HIPAA enforcement is not letting up in 2022. Today the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the settlement of investigations into potential violations of the HIPAA right of access rules at three dental practices. These three bring the total number of right of access settlements to 41 since OCR’s Right of Access Initiative began in 2019. OCR seems to be signaling that HIPAA enforcement continues to be a top priority and there may be more to come.
HIPAA is not only about privacy. It also protects patients’ broader rights related to their own protected health information (PHI) – for example, only the patient can decide who may see their PHI but HIPAA also requires that patients receive timely access to their own medical records at a reasonable cost. The process should be easy and prompt.
OCR Director Melanie Fontes Rainer commented on the settlements:
“These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law. Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”
In the OCR press release, the agency says that the three enforcement actions “underscore the importance and necessity of compliance with the HIPAA Rules, including the foundational right of access provision.” (italics added for emphasis).
The investigations illustrate that the dental practices either didn’t know about the right of access rule, or if they knew, compliance was not a priority. Each case is slightly different but together they show how delay or overcharging could lead to an investigation and settlement payment.
The three settlements are:
$30,000 – Family Dental Care, P.C., (FDC) Chicago, IL
A patient requested her entire medical records in May, 2020, but received only portions. She filed a complaint with OCR in August, 2020, and during OCR’s investigation, FDC provided her with the remainder of her records in October, 2020, more than five months after the request was made. OCR determined that FDC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.
$80,000 – Great Expressions Dental Center of Georgia, P.C., (GEDC) Georgia
In November 2020, OCR received a complaint alleging that GEDC would not provide an individual with copies of her medical records because she would not pay GEDC’s $170 copying fee. The individual first requested her records in November 2019, but did not receive them until February 2021, fifteen months later. OCR’s investigation determined that GEDC-GA’s failure to provide timely access to the requested medical records, and its practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision.
$25,000 – B. Steven L. Hardy, D.D.S. LTD, dba Paradise Family Dental (Paradise), Las Vegas NV
On October 26, 2020, OCR received a complaint alleging that Paradise had failed to provide a mother with copies of her and her minor child’s PHI. The mother submitted multiple record requests between April 11, 2020, and December 4, 2020, but Paradise did not send the records until December 31, 2020, more than eight months after her initial request. OCR’s investigation determined that Paradise’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.
All three dental practices are also entering Corrective Action Plans for continued monitoring by OCR.
In The HIPAA E-Tool® you can read A Current Simple Guide to Right of Access. Or, see OCR’s guidance on the right of access.
Learn the Right of Access Rule and Protect Your Practice
Practical answers and step-by-step guidance is at your fingertips in The HIPAA E-Tool®. Whether you need basic policies, want to know more about Risk Analysis and Risk Management, or want up-to-date consent forms, all you need is here.
Don’t wait for a patient complaint or a data breach, both of which could trigger an investigation and expensive payments. Help is available today.