The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA fines of 2022: two enforcement actions to resolve HIPAA Right of Access violations and two for impermissible PHI disclosures.
No financial penalties were announced by OCR in the first two months of 2022, but the new OCR director, Lisa J. Pino, confirmed this year that OCR was not letting up in its pursuit of financial penalties for non-compliance with the HIPAA Rules and said OCR would continue to enforce compliance with the HIPAA Right of Access under the enforcement initiative that was launched in 2019.
The latest two enforcement actions under the HIPAA Right of Access initiative bring the total number of penalties imposed for noncompliance with this important HIPAA right up to 27. The latest two recipients of a financial penalty for HIPAA Right of Access Violations are Dr. Donald Brockley, D.D.M and Jacob and Associates.
Pennsylvania Dental Practitioner to Pay $30,000 HIPAA Right of Access Penalty
Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, agreed to settle a HIPAA Right of Access case with OCR and pay a financial penalty. OCR received a complaint from a patient who alleged Dr. Brockley had failed to provide a copy of the patient’s requested dental records within the time frame stipulated by the HIPAA Privacy Rule. OCR sent a letter to Dr. Brockley in August 2020 as part of the investigation but did not receive a response. OCR then notified Dr. Brockley that it was imposing a financial penalty of $104,000 for the violation of the HIPAA Right of Access. Dr. Brockley contested the fine and requested a hearing with an Administrative Law Judge.
In October 2021, both parties filed a Joint Motion for Stay of Proceedings for 60 days to provide time to resolve the dispute, and the two parties agreed to a financial penalty of $30,000 and the adoption of a corrective action plan to ensure future compliance with the HIPAA Right of Access.
California Psychiatric Medical Services Provider Fined $28,000 for HIPAA Right of Access Violation
This case dates back to a complaint received by OCR on November 23, 2018. A patient of Jacob & Associates, which provides psychiatric medical care services, claimed to have mailed a letter to Jacob & Associates on July 1, 2018, each year between 2013 and 2018 asking for a copy of her medical records. She claimed not to have ever received a copy of the requested records.
A request was then resubmitted by facsimile, and the requested records were eventually provided by electronic mail on May 16, 2019. However, she was required to travel to the office in person to complete a form, and a non-cost-based fee of $25 was charged for providing those records. Initially, only a partial copy of the records (one page) was provided.
OCR investigated and discovered that in addition to failing to provide timely access to medical records and charging an unreasonable fee for providing a copy of the records, Jacob & Associates was in violation of other provisions of the HIPAA Privacy Rule. The notice of privacy practices was not compliant as it did not include the required content, and the practice had not appointed a HIPAA Privacy Officer.
The case was settled for $28,000 and a corrective action plan has been implemented to address the areas of non-compliance.
Dental Practice Fined for Impermissible Disclosure of PHI When Responding to a Negative Review
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI) in Charlotte and Monroe, NC, has had a $50,000 civil monetary penalty imposed due to an impermissible disclosure of a patient’s protected health information online in response to a negative review.
The patient in question had posted a negative review on UPI’s Google page around September 28, 2015, under a pseudonym so as not to reveal his identity. The review related to two visits to the UPI offices in October 2013 and March 2014. UPI responded to the negative review the same day it was posted and named the patient and provided details of the visits.
The patient submitted a complaint to OCR on November 15, 2016, alleging a HIPAA Privacy Rule violation, and OCR notified UPI that an investigation had been launched into the violation on July 21, 2016. UPI failed to respond to OCR’s data request. OCR followed up with a telephone call, explained that the response to the review violated HIPAA, and instructed UPI to remove the response and ensure that policies and procedures covering PHI and social media were developed and implemented.
The negative review response remained in place, and the requested documentation (Acknowledgement of Training) did not contain any documents about the actual content of the training. OCR had also requested policies and procedures regarding social media, and they were not provided.
UPI also failed to provide the requested financial statements, which OCR needed when determining an appropriate financial penalty, as UPI maintained they were not related to HIPAA. OCR explained why they were needed, and UPI still refused to provide them, with one response accompanied by the statement, “I will see you in court”. UPI then received an administrative subpoena requesting the provision of all requested documentation. No response was received, and the failure to comply with the subpoena, together with the alleged HIPAA violations, resulted in a $50,000 financial penalty, the maximum fine for a violation affecting one patient under the “willful neglect, not corrected” penalty tier.
Alabama Dental Practice Fined for Impermissible Disclosure of PHI for Marketing Purposes
The Fairhope, AL-based dental practice, Northcutt Dental-Fairhope, LLC (Northcutt Dental), has settled its HIPAA case with OCR and agreed to pay a $62,500 settlement to resolve alleged HIPAA violations related to an impermissible disclosure of the PHI of patients to a campaign manager and third-party marketing company.
The operator and owner of Northcutt Dental, Dr. David Northcutt, decided to run for state senator for Alabama District 32 in 2017. A campaign manager was engaged to assist, and the owner provided the campaign manager with an Excel spreadsheet that contained the names and addresses of 3,657 patients to be used for marketing purposes to explain that he was running for state senator. Emails were also sent to patients by a third-party marketing company, Solutionreach, for the same purpose. They were provided with the email addresses of the same group of patients and the email addresses of a further 1,727 patients. These were impermissible disclosures under the HIPAA Privacy Rule.
OCR investigated and also determined that Northcutt Dental had not implemented policies and procedures to comply with the HIPAA Privacy and Breach Notification Rules until January 1, 2018, and had not appointed a HIPAA Privacy Officer until November 14, 2017.
“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”