The Department of Health and Human Services’ Office for Civil Rights has imposed four financial penalties on healthcare providers to resolve violations of the Health Insurance Portability and Accountability Act (HIPAA).
Three dental practices were hit with sizable fines, one for a violation of the HIPAA Right of Access and two for impermissible disclosures of patients’ protected health information (PHI).
The HIPAA Right of Access is a requirement of the HIPAA Privacy Rule and permits individuals to obtain a copy of their medical or dental records from their healthcare providers. Once a provider receives such a request, the records must be provided within 30 days. In limited circumstances, a 30-day extension is permitted.
Dr. Donald Brockley, D.D.M., a solo dental practitioner in Butler, Pennsylvania, received a request from a patient for a copy of their medical records and failed to respond in the permitted time. The patient submitted a complaint with OCR, which investigated the potential violation. Dr. Donald Brockley failed to respond to OCR’s request for information, and litigation was initiated to recover a proposed $104,000 fine. The case went before an Administrative Law Judge and was settled out of court for $30,000.
Northcutt Dental-Fairhope, LLC (Northcutt Dental), a dental practice in Fairhope, Alabama, settled its case with OCR and paid a $62,500 penalty. The owner of Northcutt Dental, Dr. David Northcutt, decided to run for state senate. He provided the names and addresses of 3,657 patients to his campaign manager to contact the patients and tell them he was running for state senate. The email addresses of the patients, along with the email addresses of a further 1,727 patients, were provided to a third-party marketing firm to send emails about the campaign. Those disclosures were not permitted under the HIPAA Privacy Rule. OCR also found irregularities with the practice’s notice of privacy practices and the practice had failed to appoint a privacy official.
Dr. U. Phillip Igbinadolor, DMD. & Associates, PA, (UPI), which operates dental clinics in Charlotte and Monroe in North Carolina, was the recipient of a negative review from a patient on the company’s Google page. The review had been added anonymously, but in the response to the “unsubstantiated accusations,” UPI named the patient.
The disclosure of the patient’s name and information about his visits violated the patient’s privacy and was an impermissible disclosure of the patient’s PHI. UPI was ordered to remove the response but failed to do so, and UPI failed to respond to an administrative subpoena requesting documentation. A civil monetary penalty of $50,000 was imposed.
Another healthcare provider also received a financial penalty for a HIPAA Right of Access violation. Jacob and Associates, a psychiatric medical services provider in California, failed to respond to a request from a patient for a copy of her medical records. The patient alleged that at the time of the complaint, a request for the records had been submitted once a year for the previous 6 years. After the patient filed a complaint with OCR, the records were eventually provided; however, the patient was charged an excessive fee for the records. Under HIPAA, only a cost-based fee is permitted. Jacob and Associates settled the case and paid a $28,000 penalty.
“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”