HIPAA enforcement is alive and well and no one is immune in 2022. If you think you don’t need to pay attention to the latest HIPAA rules, you could end up paying big fines. Yesterday, the Office for Civil Rights (OCR) announced four new settlements with smaller and specialty providers.
Two of the settlements arise out of OCR’s HIPAA Right of Access Initiative, bringing the total number of enforcement actions under the Right of Access rules to 27 since the initiative began in 2019.
The OCR director, Lisa J. Pino, stated in the announcement:
“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously…”
“OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”
Read Director Pino’s recent blog about the rising numbers of healthcare data breaches, and the importance of making cybersecurity a top priority for healthcare.
HIPAA Right of Access
Sole Practitioner Pays $30,000 Fine
Donald Brockley, DDM, agreed to pay $30,000 and take corrective actions to resolve allegations of a HIPAA Right of Access failure. The dentist, based in Butler, Pennsylvania, allegedly failed to provide a patient with a copy of their medical record.
According to the settlement, HHS first notified Brockley of OCR’s investigation in August 2019. In November 2020, OCR imposed a $104,000 civil monetary penalty against Brockley.
However, in January 2021, Brockley requested a hearing before an Administrative Law Judge to challenge the penalty. The judge lowered the penalty amount but still required Brockley to implement new HIPAA training practices, provide copies of the training materials, and provide proof that the medical records were delivered to the patient.
California Psychiatrist Pays $28,000 Fine
California-based psychiatric provider Jacob & Associates agreed to pay a $28,000 penalty and take corrective actions to settle alleged violations of the HIPAA Privacy Rule.
OCR received a complaint in November 2018 alleging that Jacob had failed to provide medical records to a patient who requested them each year from 2013 to 2018. The patient noted that she had mailed letters to Jacob & Associates on July 1 of each year requesting her medical records but never received a response.
In 2019, Jacob & Associates finally provided her with a copy of her medical records, but only after she traveled to the office and paid a fee for the records. OCR later found that Jacob & Associates had not designated a privacy official, and its policies were non-compliant.
Jacob & Associates did not admit to the violations but agreed to pay HHS $28,000 and implement a corrective action plan.
Beware Marketing Consultants’ HIPAA Advice
Alabama Dentist Disclosed PHI to Third-Party Consultant
Marketing consultants do not typically understand HIPAA law. Too often we’ve heard from providers about incorrect advice they’ve received from consultants. One example landed a dentist in hot water with OCR.
OCR issued a $62,500 penalty to Northcutt Dental-Fairhope, LLC to settle alleged violations of the HIPAA Privacy Rule. In 2017, David Northcutt, owner of Alabama-based Northcutt Dental, intended to run for the Alabama State Senate. He allegedly gave an Excel spreadsheet to his campaign manager containing the names and addresses of 3,657 patients.
The campaign manager allegedly mailed letters to the patients announcing Northcutt’s senate campaign. In 2018, Northcutt then allegedly engaged a third-party marketing company, Solutionreach, to send emails to 5,385 patients for the same announcement.
OCR alleged that Northcutt violated HIPAA by disclosing names and addresses to the marketing company, a third-party entity that was not covered by HIPAA.
Although Northcutt Dental did not admit wrongdoing, they agreed to pay $62,500 to resolve the matter. Northcutt Dental also agreed to a corrective action plan to ensure future HIPAA compliance.
North Carolina Dentist Responds to an Online Review and Pays $50,000 Fine
One of the most common and obvious HIPAA violations is committed by providers trying to manage online reviews. Yesterday OCR announced a $50,000 civil penalty for U. Phillip Igbinadolor, DMD & Associates, P.A. (UPI) after the dental practice exposed a patient’s PHI on a webpage in response to the patient’s negative online review.
The North Carolina dental practice did not respond to OCR’s initial data request or administrative subpoena, and later waived its rights to a hearing by not contesting OCR’s findings in its Notice of Proposed Determination.
The Notice of Proposed Determination stated that the issue stemmed from a 2015 complaint on Google reviews. The patient who complained had used a pseudonym in their review, and visited UPI’s office twice from 2013 to 2014.
In 2015, UPI responded to the negative review on Google. The healthcare provider, UPI, wrote:
“It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don’t have to do anything, just let them talk. He never came back for his scheduled appointment. Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it’s obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.”
After the complainant brought the incident to OCR’s attention in 2015, OCR made numerous requests for information from UPI. UPI failed to respond to OCR’s subpoena for its HIPAA policies and procedures, and in June 2021 OCR issued its notice of final determination and imposed a $50,000 penalty and a corrective action plan.
OCR addressed the issue of online patient reviews in 2019; see OCR’s settlement with Elite Dental. However, HIPAA violations involving patient reviews have grown significantly since then, fueled in part by marketing advisors and vendors that encourage health care providers to enhance their visibility and reputation by soliciting patient reviews.
HIPAA Still Matters and OCR is Watching
The cost of lax compliance can be steep. Make sure your policies are up to date, you understand the Right of Access rules, your training is recent, and you have a current Risk Analysis and security risk assessment. Review, refresh, repeat. Pay attention year-round, and ask questions if you need help.