OCR Announces 4 Financial Penalties to Resolve HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed.
OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving HIPAA violations of this important HIPAA provision. One of the fines was been imposed, in part, for overcharging a patient who requested a copy of their medical records – The first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients.
“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”
Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access
Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, was investigated by OCR over a complaint from a patient who had not been provided with a copy of the requested medical records within the time allowed by the HIPAA Privacy Rule. OCR determined that there had been a HIPAA Right of Access violation and provided Dr. Brockley with the opportunity to provide written evidence of any mitigating factors in an August 27, 2019, letter. No response was received.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
OCR then notified Dr. Brockley of its intention to impose a financial penalty of $104,000, and Dr. Brockley requested a hearing with an Administrative Law Judge to contest the financial penalty. On October 8, 2021, the parties filed a joint motion to stay proceedings for 60 days, during which time an agreement was reached with both parties and the case was settled.
Dr. Brockley agreed to pay a $30,000 financial penalty and adopt a corrective action plan which included updating policies and procedures to ensure compliance with the HIPAA Right of Access.
$28,000 Financial Penalty for California Psychiatric Medical Services in HIPAA Right of Access Case
Jacob & Associates, a California provider of psychiatric medical services, was investigated by OCR over a complaint from a patient who claimed that medical records had been requested from Jacob & Associates on July 1, 2018, but had not been provided. The complainant claimed to have sent similar requests every July 1 since 2013 but had never been provided with the requested records.
After submitting the complaint to OCR, the complainant resent their record request was provided with a complete copy of the requested records on May 16, 2019, by electronic mail. However, in order for the patient to be provided with those records, she was required to travel to the practice to complete a record access form in person. She was also charged $25 for the copy of her records, and initially was only provided with an incomplete, single-page copy and had to submit another request to obtain her full records.
OCR determined that Jacob & Associates had violated the HIPAA Right of Access by not providing timely access to the patient’s medical records, had charged the patient an unreasonable non-cost-based fee, and did not have policies and procedures in place concerning the right of patients to access their protected health information.
During the investigation, OCR also determined that Jacob & Associates had not designated a HIPAA Privacy Officer and its notice of privacy practices lacked the required content. The case was settled for $28,000 and Jacob & Associates agreed to a corrective action plan to address all areas of alleged non-compliance.
$50,000 Civil Monetary Penalty Imposed on Dental Practice for Social Media HIPAA Violation
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI), a dental practice with offices in Charlotte and Monroe, NC, was investigated by OCR after a patient submitted a complaint in November 2015 alleging an unauthorized disclosure of his protected health information in response to a negative online review of the practice.
On or around September 28, 2015, the complainant, using a pseudonym to protect his privacy, posted a negative review on UPI’s Google page. UPI responded to the review and claimed the accusations made by the patient were unsubstantiated; however, UPI identified the patient and mentioned the patient’s full name on three occasions in the response, the symptoms the patient was experiencing, and the treatment that was recommended but not provided.
OCR reviewed the complaint and requested documentation from UPI in July 2016 on its policies and procedures covering responses to online reviews and social media, uses and disclosures of PHI, safeguarding PHI, and details of HIPAA training that was provided prior to, and in response to, the incident. UPI confirmed that a response had been posted to the Google page, but only provided OCR with its notice of privacy practices.
In August 2016, OCR informed UPI that the response to the review violated the HIPAA Privacy Rule and was an impermissible disclosure of PHI and told UI to remove its response to the review and implement policies and procedures, if they had not already been implemented, covering online reviews and social media. In 2017, OCR requested a copy of the policies and procedures and again told UPI to remove the response to the review.
Only an acknowledgment of training was provided to OCR, and it did not include any of the training content. The response to the review was not removed. OCR then requested financial statements to be used to determine an appropriate financial penalty, but UPI refused to provide them claiming they were not related to HIPAA. After OCR explained why they were required, UPI responded in September 2017 and refused to provide the records, and included the statement “I will see you in court”.
After receiving and failing to respond to an administrative subpoena requesting the provision of policies and procedures, training, income statements, balance sheets, statements of cash flow, and federal tax returns, and the failure to respond to further communications, OCR obtained the authorization of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 under the penalty tier of wilful neglect with no correction.
Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for Marketing Purposes
Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Dr. David Northcutt, the operator and owner of Northcutt Dental, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt engaged a campaign manager and a third-party marketing company to provide assistance with the state senate election campaign. The campaign manager was provided with an Excel spreadsheet that included the names and addresses of 3,657 patients, and letters were sent to those individuals to notify them that Dr. Northcutt was running for state senate. The email addresses of those individuals, along with the email addresses of a further 1,727 patients, were provided to the marketing company Solutionreach to send a campaign email.
OCR determined that the disclosures of PHI to the campaign manager and third-party marketing company were impermissible disclosures of PHI. OCR also determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until November 14, 2017, and policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The case was settled and Northcutt Dental agreed to a $62,500 penalty and a corrective action plan to address the alleged areas of non-compliance.