Financial Penalties Imposed for HIPAA Right of Access Violations and Impermissible PHI Disclosures

The U.S. Department of Health and Human Services’ Office for Civil Rights recently announced that four investigations into potential HIPAA violations have been resolved and financial penalties have been imposed. Three of the HIPAA cases were settled, and one resulted in a civil monetary penalty.

All four actions were against small healthcare providers: two dental practices, a solo dentist, and a psychiatric services provider. Two of the cases stem from complaints from patients who failed to be provided with their medical/dental records in a reasonable time for a reasonable cost-based fee. The other two cases involved impermissible disclosures of patients’ protected health information, one of which was on an online review platform, and the other involved a mailshot and mailing about a matter unrelated to patients’ healthcare. The cases demonstrate that healthcare organizations of all sizes are required to comply with the HIPAA Rules, from individual healthcare professionals to large healthcare systems, and OCR will impose financial penalties if the HIPAA Rules are violated.

Two More Penalties Imposed for HIPAA Right of Access Violations

Earlier this year, the new OCR director, Lisa J. Pino, said the Office for Civil Rights would be continuing with its HIPAA Right of Access enforcement initiative that was launched in 2019. Including these two cases, 27 financial penalties have now been imposed to resolve HIPAA Right of Access violations under this enforcement initiative. The latest two penalties were imposed on Dr. Donald Brockley, D.D.M, a solo dentist in Butler, PA, and the California mental health services provider, Jacob & Associates.

OCR received a complaint from a patient of Dr. Brockley who alleged a request had been sent to Dr. Brockley for a copy of the patient’s medical records, but they were not provided within the allowable 30 days. After Dr. Brockley failed to respond to a request from OCR for documentation on any mitigating factors, OCR announced its intention to impose a financial penalty of $104,000 for the HIPAA Right of Access violation. Dr. Brockley requested the case go before an Administrative Law Judge, but the case was settled out of court and Dr. Brockley agreed to pay a $30,000 penalty.

The Jacob & Associates case resulted from a complaint from a patient who alleged she had requested a copy of her records every July 1 from 2013 to 2018, but the records were not provided and had still not been received by November 23, 2018. After the complaint was submitted to OCR and another request was sent, Jacob & Associates provided an incomplete set of records and then later provided all records as requested. However, the patient was required to travel to the office to fill out the required form and she was charged $25 for the records. OCR determined the fee was unreasonable and was not cost-based, and the delay in providing the records violated the HIPAA Right of Access. The case was settled and a financial penalty of $28,000 was paid.

Impermissible Disclosures of PHI Attract Financial Penalties

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a dental practice in Fairhope, AL, that is owned by Dr. David Northcott, was investigated over an impermissible disclosure of patients’ PHI. Dr. Northcott decided to run for state senator and provided a list of 3,657 patient names and addresses to his campaign manager. Letters announcing Dr. Northcott’s decision to run for state senator were sent, and the same individuals’ email addresses were provided to a third-party marketing company to send campaign emails, which were also sent to a further 1,727 patients. Those disclosures violated the HIPAA Privacy Rule, and OCR also determined that Northcutt Dental had failed to designate a privacy officer until November 2017 and had not implemented policies and procedures to comply with the requirements of the Privacy and Breach Notification Rules until January 1, 2018. The case was settled and a financial penalty of $62,500 was imposed.

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice in North Carolina, was investigated over the impermissible disclosure of a patients’ PHI in a Google review. A patient of UPI had submitted a negative review on UPI’s Google page anonymously. UPI responded to the review and disclosed the patient’s identity and details of the patient’s visits. UPI did not respond to OCR’s requests for data, did not respond or object to an administrative subpoena, waived the rights to a hearing, and did not remove the response to the negative review. The case went before an Administrative Law Judge and a civil monetary penalty of $50,000 was imposed.

These four HIPAA violation penalties are the first to be announced so far in 2022. “Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” OCR Director Lisa J. Pino said in a statement.