HHS OCR Announces Four Enforcement Actions for HIPAA Violations

On March 28, 2022, the United States Department of Health and Human Services Office of Civil Rights (HHS OCR) announced four new enforcement actions against healthcare providers for violations of HIPAA. Two of the four enforcement actions were part of OCR’s HIPAA Right of Access Initiative.

Interestingly, three of the four enforcement actions were filed against dental practices. In one of the three, a dental practitioner in Butler, Pennsylvania failed to provide medical records as requested by a patient. After receiving a Notice of Proposed Determination, the dentist involved requested a hearing before an Administrative Law Judge. The case was resolved via a settlement agreement in which the dentist agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.

The second agreement was reached with a different dental practice, in Alabama, whose owner provided an Excel spreadsheet with the names and addresses of more than 3,600 patients to his campaign manager for his state senate bid. The campaign manager then mailed letters to the patients, announcing the dentist’s run for political office. The following year, the same dentist hired a third-party marketing company to send emails to more than 5,300 patients for the same reason. That dentist agreed to a $62,500 penalty for violating the HIPAA Privacy Rule.

The third dental practice received a $50,000 civil penalty for responding to a patient’s negative Google review by using the patient’s full name and providing specific details about his treatment, closing the response with a suggestion to “get a life.” The patient made a complaint to OCR, and during its investigation the agency asked the practice several times for information on the incident and received no response. Because the practice did not respond to any of the data requests, did not respond or object to an administrative subpoena, and did not contest the findings in OCR’s Notice of Proposed Determination, OCR imposed the $50,000 civil monetary penalty.

The final enforcement action stemmed from a Right of Access complaint filed against a California psychiatrist. In this instance, a patient mailed several letters to the practice on July 1 of each year, starting in 2013 and ending in 2018, requesting a copy of her medical records. The patient did not receive a response until 2019, when she traveled to the office in person and paid a fee for the records.
