The Office for Civil Rights of the Department of Health and Human Services announced its first enforcement actions of 2022 against four separate provider officers for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, including the right of access to protected health information.In addition to Dr. Donald Brockley, a dental practitioner in Pennsylvania, settlements were reached with North Carolina-based Dr. U Phillip Igbinadolor, D.M,D, (UPI); California-based Jacob and Associates, a provider of mental health services; and Alabama-based Northcutt Dental-Fairhope, a dental practice in Fairhope and the surrounding area.In a statement, OCR Director Lisa Pino stated that the purpose of these enforcement proceedings is to hold healthcare providers accountable for their HIPAA compliance.According to Pino, "Given the increasing frequency of breaches of unprotected protected health information and the ongoing cybersecurity dangers affecting the healthcare industry, it is imperative that covered institutions take their HIPAA compliance responsibilities seriously."she added. The Office of Civil Rights is dedicated to preserving health information through its enforcement of privacy and security infractions, which includes the prosecution of civil money penalties for violations that go undetected.Two of the settlements are related to alleged violations of the HIPAA right of access standard, according to the agreements. Since the introduction of the OCR program in 2018, which aims to guarantee that patients have timely access to their medical information, 27 providers have reached a settlement with the agency over potential right of access failures, according to the organization.
The Office of Consumer Rights has reached a settlement with a dental professional who was enraged by a poor review.
The Office of Civil Rights (OCR) fined UPI $50,000 in civil monetary penalties after the company failed to respond to an OCR data request and an administrative subpoena. UPI likewise neglected to raise any objections to OCR's conclusions. The settlement and findings are the result of an unusual incident that occurred in 2015.During the years 2013 and 2014, a patient came to UPI for dental treatment. In 2015, the patient used a pseudonym to publish a bad review of UPI on Google, which was later removed. UPI responded to the unfavorable review many weeks later, in the process releasing the patient's name and protected health information, which was against the law at the time.The patient was identified in the UPI post, who accused them of making "unsubstantiated claims" against him because he had only visited the practice on two occasions since October 2013. UPI went on to describe each appointment as well as the nature of those treatments, allegedly disparaging the patient and his IQ in preparation for the investigation.A patient complaint was filed with the Office of Civil Rights, stating that UPI had violated his rights under the HIPAA Privacy Rule. UPI was notified by OCR of the audit, and the agency requested information about the provider's policies and processes for responding to patient reviews online, PHI use and disclosures, PHI safeguards, and proof of HIPAA training. The inquiry was begun the next year.However, while UPI admitted that it replied to the patient's negative review and provided its Notice of Privacy Practices to the Office of Civil Rights (OCR), it failed to furnish the agency with any training documents, rules, or procedures.After reviewing UPI's online response to the review, OCR determined that it "constituted an unlawful disclosure of PHI," and that UPI should "immediately remove" its response. UPI was also advised that "it should, if it did not already have such rules and procedures, adopt policies and procedures connected to the disclosure of protected health information, and more specifically with regard to the sharing of protected health information on social media."What followed was a year-long battle between UPI and the regulator, which included OCR requests for copies of UPI's policies and procedures for social media use in connection with the disclosure of protected health information (PHI) and whether UPI had removed its response to the negative review from its website.Despite the fact that UPI sent an acknowledgement of training, it did not include any materials describing the substance of the training session. "The response remains public as of the date of this warning," the dentist said of his failure to remove the PHI from his Google profile page. The provider has not yet submitted its social media rules and procedures to the Office of Consumer Rights.The Office of Civil Rights (OCR) stated that the reaction to the patient's negative review was in violation of the HIPAA Privacy Rule and attempted to get financial data from UPI in order to adequately establish the amount of the civil monetary penalty, which was a factor in these decisions.However, the provider declined to participate, stating that "the requested records will not be provided since they 'do not relate to HIPAA.'" The Office of Civil Rights (OCR) again clarified the objective of the requests, causing additional refusals to participate and the statement: "I will see you in court."UPI was served with a subpoena by the Office of Civil Rights in November 2017, asking the relevant records. UPI, on the other hand, has not yet reacted to or opposed to the subpoena."A covered entity must cooperate with OCR if OCR conducts an investigation or compliance assessment of the covered entity's policies, procedures, or practices to determine whether the covered entity is in compliance with the applicable HIPAA provisions," according to HIPAA.According to the enforcement action, "UPI failed to cooperate with OCR's investigation to determine whether UPI is complying with the applicable HIPAA provisions, specifically with regard to its HIPAA policies, procedures, and practices," which was launched to determine whether the company was in compliance with the law.
After an audit into a patient complaint of noncompliance with the HIPAA right of access rule in 2019 revealed that Brockley Dental did not provide a patient with a copy of their medical record, the dental provider reached a settlement with the Office of Civil Rights for $30,000 and an agreement to enter into a corrective action plan with the agency.In 2020, the Department of Health and Human Services (HHS) notified Brockley that it will issue a civil money penalty of $104,000 as a result of the access failure. A hearing before an administrative law judge to contest the penalty was requested by the dentist, and a hearing was scheduled for January 2020. Over a year later, a joint motion stay of proceedings was granted, preventing pending deadlines from being met and allowing HHS and Brockley to "resolve their disagreement."The agreed-upon resolution resulted in a $70,000 reduction in the monetary penalty and the development of a detailed corrective action plan.Brockley is required to establish and distribute HIPAA policies and procedures that detail right of access requirements, as well as train all relevant employees on the laws, as part of the settlement agreement. All training materials must be supplied to the Department of Health and Human Services (HHS). The patient who was the subject of the original audit must also be provided with access to her entire designated data set.The second right of access settlement involves Jacob and Associates, which will pay the Office of Civil Rights $28,000 in order to resolve suspected violations of the HIPAA privacy and security standard.[/fusion_text][fusion_text rule_style="default" hide_on_mobile="small-visibility,medium-visibility,large-visibility" sticky_display="normal,sticky" animation_direction="left" animation_speed="0.3"]According to a November 2018 patient complaint, over the course of five years, she "mailed letters in a stamped envelope addressed to Jacob and Associates requesting access to a copy of her medical records but had not received any response or records as requested and had not received any response or records as requested by the date of her complaint."The most recent request was made on July 1, 2018, and the patient did not receive a response, sparking an investigation by the Department of Health and Human Services. In response, the patient resubmitted her request through fax, and on May 16, 2019, she received a complete copy of her medical data "via electronic mail, in accordance with her request."After requiring her to travel to its office to complete its form in order to exercise her right of access, charging a flat fee that was not cost-based ($25 per medical records request), and initially providing an incomplete (one page) paper copy of the records, according to the investigation, the records were only sent after the investigation.A second finding of the study was that the provider did not have a designated privacy officer in place, which is required by HIPAA. The Department of Health and Human Services discovered that the dental provider's notice of privacy practices lacked the content necessary by the federal privacy regulation.In summary, the Department of Health and Human Services determined that the provider failed to provide timely access in the manner and format requested, charged an exorbitant amount, and failed to execute right of access policy and procedures.In light of the settlement, it is important to remember that when the Office for Civil Rights (OCR) conducts an audit following a patient complaint, a provider may be found liable for other HIPAA violations, even if the violation is not related to the initial complaint, because it all falls under the HIPAA Privacy and Security rules.
The final settlement resulted from the disclosure of information that was not permitted.
For suspected violations of the HIPAA Privacy Rule, Northcutt Dental-Fairhope has agreed to pay the Office of Civil Rights $62,500 and to take corrective action, according to the OCR.When the practice's owner, Dr. David Northcutt, decided to run for state senator in Alabama in 2017, an event occurred that resulted in the settlement agreement being reached. When Northcutt teamed up with a campaign manager, he handed over an Excel document with the names and addresses of 3,657 of his patients to them.The campaign manager used the information to send letters to the dentist's patients informing them about his state senate race. As highlighted in the OCR resolution agreement, "the letter was written on the campaign's letterhead, but addressed the addressee as 'Dear Valued Patient.'"[/fusion_text][fusion_text rule_style="default" hide_on_mobile="small-visibility,medium-visibility,large-visibility" sticky_display="normal,sticky" animation_direction="left" animation_speed="0.3"]The campaign manager sent a follow-up email to the same patients who had responded to the first one. A third-party marketing organization was hired by Northcutt to send the emails to the previous group of patients, in addition to an additional 1,727 patients, for a total of 5,385 individuals.Northcutt Dental, according to the findings of the OCR's investigation into the incident, impermissibly disclosed the contact information of 3,658 patients by sharing their data with the campaign manager, and then impermissibly disclosed the contact information of 5,385 individuals by sharing their data with the "marketing vendor for purposes outside the service arrangement in place."The investigation also discovered that Northcutt Dental did not appoint an official privacy official until November 2017, and that it did not put in place policies and procedures to comply with the HIPAA Privacy and Breach Notification Rules until January of the following year.In addition to paying the fine, Northcutt Dental is expected to follow the procedures prescribed by the Office of Civil Rights in its corrective action plan. The provider must amend its written HIPAA policies and procedures in order to assure compliance and submit them to the Department of Health and Human Services. The provisions must outline, among other things, the uses and disclosures of protected health information (PHI), as well as training procedures and administrative protections.