Rio Hondo Community Mental Health Center Notice of Proposed Determination

U.S. Department of Health and Human Services 
Office for Civil Rights 
Headquarters ● Humphrey Building 
200 Independence Ave., S.W. 
Washington, D.C. 20201 
Voice: (800) 368-1019 
TDD: (800) 537-7697 
Fax: (202) 619-3818

Via Certified Mail (Return Receipt Requested), Email and Personal Service

July 16, 2024

Julia Chen, HIPAA Compliance Officer 
Office of Privacy 
County of Los Angeles, Chief Executive Office, Risk Management Branch 
Hall of Records 
320 West Temple Street, 7^th Floor 
Los Angeles, CA 90012 
jchen@ceo.lacounty.gov 

Re:       Rio Hondo Community Mental Health Center

            OCR Transaction Number: 20-392923

NOTICE OF PROPOSED DETERMINATION

Dear Ms. Chen:

Pursuant to the authority delegated by the Secretary of the United States Department of Health and Human Services (HHS) to the Office for Civil Rights (OCR), we are writing to inform you that OCR is proposing to impose a civil money penalty (CMP) of $100,000 against Rio Hondo Community Mental Health Center, which is a directly operated Outpatient Program of the County of Los Angeles Department of Mental Health.

This proposed action is being taken under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 262(a), Pub.L. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, Section 13410, codified at 42 U.S.C. § 1320d-5, and under 45 C.F.R. Part 160, Subpart D.

I. The Statutory Basis for the Proposed CMP

The Secretary of HHS is authorized to impose CMPs (subject to the limitations set forth at 42 U.S.C. § 1320d-5(b)) against any covered entity, as described at 42 U.S.C. § 1320d-1(a), that violates a provision of Part C (Administrative Simplification) of Title XI of the Social Security Act.  See HIPAA, § 262(a), as amended, 42 U.S.C. § 1320d-5(a).  This authority includes violations of the applicable provisions of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) and the Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D), pursuant to Section 264(c) of HIPAA.  The Secretary has delegated enforcement responsibility for the HIPAA Rules to the Director of OCR.  See 65 Fed. Reg. 82,381 (Dec. 28, 2000) and 74 Fed. Reg. 38630 (July 27, 2009).  OCR is authorized under the HITECH Act § 13410, 42 U.S.C. § 1320d-5(a)(3),¹ to impose CMPs for violations occurring on or after February 18, 2009,² of:

• A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
• A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
• A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
• A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1500,000.
• As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.³ The adjusted amounts are applicable only to CMPs whose violations occurred after November 2, 2015. 

II. Findings of Fact

1. Rio Hondo Community Mental Health Center (“Rio Hondo”) is a directly operated Outpatient Program of the County of Los Angeles Department of Mental Health, established in 1994. The clinic provides mental health services and welfare-to-work support services for adults with mental/emotional disturbance in Southeast Los Angeles.
2. Rio Hondo is a “covered entity” within the meaning of 45 C.F.R. §160.103, and, as such, is required to comply with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules.
3. Rio Hondo is a health care provider that transmits health information in electronic form in connection with transactions for which the U.S Department of Health and Human Services has adopted standards.
4. Rio Hondo creates, maintains, receives, and transmits protected health information (PHI) related to patients who receive health care services from Rio Hondo.
5. The County of Los Angeles Department of Mental Health (LACDMH) operates Rio Hondo as an outpatient program. LACDMH described that it is a “hybrid entity” within the definition set forth at 45 C.F.R. § 164.103 (see also 45 C.F.R. § 164.105) and that Rio Hondo is a covered component in its hybrid structure. As such, Rio Hondo is required to comply with the requirements of the Privacy, Security and Breach Notification Rules.
6. Under the HIPAA Privacy Rule, an individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set⁴ for as long as the PHI is maintained by a covered entity in the designated record set.⁵
7. The Complainant in this case visited Rio Hondo on March 18, 2020, and completed Rio Hondo’s paper medical records request form. The form, as completed by the Complainant, is a valid and lawful request for access to PHI under the Privacy Rule at 45 C.F.R. §164.524. It provided all of the necessary information for Rio Hondo to fulfill the request in a timely manner, such as the Complainant’s name, the records requested, the address where the records were requested to be sent to, as well as the date range for the records requested. The form was also dated and signed by the Complainant and noted that her identity was verified through her state-issued driver’s license.
8. Rio Hondo admits to receiving this request for medical records on March 18, 2020. Rio Hondo does not contest that the form submitted by the Complainant was a valid request for records per the HIPAA Privacy Rule at 45 C.F.R. §164.524.
9. On or about March 19, 2020, California Governor Gavin Newsom issued a “stay-at-home” order “to protect the health and well-being of all Californians and to establish consistency across the state in order to slow the spread of COVID-19.”⁶ As such, staff at Rio Hondo were not physically working at the facility.
10. In May 2020, some Rio Hondo staff members began returning to the facility.
11. On May 22, 2020, Rio Hondo notified the Complainant by telephone that her records would be ready for her to pick up on May 27, 2020.
12. On May 27, 2020, the Complainant visited the clinic to retrieve her records, but after waiting for twenty minutes, the Complainant provided her contact information to a staff member and asked to be notified when her medical records were in fact ready. The Complainant then left the clinic without the requested records. The Intermediate Typist Clerk (ITC) assigned to respond to medical record requests at the time stated during OCR’s investigation that she was alerted when the Complainant arrived but the ITC delayed meeting with the Complainant to consult with multiple colleagues about how to process the Complainant’s request.
13. Rio Hondo admits, "[The ITC] stated that she attempted to contact the complainant after discovering that she had left the clinic but did not make further attempts to reach the complainant, or to alert her supervisor or the Program Manager of the complainant's request. There is also no documentation that supports [staff members] followed up with the complaint's [sic] request.”
14. On July 17, 2020, the Complainant called Rio Hondo by phone several times to inquire on the status of her right of access to medical records requests. Her call was transferred to the medical records department, but no one answered. The ITC acknowledges this contact, as she was notified by email of the Complainant’s calls but could not recall if she or any other staff member returned the Complainant’s call.
15. The Complainant alleges that she contacted Rio Hondo by phone again several times throughout August 2020. She was able to speak with a staff member about her requests but did not receive any follow up to fulfill her request and did not receive her requested records.
16. The Complainant filed this complaint with OCR on August 21, 2020, alleging that Rio Hondo has not responded to her written request for medical records made in March 2020.
17. On October 7, 2020, OCR notified Rio Hondo of this investigation concerning the failure to take timely action in response to the Complainant’s right of access request. Rio Hondo responded by leaving voicemails with the Complainant on October 7, 8 and 16, 2020. On October 19, 2020, Rio Hondo sent a letter of apology to the Complainant acknowledging its delay in processing her medical records request and stating that a copy of her medical records would be sent to her via certified mail.
18. On October 20, 2020, Rio Hondo sent the Complainant copies of her requested records via certified mail to fulfill her March 2020 right of access request.
19. The Privacy Rule states that an individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated records set,⁷ for as long as the PHI is maintained in the designated record set. 45 C.F.R. §164.524(a). 
20. A covered entity must act on a request for access no later than 30 days after receipt of the request. 45 C.F.R. §164.524(b)(2). 
21. The Privacy Rule required Rio Hondo to act on the Complainant’s request no later than 30 days after receipt of the request.
22. A covered entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to take an action required within the prescribed timeframe, it may extend the timeframe for responding by no more than 30 days, provided that the covered entity provides the requestor with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request. The covered entity may have only one such extension of time for action on a request for access. 45 C.F.R. § 164.524(b)(2).
23. OCR’s investigation determined that Rio Hondo had not provided the Complainant with her requested medical records in a timely manner pursuant to 45 C.F.R. §164.524(b)(2). Specifically, while the Complainant made a valid, written request on March 18, 2020, and followed up multiple times, Rio Hondo did not respond to her request until it sent the Complainant the requested records on October 20, 2020 (216 days later).
24. By letter dated August 31, 2022, OCR informed Rio Hondo of the results of its investigation, specifically, that Rio Hondo had failed to provide Complainant with timely access to their requested PHI. This letter offered Rio Hondo an opportunity to settle this matter informally.
25. On February 3, 2023, OCR issued a Letter of Opportunity (LOO) which again informed Rio Hondo that OCR’s investigation indicated that Rio Hondo failed to comply with the HIPAA Privacy Rule and that this matter had not been resolved by informal means despite OCR’s attempts to do so. The letter stated that pursuant to 45 C.F.R. § 160.312(a)(3), OCR was informing Rio Hondo of the preliminary indications of non-compliance and providing Rio Hondo with an opportunity to submit written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404.  The letter stated that Rio Hondo could also submit written evidence to support a waiver of a CMP for the indicated area of non-compliance pursuant to 45 C.F.R. § 160.412.  The act of noncompliance under the Privacy Rule was described in the LOO.
26. Rio Hondo submitted a response to the LOO on February 16, 2023. OCR has determined that the information and arguments submitted by Rio Hondo do not support an affirmative defense pursuant to 45 C.F.R. 160.410.  See Section IV below.  OCR considered Rio Hondo’s response in light of any applicable factors pursuant to 45 C.F.R. § 160.408 in determining the amount of the CMP indicated below. See Section V below.  OCR has determined that the information and arguments submitted by Rio Hondo do not support a waiver of the CMP pursuant to 45 C.F.R. § 160.412. See Section VI below.
27. Pursuant to 42 USC §§ 1320d-5 and 1320a-7a, OCR obtained the authorization of the Attorney General of the United States prior to issuing this Notice of Proposed Determination to impose a CMP.

III. Basis for and Amount of CMP

Based on the above findings of fact, we have determined that Rio Hondo is liable for the following violations of the HIPAA Privacy Rule and, therefore, is subject to a CMP.

1. Rio Hondo did not take timely action in response to the Complainant's multiple right of access request in violation of 45 C.F.R. §164.524(b)(2). The first request was made in writing on March 18, 2020.  Rio Hondo sent the Complainant the requested records on October 20, 2020. 
2. OCR has determined that the appropriate penalty tier for this violation is Reasonable Cause. 45 C.F.R. §160.404(b)(2)(ii)
3. OCR’s calculations for this proposed violation are as follows:

May 17, 2020 (sixty days after the March 18th request) through October 20, 2020 (date Rio Hondo sent records) = 156 days x $1,379 = $215,124, capped at $100,000

Maximum CMP: $100,000

IV. No Affirmative Defenses

By its February 3, 2023, Letter of Opportunity, OCR offered Rio Hondo the opportunity to provide written evidence of affirmative defenses.  As noted above, Rio Hondo submitted its response to OCR by letter dated February 16, 2023. 

In its response to OCR’s LOO, Rio Hondo did not specifically raise any valid affirmative defenses, but asserted the following:

1. Rio Hondo received the Complainant’s written request for records on March 18, 2020, at the onset of the COVID-19 pandemic, just as the mandated statewide "Safer at Home" order went into effect. The action caused all operations to come to an unexpected and immediate halt in order to protect the health and safety of California's population.
2. The "Safer at Home" order generated unforeseeable changes in Rio Hondo’s infrastructure; all County buildings were closed to the public, most employees were working from home or deployed to conduct disaster response efforts in the field, and there were little to no staff working in the clinics for a considerable period.
3. Upon limited staff returning to the clinic in May 2020, the Complainant’s request was processed, and the Complainant was notified when the record was available to receive.
4. Rio Hondo made attempts after May 27, 2020, to inform the Complainant the records were ready, but the Complainant did not respond. Rio Hondo mailed the records via certified mail on October 20, 2020.
5. As the result of the complaint, Rio Hondo has implemented new protocols to ensure the same or similar situations will not occur in the future.

Upon review, OCR finds that none of the above assertions constitute an affirmative defense as set forth at 45 C.F.R. § 160.410.  Accordingly, OCR has considered all of the evidence provided by Rio Hondo during the course of the investigation and in response to the LOO and has determined there are no applicable affirmative defenses.

V. Factors Considered in Determining the Amount of the CMP

By its February 3, 2023, Letter of Opportunity, OCR offered Rio Hondo the opportunity to submit written evidence of any mitigating factors to apply to the CMP as delineated under 45 C.F.R. §160.408. 

In its response to OCR’s LOO dated February 16, 2023, Rio Hondo did not specifically raise any mitigating factors under 45 C.F.R. §160.408, but asserted the following:

1. Rio Hondo received the Complainant’s written request for records on March 18, 2020, at the onset of the COVID-19 pandemic, just as the mandated statewide "Safer at Home" order went into effect. The action caused all operations to come to an unexpected and immediate halt in order to protect the health and safety of California's population.
2. The "Safer at Home" order generated unforeseeable changes in Rio Hondo’s infrastructure; all County buildings were closed to the public, most employees were working from home or deployed to conduct disaster response efforts in the field, and there were little to no staff working in the clinics for a considerable period.
3. Upon limited staff returning to the clinic in May 2020, the Complainant’s request was processed, and the Complainant was notified when the record was available to receive.
4. Rio Hondo made attempts after May 27, 2020, to inform the Complainant the records were ready, but the Complainant did not respond. Rio Hondo mailed the records via certified mail on October 20, 2020.
5. As the result of the complaint, Rio Hondo has implemented new protocols to ensure the same or similar situations will not occur in the future.

Based on the information gathered during the investigation and Rio Hondo’s response to the LOO, in determining the amount of the CMP, OCR has considered mitigating or aggravating factors pursuant to 45 C.F.R. § 160.408, as follows:

1. 45 C.F.R. § 160.408(a) The nature and extent of the violation.

The very nature of an individual right under the Privacy Rule is that it protects the rights of an individual. While only one individual was affected by the violation, Rio Hondo was in violation of the Privacy Rule for a lengthy duration of time, 156 days. The Complainant had substantial difficulties in getting access to her requested records. She made an in-person written request, traveled to the facility to retrieve records that were not in fact provided, made multiple follow-up phone calls that still did not resolve her request, and ultimately filed a complaint with OCR. As such, OCR finds this factor should not be applied to mitigate or aggravate the CMP.

2. 45 C.F.R. § 160.408(b) The nature and extent of the harm resulting from the violation. 

OCR does not have evidence that this violation resulted in physical, financial, or reputational harm or hindered the Complainant’s ability to obtain healthcare. However, the fact that there is no indication of such harm cannot be attributed to any actions taken by Rio Hondo such that would justify mitigating the CMP.

As such, OCR finds this factor should not be applied to mitigate or aggravate the CMP.

3. 45 C.F.R. § 160.408(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity. 

Based on a review of OCR’s history with this covered entity, there have been no investigations of Rio Hondo in the recent past and none that involve the same or similar noncompliance at issue in this matter.  As such, OCR has not had the opportunity in the recent past to assess whether and to what extent Rio Hondo has attempted to correct previous indications of noncompliance, how Rio Hondo has responded to prior complaints, or to technical assistance from OCR.

However, a lack of breaches reported to OCR or complaints filed against Rio Hondo is not evidence of Rio Hondo’s compliance with the HIPAA Rules. This is demonstrated by the findings of this investigation, which revealed significant noncompliance with the Privacy Rule’s Right of Access requirements.

As such, OCR finds this factor should not be applied to mitigate or aggravate the CMP.

4. 45 C.F.R. § 160.408(d) The financial condition of the covered entity.

In its response to the LOO, Rio Hondo did not assert that it experienced financial difficulties that would affect its ability to comply with the requirements of HIPAA, such as costs associated with a HIPAA compliance program that would include workforce training, implementation of policies and procedures, minimum safeguards, etc. Further, OCR has no evidence that payment of the CMP would jeopardize Rio Hondo’s ability to continue to provide health care services to its community.

As such, OCR finds this factor should not be applied to mitigate or aggravate the CMP.

5. 45 C.F.R. § 160.408(e) Such other matters as justice may require.

OCR has not identified other matters that justice may require in its consideration of aggravating or mitigating factors.    

As such, OCR finds this factor should not be applied to mitigate or aggravate the CMP.

VI. Waiver

By its February 3, 2023, Letter of Opportunity, OCR offered Rio Hondo the opportunity to submit written evidence to support a waiver of a CMP consistent with 45 C.F.R. § 160.412:

“For violations described in § 160.410(b)(2) or (c) that are not corrected within the period specified under such paragraphs, the Secretary may waive the CMP, in whole or in part, to the extent that the payment of the penalty would be excessive relative to the violation.”

In its response to OCR’s LOO dated February 16, 2023, Rio Hondo stated,

“Although [Rio Hondo] has accepted the formal resolution, and in consideration of a waiver of the CMP, we do not believe the proposed $100,000 penalty is warranted for the following reasons:”

1. Rio Hondo received the Complainant’s written request for records on March 18, 2020, at the onset of the COVID-19 pandemic, just as the mandated statewide "Safer at Home" order went into effect. The action caused all operations to come to an unexpected and immediate halt in order to protect the health and safety of California's population.
2. The "Safer at Home" order generated unforeseeable changes in Rio Hondo’s infrastructure; all County buildings were closed to the public, most employees were working from home or deployed to conduct disaster response efforts in the field, and there were little to no staff working in the clinics for a considerable period.
3. Upon limited staff returning to the clinic in May 2020, the Complainant’s request was processed, and the Complainant was notified when the record was available to receive.
4. Rio Hondo made attempts after May 27, 2020, to inform the Complainant the records were ready, but the Complainant did not respond. Rio Hondo mailed the records via certified mail on October 20, 2020.
5. As the result of the complaint, Rio Hondo has implemented new protocols to ensure the same or similar situations will not occur in the future.

OCR has determined that there is no basis for waiver of the proposed CMP amount as set forth at 45 C.F.R. § 160.412.  In its response to the LOO, Rio Hondo presented no evidence that the payment of the CMP would be excessive relative to the proposed violation.

VII. Right to a Hearing

Rio Hondo has the right to a hearing before an administrative law judge to challenge the proposed CMP.  To request a hearing, representatives of Rio Hondo must mail a request, via certified mail with return receipt request, under the procedures set forth at 45 C.F.R. Part 160 within 90 days of receipt of this letter.  Such a request must: (1) clearly and directly admit, deny, or explain each of the findings of fact contained in this notice; and (2) state the circumstances or arguments that Rio Hondo allege constitute the grounds for any defense, and the factual and legal basis for opposing the proposed CMP.  See 45 C.F.R. § 160.504(c).  If Rio Hondo wishes to request a hearing, you must submit your request to:

U.S. Department of Health & Human Services
Departmental Appeals Board, MS 6132
Civil Remedies Division
330 Independence Ave, SW
Cohen Building, Room G-644
Washington, D.C.  20201
Telephone: (202) 565-9462

Copy to:
Emily Crabbe, Senior Advisor for HIPDC Compliance and Enforcement
Office for Civil Rights
U.S. Department of Health and Human Services 
Hubert H. Humphrey Building
200 Independence Avenue, SW, Suite 523E, Room 509F
Washington, D.C. 20201
Telephone: (404) 562-7878
Email: emily.crabbe@hhs.gov

A failure to request a hearing within 90 days permits the imposition of the proposed CMP without a right to a hearing under 45 C.F.R. § 160.504 or a right of appeal under 45 C.F.R. § 160.548.  If Rio Hondo chooses not to contest this proposed CMP, Rio Hondo should submit a written statement accepting its imposition within 90 days of receipt of this notice.

If Rio Hondo does not request a hearing within 90 days, then OCR will notify you of the imposition of the CMP through a separate letter, including instructions on how Rio Hondo may make payment, and the CMP will become final upon receipt of such notice.

If you have any questions regarding this matter, please contact me directly at 404-562-7878 or emily.crabbe@hhs.gov.

Sincerely,
/s/
Emily Crabbe, JD
Senior Advisor
Health Information Privacy, Data, and Cybersecurity Compliance and Enforcement

Endnotes

¹ The CMPs reflect the penalty tiers described in the Notification of Enforcement Discretion (April 30, 2019). See https://www.federalregister.gov/documents/2019/04/30/2019-08530/notification-of-enforcement-discretion-regarding-hipaa-civil-money-penalties. 

² For violations occurring on or after November 3, 2015, HHS may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvement Act of 2015.  The annual inflation amounts are found at 45 C.F.R. §102.3.

³ See Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Sec. 701 of Public Law 114-74.

⁴ Designated record set means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. 45 C.F.R §164.501.

⁵ 45 C.F.R. § 164.524(a).

⁶ https://www.gov.ca.gov/2020/03/19/governor-gavin-newsom-issues-stay-at-home-order/

⁷ 45 C.F.R §164.501 – Designated record set means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.  (2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.