
South Broward Hospital District d/b/a Memorial Healthcare System Notice of Proposed Determination

U.S. Department of Health and Human Services
Office for Civil Rights
New England Region 
Government Center 
JFK Federal Building, Room 1875
Boston, MA 02203
Voice - (800) 368-1019
TDD - (800) 537-7697
Fax - (617) 565-3809
http://www.hhs.gov/ocr

VIA PERSONAL SERVICE, CERTIFIED MAIL RETURN RECEIPT REQUESTED, and EMAIL TO frainer@mhs.net

July 17, 2024

Frank Rainer, Senior Vice President and General Counsel
South Broward Hospital District d/b/a Memorial Healthcare System
311 Stirling Road
Hollywood, FL 33312

Re: Memorial Healthcare System
OCR Transaction Number: 21-431555

NOTICE OF PROPOSED DETERMINATION

Dear Mr. Rainer:

Pursuant to the authority delegated by the Secretary of the U.S. Department of Health and Human Services (HHS) to the Office for Civil Rights (OCR), I am writing to inform you that OCR is proposing to impose a civil money penalty (CMP) of $100,000 against South Broward Hospital District d/b/a Memorial Healthcare System.

This proposed action is being taken under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 262(a), Public Law 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, Section 13410, codified at 42 United States Code (U.S.C.) § 1320d-5, and under 45 C.F.R. Part 160, Subpart D.

I. The Statutory Basis for the Proposed CMP

The Secretary of HHS is authorized to impose a CMP (subject to the limitations set forth at 42 U.S.C. § 1320d-5(b)) against any covered entity, as described at 42 U.S.C. § 1320d-1(a), that violates a provision of Part C (Administrative Simplification) of Title XI of the Social Security Act. See HIPAA, § 262(a), as amended, 42 U.S.C. § 1320d-5(a). This authority includes imposing CMPs for violations of the applicable provisions of the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D). The Secretary has delegated enforcement responsibility for the HIPAA Rules to the Director of OCR. See 65 Federal Register (Fed. Reg.) 82381 (Dec. 28, 2000) and 74 Fed. Reg. 38630 (July 27, 2009). OCR is authorized under the HITECH Act § 13410, 42 U.S.C. § 1320d-5(a)(3),[1] to impose CMPs for violations occurring on or after February 18, 2009, of:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.[2] The adjusted amounts are applicable only to CMPs whose violations occurred after November 2, 2015.

OCR is precluded from imposing a CMP unless the action is commenced within six years from the date of the violation.[3]

II. Findings of Fact

  1. South Broward Hospital District d/b/a Memorial Healthcare System (MHS) is a public health care system in Florida, and includes six (6) hospitals, more than 300 employed physicians within the Memorial Physician Group, as well as a nursing home, research, urgent care centers and Memorial Primary Care. MHS also operates a health care plan for its employees. Memorial Neuroscience Institute is a department within Memorial Healthcare System and is a division of Memorial Physician Group.
  2. MHS is a “covered entity” within the meaning of 45 C.F.R. § 160.103, and, as such, is required to comply with the requirements of the Privacy, Security, and Breach Notification Rules.
  3. MHS is a health care provider that transmits health information in electronic form in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards.
  4. MHS creates, maintains, receives, and transmits protected health information (PHI) related to patients who receive health care services from MHS.
  5. Under the HIPAA Privacy Rule, an individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set[4] for as long as the PHI is maintained by a covered entity in the designated record set.[5]
  6. On March 3, 2020, the complainant had an electroencephalogram (EEG) performed at the Memorial Neuroscience Institute.
  7. On the evening of December 30, 2020, the complainant sent a message via the MyChart Patient Portal to his provider, asking for a copy of his EEG tracings on a CD (“December access request”).
  8. On December 31, 2020, the complainant received a response from his provider acknowledging receipt of the December access request.
  9. MHS did not provide access to the EEG tracings in response to the December access request.
  10. On April 25, 2021, the complainant sent a message to his provider through the MyChart Patient Portal, again requesting the EEG tracings.
  11. On April 26, 2021, the complainant sent another access request to his provider through the MyChart Patient Portal informing the provider that he mailed a letter to his provider requesting the EEG tracings. Specifically, the letter states: “This is a medical records request, in writing, by the patient himself, requesting a copy of his EEG…”
  12. MHS did not respond to any of the complainant’s April 2021 requests.
  13. On May 23, 2021, the complainant sent another message through the MyChart Patient Portal stating it was a reminder to provide a copy of the EEG tracings by May 29, 2021, and again received no response.
  14. On May 30, 2021, the complainant filed the first of two complaints with OCR alleging that MHS did not provide him with a copy of the EEG tracings in response to his requests for access.
  15. OCR closed this complaint without investigation.
  16. On June 23, 2021, the complainant filed a second complaint with OCR alleging that MHS did not provide him with a copy of his PHI, specifically his EEG tracings, in response to his access requests.
  17. OCR notified MHS in writing of its intent to investigate the matter and issued a data request on September 22, 2021. OCR requested data including a copy of MHS’s HIPAA policies and procedures regarding access to PHI.
  18. A covered entity must act on a request for access no later than 30 days after receipt of the request.[6]
  19. A covered entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to take required action, it may extend the time frame for responding by an additional 30 days by sending the requestor a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request.[7]
  20. MHS has not asserted or provided evidence that it completed the requirements for extending the time frame for responding to the complainant’s December 2020 request.[8]
  21. The Privacy Rule required MHS to act on the complainant’s December 30, 2020, request for access to his records within 30 days of the request, that is, on or before January 29, 2021.
  22. On September 29, 2021, following OCR’s September 22, 2021, notice letter, MHS sent the requested records to the complainant, 273 days after his December 30, 2020, request for access to his records.
  23. OCR’s investigation determined that MHS had not provided the complainant with his requested medical records in a timely manner as required by 45 C.F.R. § 164.524(b)(2). Specifically, while the complainant made multiple, valid, written requests beginning on December 30, 2020, MHS did not respond to his requests until it sent the complainant the requested records on September 29, 2021 (273 days later).
  24. On June 14, 2022, OCR notified MHS of the results of OCR’s investigation, specifically, that OCR identified a potential violation of the HIPAA right of access provision at 45 C.F.R. § 164.524(b). OCR offered MHS an opportunity to resolve the matter informally.
  25. OCR was unable to resolve the matter by informal means.
  26. On November 10, 2022, OCR issued a Letter of Opportunity (LOO) to MHS, pursuant to 45 C.F.R. § 160.312(a)(3), which informed MHS that OCR’s investigation found preliminary indications of noncompliance with the Privacy Rule, specifically 45 C.F.R. § 164.524(b), which states that a covered entity must act on a request by an individual for access to inspect or to obtain a copy of the PHI no later than 30 days after receipt of the request. The LOO stated that pursuant to 45 C.F.R. § 160.312(a)(3), OCR was informing MHS of the preliminary indications of noncompliance and providing MHS with an opportunity to submit written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404. The letter stated that MHS could also submit written evidence to support a waiver of a CMP for the indicated areas of noncompliance pursuant to 45 C.F.R. § 160.412.
  27. MHS responded to the LOO by email dated December 8, 2022.
  28. On March 1, 2024, OCR obtained the authorization of the Attorney General of the United States to issue this Notice of Proposed Determination to impose a CMP.

III. Basis for and Amount of CMP

Based on the above findings of fact, OCR has determined that MHS is liable for the following violation of the HIPAA Privacy Rule and, therefore, subject to a CMP. OCR calculated the CMP at the reasonable cause not corrected penalty tier under 45 C.F.R. § 160.404(b)(2)(ii)(A), as follows:

From January 30, 2021, to September 28, 2021 at $1,379 per day (242 days x $1,379.00)

Total CMP: $333,718, capped at $100,000

IV. No Affirmative Defenses

By its November 10, 2022, LOO, OCR offered MHS the opportunity to provide written evidence of affirmative defenses per 45 C.F.R. § 160.410. MHS responded by letter dated December 8, 2022.

OCR determined that the information contained in MHS’s response did not provide a basis for an affirmative defense under 45 C.F.R. § 160.410.

V. Factors Considered in Determining the Amount of the CMP

In its December 8, 2022, letter to OCR responding to the LOO, MHS generally asserted that the factors set forth in 45 C.F.R. § 160.408 counsel against any significant CMP in this matter. Based on the information gathered during the investigation and MHS’s response to the LOO, in determining the amount of the CMP, OCR has considered the following factors pursuant to 45 C.F.R. § 160.408, as follows:

  1. 45 C.F.R. § 160.408(a) The nature and extent of the violation.

    MHS asserted that the violation at issue relates to only a single individual’s request for records and that it timely provided access to the Complainant in response to OCR’s notice letter.

    The very nature of an individual right under the Privacy Rule is that it protects the rights of an individual. Although the violation in this matter affected only one individual, OCR’s investigation determined that MHS was in violation for 242 days. MHS failed to provide timely access to the complainant’s medical record, despite the complainant’s multiple follow up communications, until September 29, 2021, many months after the date of the access request and only after OCR opened its investigation into this matter.

    As such, OCR finds this is neither a mitigating nor aggravating factor.

  2. 45 C.F.R. § 160.408(b) The nature and extent of the harm resulting from the violation.

    OCR does not have evidence that this violation resulted in physical, financial, or reputational harm or hindered the Complainant’s ability to obtain healthcare. However, the fact that there is no indication of such harm cannot be attributed to any actions taken by MHS such that would justify mitigating the CMP.

    As such, OCR finds this is neither a mitigating nor aggravating factor.

  3. 45 C.F.R. § 160.408(c) The history of prior compliance with the administrative simplification provisions, including violations.

    OCR notes that MHS agreed to a Resolution Agreement and Corrective Action Plan in 2017, following OCR’s investigation which indicated noncompliance with the HIPAA Security Rule. OCR has not previously investigated MHS for compliance with the Privacy Rule’s Right of Access requirement. Although OCR has not made findings or received a response to technical assistance regarding the individual right of access prior to this matter, this does not demonstrate compliance with requirements of the HIPAA Rules.

    As such, OCR finds this is neither a mitigating nor aggravating factor.

  4. 45 C.F.R. § 160.408(d) The financial condition of the covered entity.

    MHS provided its 2020 tax filing information, 2021 financial report, and balance sheet in response to OCR’s investigation. The evidence obtained by OCR shows that MHS has financial resources available to maintain compliance (e.g., regularly review and update policies and procedures for consistency, and to train staff). MHS has not asserted that it has experienced any financial difficulties that affected its ability to comply with its HIPAA obligations. Furthermore, there is no indication that the imposition of the proposed CMP will jeopardize MHS’s provision of healthcare services. MHS did not claim that its financial condition justified mitigation of a CMP.

    As such, OCR applies this factor as neither mitigating nor aggravating.

  5. 45 C.F.R. § 160.408(e) Such other matters as justice may require.

    OCR found no other factors that would affect the amount of the proposed CMP. OCR considers this factor to be neither mitigating nor aggravating.

Based on the above analysis, OCR has not identified any mitigating or aggravating factors that merit alteration of the proposed CMP of $100,000, as detailed in Section III above and Section VII below.

VI. Waiver

By its November 10, 2022, LOO, OCR offered MHS the opportunity to provide written evidence supporting waiver of the proposed CMP amount. MHS responded by email transmitted December 8, 2022. OCR determined that the information contained in MHS’s response did not provide a basis for waiver, or partial waiver, of the proposed CMP amount pursuant to 45 C.F.R. § 160.412 because payment of the penalty is not excessive relative to the violation.

VII. Amount of CMP

  1. Amount of CMP Per Violation

    OCR finds that MHS is liable for a CMP for violating the following requirement of the Privacy Rule:

    Timely Action by the Covered Entity – 45 C.F.R. § 164.524(b). The CMP amount is based on 45 C.F.R. § 160.404(b)(2)(ii)(A) [Reasonable Cause].

  2. Total Amount of CMP

    The total CMP amount to be imposed on MHS with regard to the violation described is $100,000.

VIII. Right to a Hearing

MHS has the right to a hearing before an administrative law judge to challenge the proposed CMP. To request a hearing to challenge the proposed CMP, MHS must mail a request, via certified mail with return receipt requested, under the procedures set forth at 45 C.F.R. Part 160 within 90 days of your receipt of this letter. Such a request must: (1) clearly and directly admit, deny, or explain each of the findings of fact contained in this notice; and (2) state the circumstances or arguments that you allege constitute the grounds for any defense, and the factual and legal basis for opposing the proposed CMP. See 45 C.F.R. § 160.504(c). If you wish to request a hearing, you must submit your request to:

U.S. Department of Health & Human Services
Departmental Appeals Board, MS 6132
Civil Remedies Division
330 Independence Ave, SW
Cohen Building, Room G-644
Washington, D.C.  20201
Telephone: (202) 565-9462

Copy to:
Emily Crabbe, Senior Advisor for HIPDC Compliance and Enforcement
Office for Civil Rights
U. S. Department of Health and Human Services
200 Independence Avenue, SW
Room 509F, HHH Building
Washington, D.C. 20201 
Telephone: (404) 562-7878
Email: emily.crabbe@hhs.gov

A failure to request a hearing within 90 days permits the imposition of the proposed CMP without a right to a hearing under 45 C.F.R. § 160.504 or a right of appeal under 45 C.F.R. § 160.548. If you choose not to contest this proposed CMP, you should submit a written statement accepting its imposition within 90 days of receipt of this notice.

If MHS does not request a hearing within 90 days, then OCR will notify MHS of the imposition of the CMP through a separate letter, including instructions on how to make payment, and the CMP will become final upon receipt of such notice.

If you have questions, you may contact Emily Crabbe, Senior Advisor for HIPDC, at (404) 562-7878 or via email at Emily.Crabbe@hhs.gov.

Sincerely yours,
/s/
Susan M. Pezzullo Rhodes
Regional Manager

CC: Stephen H. Siegel, Associate General Counsel
Pascale Prepetit, Corporate Director of Privacy


Endnotes

[1] The CMPs reflect the penalty tiers described in HHS’ Notification of Enforcement Discretion. See 84 Fed. Reg. 18151 (Apr. 30, 2019).

[2] For violations occurring on or after November 3, 2015, HHS is required to make annual adjustments to the CMP amounts. See Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Sec. 701 of Pub. Law 114-74. Current inflation amounts are available at 45 C.F.R. § 102.3.

[3] See 42 U.S.C. § 1320a-7a(c)(1); 45 C.F.R. § 160.414.

[4] Designated record set means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. 45 C.F.R. § 164.501.

[5] 45 C.F.R. § 164.524(a).

[6] 45 C.F.R. § 164.524(b)(2)(i).

[7] 45 C.F.R. § 164.524(b)(2).

[8] 45 C.F.R. §§ 164.524(b)(2)(ii)(A) and (B).

Content created by Office for Civil Rights (OCR)
Content last reviewed January 15, 2025