320d-5, and under 45 C.F.R. Part 160, Subpart D.

I. The Statutory Basis for the Proposed CMP

The Secretary of HHS is authorized to impose CMPs (subject to the limitations set forth at 42 U.S.C. § 1320d-5(b)) against any covered entity, as described at 42 U.S.C. § 1320d-1(a), that violates a provision of Part C (“Administrative Simplification”) of Title XI of the Social Security Act. See HIPAA, § 262(a), as amended, 42 U.S.C. § 1320d-5(a). This authority includes imposing CMPs for violations of the applicable provisions of the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D). The Secretary has delegated enforcement responsibility for the HIPAA Rules to the Director of OCR. See 65 Fed. Reg. 82,381 (Dec. 28, 2000) and 74 Fed. Reg. 38630 (July 27, 2009). OCR is authorized under the HITECH Act § 13410, 42 U.S.C. § 1320d-5(a)(3), to impose CMPs for violations occurring on or after February 18, 2009,¹ of:

• A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
• A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
• A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
• A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
• As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.² The adjusted amounts are applicable only to CMPs whose violations occurred after November 2, 2015.

OCR is precluded from imposing a CMP unless the action is commenced within six years from the date of the violation.³

II. Findings of Fact

1. Gums Dental is a “covered entity” as defined at 45 C.F.R. § 160.103, and, as such, is required to comply with the requirements of the Privacy, Security and Breach Notification Rules.
2. Gums Dental is a solo dental practice that provides family dental care.
3. Gums Dental creates, maintains, receives, and transmits protected health information (“PHI”) related to patients who receive dental care services from its office.
4. On or about April 8, 2019, the Complainant made a written request to Gums Dental for copies of her PHI as well as the PHI of her minor children to be sent electronically via email. Gums Dental responded to the Complainant’s email request that same day with a statement of how many times each of them had visited the office but failed to provide the Complainant with the PHI requested.
5. OCR received a complaint with OCR (Transaction number 19-341840) on May 1, 2019, alleging that Gums Dental failed to provide the Complainant with complete copies of her and her minor children’s dental records
6. OCR closed the case by providing technical assistance and issuing a closure letter to Gums Dental on May 7, 2019.
7. The technical assistance included in OCR’s closure letter explained the right of access requirements pursuant to 45 C.F.R. § 164.524. The letter encouraged Gums Dental to share the technical assistance materials with its staff as part of its HIPAA workforce training, to assess and determine whether any noncompliance as alleged by the Complainant occurred, and to take any steps necessary to ensure noncompliance does not occur in the future. The letter also encouraged Gums Dental to review the facts of the Complainant’s request for access and provide access swiftly, if appropriate. Lastly, OCR notified Gums that if OCR should receive a similar allegation of noncompliance against it in the future, OCR may initiate a formal investigation of that matter.
8. On June 26, 2019, the Complainant made another written request via email for copies of her and her children’s dental records. Complainant expressed a willingness to accept the records electronically via email or paper records sent to her physical address. After receiving no records responsive to the request from Gums Dental, the Complainant filed a second complaint with OCR on August 2, 2019 (Transaction number 19-352542).
9. On August 26, 2019, the Complainant made another written request via email to Gums Dental for copies of her and her children’s dental records. Gums Dental did not provide any evidence to OCR that it responded to this request.
10. OCR notified Gums Dental in writing of the complaint and issued a data request letter on September 5, 2019. OCR requested data including whether the Complainant received access to her and her children’s medical records and a copy of Gums Dental’s policy regarding providing individuals with access to medical records.
11. The notification advised Gums Dental of OCR’s authority to collect information and ascertain a Covered Entity’s compliance with the Privacy Rule (45 CFR §§ 160.300 - 160.316).
12. Gums Dental did not respond to OCR’s data request letter.
13. OCR followed up on Gums Dental’s failure to respond to the previous data request with a voice mail left on October 8, 2019, and a subsequent call with Gums Dental on October 31, 2019.
14. On November 7, 2019, after not receiving a response to its data request, OCR sent another copy of its data request via certified mail.
15. To date, Gums Dental has not responded to OCR’s data request letters.
16. The Privacy Rule states that an individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set,⁴ for as long as the PHI is maintained in the designated record set. 45 C.F.R. § 164.524(a).
17. A covered entity must act on a request for access no later than 30 days after receipt of the request. 45 C.F.R. § 164.524(b)(2)(i).
18. OCR’s investigation determined that Gums Dental had not provided the Complainant with the requested medical records in a timely manner pursuant to 45 C.F.R. § 164.524(b)(2). The request was made in writing on or about April 8, 2019. Gumbs Dental has still not provided the records as requested.
19. On October 1, 2020, OCR sent a proposed resolution agreement and corrective action plan (RA/CAP) to Gums Dental to resolve the potential HIPAA right of access violation.
20. On October 22, 2020, Dr. Anna Gumbs sent an email to OCR stating her justification for not providing the medical records to the Complainant, asserting that the Complainant refused to pay a flat fee of $25.00 to have the medical records mailed certified to the Complaint.
21. On October 27, 2020, in a phone call with OCR, Dr. Anna Gumbs stated that she wanted to present her case in front of a judge. She also reiterated that the Complainant had refused to pay the aforementioned flat fee for the records, and also asserted her belief that the Complainant would use the records to commit insurance fraud.
22. In a letter dated November 9, 2020, Gums Dental stated in writing that the Complainant refused to pay a $25.00 administrative flat fee to mail the records securely and that Dr. Anna Gumbs believed that the Complainant wanted to resubmit claims to a secondary insurance for services that were fully covered under Maryland Medicaid.
23. The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Since the Complainant requested that the medical records be sent electronically via email, a $25.00 administrative flat fee to mail the records via certified mail using the United States Postal Service would not be permissible for providing access under the Privacy Rule. Furthermore, even if Dr. Gumbs’s allegation that the Complainant wanted to submit a fraudulent claim was true, a covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access.⁵
24. OCR issued a Letter of Opportunity (“LOO”) on December 8, 2020, and informed Gums Dental that OCR’s investigation indicated that Gums Dental failed to comply with the Privacy Rule. The LOO stated that pursuant to 45 C.F.R. § 160.312(a)(3), OCR was informing Gums Dental of the preliminary indications of non-compliance and providing Gums Dental with an opportunity to submit written evidence of mitigating factors under 45 C.F.R.
    § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R.
    § 160.404. The LOO stated that Gums Dental could also submit written evidence to support a waiver of a CMP for the indicated areas of non- compliance. Each act of noncompliance was described in the letter.
25. The LOO was delivered to Gums Dental via certified mail and received by Gums Dental’s agent on December 24, 2020, as evidenced by United States Postal Service records, as well as by email on December 9, 2020.
26. Gums Dental responded to the LOO with a certified letter on January 4, 2021, again asserting that Dr. Gumbs’ refusal to provide the records to the Complainant was an acceptable denial because Dr. Gumbs was attempting to prevent alleged insurance fraud. In addition, Gums Dental asserted that the Complainant requested the records be emailed and Dr. Gumbs noted that she does not have a secure website to ensure adequate safeguards with electronic delivery of the medical records.
27. The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual. See 45 C.F.R. § 164.524(c)(2)(i). As such, even if Gums Dental was unable to email the Complainant the requested records securely, the Privacy Rule requires Gums Dental to provide the Complainant with a readable hard copy or another form and format as agreed to by Gums Dental and the Complainant. Accordingly, Gums Dental’s assertion that they do not have a secure website, and therefore could not provide the requested records by email does not relieve Gums Dental form the right of access requirement to provide the Complainant with the requested records. There was no evidence provided that Gums Dental attempted to provide the records in any other alternate form and format. Rather, Gums Dental failed to provide the records at all. As noted above, Gums Dental’s justifications for denying the Complainant’s requests for access were not permissible exceptions to the access provision of the Privacy Rule.
28. Gums Dental’s response to the LOO did not provide any written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404. Gums Dental also did not submit any written evidence to support a waiver of a CMP for the indicated areas of non- compliance.
29. On July 15, 2021, OCR obtained the authorization of the Attorney General of the United States prior to issuing this Notice of Proposed Determination to impose a CMP.

III. Basis for CMP

Based on the above findings of fact, OCR has determined that Gums Dental is liable for the following violation of the HIPAA Rules and, therefore, subject to a CMP.

Gums Dental failed to provide access to medical records in violation of 45 C.F.R.
§ 164.524(b)(2) after lawful requests for such records from its patient and repeated explanations of Gums Dental’s obligations to provide such records by OCR. The appropriate penalty tiers for this violation from August 26, 2019, to March 29, 2022, are willful neglect, uncorrected as follows:

Calendar Year 2019: 209 days from August 26, 2019, to December 31, 2019 (Maximum potential CMP of $1,919,173).
Calendar Year 2020: 366 days from January 1, 2020 to December 31, 2020 (Maximum potential CMP of $1,919,173).
Calendar Year 2021: 365 days from January 1, 2021, to December 31, 2021 (Maximum potential CMP of $1,919,173).
Calendar Year 2022: 88 days from January 1, 2022, to March 29, 2022 (Maximum potential CMP of $1,919,173).

IV. No Affirmative Defenses

By its December 8, 2020, LOO, OCR offered Gums Dental the opportunity to provide written evidence of affirmative defenses within thirty (30) days from the date of that letter. Gums Dental responded with a letter only addressing the reason for denying the records and did not submit any affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404.

V. Factors Considered in Determining the Amount of the CMP

In determining the amount of the CMP, OCR considered the following factors in accordance with 45 C.F.R. § 160.408.⁶

1. OCR considered the nature and extent of the harm resulting from the violation. On July 6, 2021, the Complainant spoke with OCR and reported that her husband had attempted to schedule a dental appointment with Gums Dental, but that Dr. Gumbs refused to schedule him for such an appointment due to the Complainant’s pending complaint with OCR. As a result of Complainant’s desire to access her family and her own medical records, her family is now being denied access to dental care. Further, the Complainant is unable to seek insurance reimbursement for the services received from Dr. Gumbs because the records have not been provided.
2. OCR considered the nature and extent of the violation. Gums Dental failed to comply with the Complainant’s multiple requests for access to her and her children’s medical records, failed to remedy the potential violation when it was brought to Gums Dental’s attention with the initial technical assistance letter sent on May 7, 2019, and during OCR’s subsequent investigation through data requests sent on September 5, 2019 and November 7, 2019, and the violation is now over two years old, as Gums Dental still has not provided the requested records or provided any evidence of implementing corrective actions to prevent this type of violation from occurring in the future.
3. OCR considered Gums Dental’s history of compliance. Gums Dental previously ignored OCR’s May 7, 2019 technical assistance letter attempting to remediate the complaint allegations, as well as both data requests sent on September 5, 2019 and November 7, 2019. OCR has not received any other complaints against, or breaches reported by, Gums Dental.
4. OCR considered Gums Dental’s financial condition. OCR is cognizant of Gums Dental’s status as a sole dental provider; however, Gums Dental’s failure to cooperate with OCR’s investigation has prevented OCR from having specific knowledge of Gums Dental’s financial condition.
5. By its LOO, OCR offered Gums Dental the opportunity to provide written evidence of mitigating factors within thirty (30) days from the date of that letter. Gums Dental failed to provide a response containing mitigating factors for OCR’s consideration.

By failing to provide the Complainant with her and her minor children’s records, the violation indicated above—right of access—is considered to be an ongoing violation until the date cured.

For violations of 45 C.F.R. § 164.524(b)(2) that occurred during the period from August 26, 2019, to March 29, 2022, OCR proposes that the daily penalty amount of $63,973 per day be applied for these violations that were due to willful neglect under 45 C.F.R. § 160.404(b)(2)(iv)(A).

While Gums Dental has provided no evidence in response to OCR’s requests, through public information OCR has learned that Gums Dental is a solo practitioner dental provider that serves an urban and suburban community. The imposition of the maximum CMP would likely impact the ability of Gums Dental to provide dental care to its service area. Additionally, given the potential impact of the COVID-19 public health emergency on Gums Dental, OCR is using the discretion contemplated by 45 C.F.R. § 160.408(d) and (e), to impose a reduced CMP of $70,000.

VI. Waiver

OCR has determined that there is no basis for waiver of the proposed CMP amount as set forth at 45 C.F.R. § 160.412.

VII. Amount of CMP

1. Amount of CMP Per Violation

   Based on the above factors, OCR finds that Gums Dental is liable with respect to the violation described in Section III:

   Timely Action by Covered Entity – 45 C.F.R. § 164.524(b)(2): The CMP is $7,676,692 (see attached chart – Appendix A). This CMP amount is based on 45 C.F.R. § 160.404(b)(2)(iv) [Willful Neglect not corrected in 30 days].

2. Total Amount of CMP

   The total CMP amount that could be imposed on Gums Dental with regard to the violation described is $7,676,692 (See attached chart – Appendix A.) However, based on OCR’s evaluation of the factors listed in 45 C.F.R. § 160.408, OCR has determined that a CMP of $70,000 is warranted in this matter.

VIII. Right to a Hearing

Gums Dental has the right to a hearing before an administrative law judge to challenge these proposed CMP. To request a hearing to challenge these proposed CMP, Gums Dental must mail a request, via certified mail with return receipt request, under the procedures set forth at 45 C.F.R. Part 160 within 90 days of your receipt of this letter. Such a request must: (1) clearly and directly admit, deny, or explain each of the findings of fact contained in this notice; and (2) state the circumstances or arguments that you allege constitute the grounds for any defense, and the factual and legal basis for opposing the proposed CMP. See 45 C.F.R. § 160.504(c). If you wish to request a hearing, you must submit your request to:

Department of Health & Human Services
Departmental Appeals Board, MS 6132
Civil Remedies Division
330 Independence Ave, SW
Cohen Building, Room G-644
Washington, D.C. 20201
Telephone: (202) 565-9462

Copy to:
Serena Mosley-Day, Senior Advisor
Office for Civil Rights
200 Independence Avenue, SW,
Suite 523E
Hubert H. Humphrey Building
Washington, D.C. 20201
Telephone: (404) 562-7864

A failure to request a hearing within 90 days permits the imposition of the proposed CMP without a right to a hearing under 45 C.F.R. § 160.504 or a right of appeal under 45 C.F.R. § 160.548. If you choose not to contest this proposed CMP, you should submit a written statement accepting its imposition within 90 days of receipt of this notice.

If Gums Dental does not request a hearing within 90 days, then OCR will notify Gums Dental of the imposition of the CMP through a separate letter, including instructions on how to make payment, and the CMP will become final upon receipt of such notice.

If you have any questions, you may contact Jamie Rahn Ballay, Regional Manager, at (215)861- 4432 or Jamie.Rahn@hhs.gov.

Sincerely,

/s/
Jamie Rahn Ballay
Regional Manager

Enclosure – Appendix A (CMP Penalty Chart)

Endnotes

¹ For violations occurring on or after November 3, 2015, HHS may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvement Act of 2015. The annual inflation amounts are found at 45 C.F.R. §102.3.

² See Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Sec. 701 of Public Law 114-74.

³ 45 C.F.R. § 160.104

⁴ 45 C.F.R §164.501 – Designated record set means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

⁵ See Reviewable Grounds for Denial, 45 CFR 164.524(a)(3).

⁶ “Factors considered in determining the amount of a civil money penalty. In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate: (a) The nature and extent of the violation; (b) The nature and extent of the harm resulting from the violation; (c) The history of prior compliance with the administrative simplification provisions; (d) The financial condition of the covered entity; and (e) Such other matters as justice may require.” 42 C.F.R. § 160.408.