At first glance, the Department of Health and Human Services’ Office for Civil Rights HIPAA enforcement for the year 2022 appears to be lax. In 2022, OCR entered into 20 resolution agreements with HIPAA-covered entities, and imposed civil monetary penalties on two more. 22 cases total. 

The breakdown: four HIPAA Privacy Rule impermissible disclosure cases. 17 right-of-access cases (15 settlements, 2 cases in which civil monetary penalties were imposed). One Security Rule violation case. The total amount of settlement and civil monetary penalty money collected: $2,170,140.

Trying to fashion a story or theme around this seemingly random and sleepy enforcement year seems difficult. This HIPAA 2022 review discusses potential reasons for OCR’s apparent shift in focus from security rule violations in data breach cases to right-of-access enforcement. This HIPAA 2022 review also goes over what covered entities and business associates can learn from the individual cases to prevent falling prey to fines in the future.

HIPAA Fines 2022 Review: Stop Making Sense

Attempts at a “Unified Theory of OCR Everything” have been made. One theory holds that a 2021 court case (resolved against OCR) has scared OCR off of enforcing the Security Rule. Since this January 2021 court ruling, OCR has only entered into one Resolution Agreement containing a monetary settlement for a data breach.

In the January 14, 2021 decision striking down a $4.3 million fine imposed on the University of Texas MD Anderson Cancer Center, the U.S. Court of Appeals for the Fifth Circuit did indeed issue a ruling against OCR, finding the rationale for imposing a Security Rule-related fine to be unsound. Since January 14, 2021, OCR has indeed only entered into one data breach settlement, in July of 2022. 

The “court scared OCR off” theory is only as solid as the evidence to support it, and there is little to no evidence that the court decision has actually influenced OCR’s decisions as to which entities to investigate and for what reasons.

The ruling came from one of 13 federal appeals courts, and is only binding precedent on the states within that court’s jurisdiction (Mississippi, Louisiana, and Texas). The number of covered entities and business associates who have gone so far as to file a federal lawsuit, both before and after MD Anderson, in response to an unfavorable OCR decision, can be counted on two hands. 

While the decision (which essentially held that a CE need only implement a mechanism for encryption; it need not actually do the encrypting, contrary to HHS’ position that entities must actually put measures they have implemented into practice) might have led OCR to enter into fewer data breach/Security Rule violation settlements, so might any number of other events in 2021 and 2022.

These include:

  1. A global pandemic
  2. The overruling of Roe vs. Wade
  3. A sudden change in OCR’s leadership (OCR has had two directors in the past year) 
  4. OCR’s issuance of, and allowing time to comply with, detailed guidance on what constitutes “recognized security practices”

OCR has not shared its enforcement priority reasoning with the public. Instead of guessing why things might have been, it is instructive to look forward – to focus on what OCR has said it will do. 

OCR has indicated that it will continue to clamp down on providers who violate the HIPAA Privacy Rule’s right-of-access provision. People who want to know if they might get in trouble for a Privacy Rule violation in 2023 need only look at the 4 impermissible disclosure cases and 17 right-of-access cases that OCR settled in 2022, or ended by imposition of a fine.

HIPAA Fines 2022 Review: Do I Have Your Permission?

The first “impermissible disclosure” case has an almost storylike quality to it. 

In 2017, Dr. David Northcutt, owner and operator of Northcutt Dental, decided to run for state senator for District 32 in Alabama under the Republican Party. On or about July 10, 2017, Dr. Northcutt provided an Excel spreadsheet to his Campaign Manager which contained the names and addresses of 3,657 patients of Northcutt Dental. 

The Campaign Manager mailed letters to these patients to announce Dr. Northcutt’s run for state senate. The letter was on the campaign’s letterhead but addressed the recipient as “Dear Valued Patient.”

On April 30, 2018, Northcutt Dental sent an email communication to its patients regarding Dr. Northcutt’s campaign. The email header showed the email as coming from “Northcutt Dental” and the email message was signed “Sincerely, Northcutt Dental.” Northcutt Dental used a third-party marketing company, Solutionreach, to send the emails. The campaign email was sent to the same patients that received the mailed letter in July 2017 plus an additional 1,727 patients, for a total of 5,385 individual recipients.

Upon investigation, OCR concluded:

  1. Northcutt Dental impermissibly disclosed the name and address of 3,658 individual patients when it shared this information with Dr. Northcutt’s Campaign Manager in 2017. See 45 C.F.R. §164.502(a). 
  2. Northcutt Dental impermissibly disclosed the name and email address of 5,385 individuals in 2018 when it shared this information with its marketing vendor for purposes outside the service arrangement in place. See 45 C.F.R. § 164.502(a).

Lesson: Patients should not be confused with voters.

In the second impermissible disclosure case, Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review.

OCR imposed a $50,000 civil monetary penalty on the practice, after the office did not contest the findings in OCR’s Notice of Proposed Determination as to the penalty.

The facts of the third impermissible disclosure case stir interest. 

In this case, OCR found that New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), improperly disposed of protected health information. To settle a potential Privacy Rule violation, NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan to resolve the investigation.

The interest: NEDLC is located in Massac