Following a winter of hibernation, the Department of Health and Human Services (HHS) regulators roared to life with the announcement of three settlements and one fine totaling more than $172,000 for violations of HIPAA’s Patient Right of Access and Privacy Rules. Each HIPAA dental fine, as well as the behavioral health fine, were issued for varying degrees of noncompliance.
Monetary Penalties Assessed for Three Dentists, and a Behavioral Health Provider
As the investigatory and enforcement arm of HHS, the Office for Civil Rights (OCR) has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Rules, including the foundational Right of Access provision:
Dr. Donald Brockley, D.D.M., a solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record. After being issued a Notice of Proposed Determination, Dr. Donald Brockley, D.D.M, requested a hearing before an Administrative Law Judge.
The litigation was resolved before the court made a determination by a settlement agreement in which Dr. Donald Brockley, D.D.M, agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review.
UPI did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 HIPAA fine.
Northcutt Dental-Fairhope, LLC (Northcutt Dental), a dental practice in Fairhope, Alabama, that impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
Jacob and Associates, a psychiatric medical services provider with two office locations in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.
OCR Director Warns Enforcement Will Continue
In a statement accompanying the announcement, OCR Director Lisa J. Pino underscored the agency’s commitment to enforcing privacy and security standards for patients’ protected health information (PHI).
“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said Pino.
“OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”