Client Alert: Latest HIPAA Enforcement Actions
The Office of Civil Rights (OCR) has released information on its latest Health Insurance Portability and Accountability Act (HIPAA) enforcement actions. The government continues to pursue investigations and administrative actions against Covered Entities that do not timely or appropriately respond to patients’ requests for records. According to the OCR, under its HIPAA Right of Access Initiative, there have been 27 enforcement actions relating to a patient’s right of access. Two of the following cases were part of the Initiative.
The following is a summary of the issues in each action, according to OCR's press release:
Dr. Donald Brockley, D.D.M., a solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record. After being issued a Notice of Proposed Determination, Dr. Brockley requested a hearing before an Administrative Law Judge. Before the court made a determination, the litigation was resolved by a settlement agreement in which Dr. Brockley agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule's right of access standard.
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s protected health information (PHI) on a webpage in response to a negative online review. UPI did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.
Jacob and Associates, a psychiatric medical services provider with two office locations in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.
Northcutt Dental-Fairhope, LLC (Northcutt Dental), a dental practice in Fairhope, Alabama that impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
The government will continue to investigate complaints by patients regarding HIPAA. Covered Entities and Business Associates need to review their HIPAA policies and practices. Additionally, the following actions are recommended: (a) appoint a Privacy Officer in writing; (b) review your HIPAA policies at least every two years; (c) review HIPAA staff education and compliance with education requirements; (d) assess the level of compliance with HIPAA policies; (e) ensure that you have business associate agreements where required; and (f) conduct a HIPAA risk assessment. These are the minimum items that may be reviewed during any investigation by the OCR. OCR has conducted a number of reviews and is aware that many entities are not fully meeting these standards. You do not want to be the entity that is an easy target. Finally, ensure that the above items are documented and easily accessible if you are investigated.