HIPAA Settlements Update March/April 2022
After a few quiet months, the Office of Civil Rights (OCR) under the U.S. Department of Health and Human Services announced four HIPAA enforcement actions on March 28th, 2022. In the past 2 years, we have seen the resolved HIPAA settlements almost exclusively be due to a Right of Access Initiative violation. However, this month we have more of a variation. Two of this month’s settlements do fit the trend as they were reached following a perceived violation of the Right of Access Initiative. Meanwhile, the other two were following an unlawful disclosure of PHI and a potential administrative
All of this serves as a great reminder of the importance of meeting and remaining HIPAA compliant in all your operations - not just Right of Access. Though there was a period of relaxed enforcement due to the COVID-19 pandemic, it is likely that we will see enforcement ramp back up to its usual again soon.
If you have been putting off taking steps toward HIPAA compliance due to the pandemic, or any other reason, now is the time to make it happen. Accountable exists to guide you towards HIPAA compliance in a timely, user-friendly and organized manner. Sign up for a free trial or schedule a call with us today to learn more!
Enough about us, let’s learn more about the 4 HIPAA Settlements that the OCR reached in March 2022.
Dr. Donald Brockley, D.D.M.
A solo dental practitioner in Butler, Pennsylvania, Dr. Donald Brockley, was the first party to reach a settlement with the OCR this month. Dr. Brockley will be required to pay $30,000 and subject to corrective actions and monitoring following the office’s failure to provide a patient with a copy of their own medical record. The HHS issued Dr. Brockley with an NOPD (Notice of Proposed Determination” regarding the issue.
At this point, he responded by requesting a hearing before an Administrative Law Judge. The issue was ultimately resolved in court and Dr. Brockley has agreed to the aforementioned penalties. This settlement goes to show that the HHS and OCR remain committed to the Right of Access Initiative.
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI)
Next, is a settlement with a dental practice that has offices in both Charlotte and Monroe North Carolina, Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A.. This practice, known as UPI, was found to have disclosed PHI on a website when they were responding to a negative review that was left for them. Any use of PHI on social media by a medical practice is strictly against the regulations of HIPAA.
Following this incident, UPI did not respond to the OCR’s data request submittal, did not respond to the request for an administrative subpoena, and did not contest the findings of the OCR’s Notice of Proposed Determination, therefore waiving their rights to a hearing. The incident and their lack of response afterward have led the OCR to issue a $50,000 penalty.
Jacob and Associates
A California-based psychiatric services provider, Jacob and Associates, reached a settlement with the HHS following their failure to provide a patient with access to their information as is required by the Right to Access Initiative. This settlement follows complaints from a patient of the providers who claimed to have submitted requests for their information on July 1st every year between 2013 and 2018 without any request being completed.
This patient was finally provided with a complete copy of the requests in May 2019, almost six years since the first request. However, in order to receive that copy, the individual was required to travel to the practice, fill out the request form in person, and pay a $25 fee for her records. All of this information led to the OCR determining there had been a violation of HIPAA's Right of Access.
In the course of their investigation, the OCR found that Jacob & Associates violated the Right of Access clause by not providing timely access, charging the patient an unreasonable fee that was non-cost based, and not having the appropriate policies and procedures in place to ensure this does not happen.
It was also determined that they did not have a designated HIPAA Privacy Officer nor the proper content in their Notice of Privacy Practices. The OCR has settled a $28,000 fine and corrective action plan with Jacob & Associates.
Northcutt Dental-Fairhope, LLC (Northcutt Dental)
The fourth and final organization that reached a settlement with the OCR was Northcutt Dental-Fairhope, LLC which is a dental practice located in Fairhope, Alabama. It was determined that the practice impermissibly disclosed their patient’s PHI to a campaign manager and marketing company that was hired to help with a state senate election campaign.
This action was a strict violation of the rules and restrictions of PHI handling under HIPAA. Northcutt Dental has agreed to pay $62,500 to settle these violations of the Privacy Rule.
As always, these violations and settlements serve as a great reminder of the importance of HIPAA compliance, and the high cost of noncompliance. It is important to ensure that you are not accidentally violating HIPAA regulations. However, this month we uniquely see that violations of HIPAA that are intentional or incidents where the organization does not respond to any communication from the HHS will result in higher penalties.