HHS OCR announced its first enforcement actions of 2022 with four providers over HIPAA Privacy Rule violations, including two right of access failures. (Sarah Stierch/CC BY 4.0).

The Department of Health and Human Services Office for Civil Rights announced its first enforcement actions of 2022 with four separate provider officers over potential violations of The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, including right of access.

The settlements were reached with Pennsylvania-based Dr. Donald Brockley, a dental practitioner; North Carolina-based Dr. U. Phillip Igbinadolor, D.M.D. (UPI); California-based Jacob and Associates, a psychiatric medical services provider; and Alabama-based Northcutt Dental-Fairhope.

OCR Director Lisa Pino stressed that these enforcement actions are designed to hold healthcare providers accountable with HIPAA compliance.

“Between the rising pace of breaches of unsecured protected health information and continued cybersecurity threats impacting the healthcare industry, it’s critical that covered entities take their HIPAA compliance responsibilities seriously,” Pino said in a statement. 

OCR is committed to protecting health information through its enforcement of privacy and security noncompliance, including the pursuit of civil money penalties for unaddressed violations, she added.

Two of the settlements stem from potential violations of the HIPAA right of access standard. Under the OCR initiative, which aims to ensure patients are provided with timely access to their medical records, 27 providers have settled with OCR over potential right of access failures since its launch in 2018.

OCR settles with dental provider incensed by negative review

OCR imposed a $50,000 civil monetary penalty against UPI, after failing to respond to OCR’s data request and an administrative subpoena. UPI also failed to contest OCR’s findings. The settlement and findings stem from a unique 2015 incident.

A patient visited UPI in both 2013 and 2014 for dental treatment. In 2015, the patient posted a negative review of UPI on Google using a pseudonym. Several weeks later, UPI responded to the negative review, impermissibly disclosing the patient’s name and protected health information in the process.

The UPI post named the patient, accusing them of making “unsubstantiated accusations when he only came to the practice on two occasions since October 2013.” UPI went on to detail each visit and specifics into those treatments, allegedly deriding the patient and his intelligence for the review.

The post prompted a patient complaint filed with OCR, alleging UPI violated his rights under the HIPAA Privacy Rule. OCR launched its investigation the following year, notifying UPI of the audit and asking for the provider’s policies and procedures for responding to patient reviews online, PHI use and disclosures, PHI safeguards, and documentation of HIPAA training.

UPI acknowledged that it responded to the patient’s negative review and sent its Notice of Privacy Practices to OCR, but failed to provide OCR with its training documentation, policies or procedures.

OCR informed UPI its online response to the review “constituted an impermissible disclosure of PHI, and UPI should promptly remove its response.” UPI was also notified that “it should, if it did not currently have such, develop policies and procedures related to the disclosures of PHI and more specifically with regard to disclosures of PHI on social media.”

What followed was a yearlong struggle between UPI and the regulator, including OCR requests for copies of policies and procedures for social media use around disclosures of PHI and whether UPI removed the response to the negative review.

UPI did send acknowledgement of training, but it didn’t contain any documents about the contents of the training. The dentist also didn’t remove the PHI from the Google page: “the response remains public as of the date of this notice.” The provider still hasn’t sent its social media policies and procedures to OCR.

OCR stressed that the response to the patient’s negative review violated the HIPAA Privacy Rule and attempted to obtain financial documents from UPI to adequately determine the amount for the civil monetary penalty, a consideration for these rulings.

But the provider refused to cooperate noting “it will not provide the requested documents because they ‘do not relate to HIPAA.’” OCR repeatedly explained the purpose of the requests, prompting further refusals to cooperated and the statement: “I will see you in court.”

OCR subpoenaed UPI in November 2017, requesting the necessary documents. But UPI has still not responded to or objected to the subpoena.

HIPAA requires “a covered entity must cooperate with OCR, if OCR undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity to determine whether it is complying with the applicable HIPAA provisions.”

“UPI failed to cooperate with OCR’s investigation to determine whether UPI is complying with the applicable HIPAA provisions, specifically with regard to its HIPAA policies, procedures, and practices,” according to the enforcement action.

OCR obtained the authorization of the Attorney General prior to issuing the enforcement, based on “findings of fact” that UPI is liable for violating HIPAA. Despite its assertions, UPI did not contest the findings within the 90 day grace period, finalizing the OCR enforcement.

Thus, UPI has no right to an appeal. If OCR doesn’t receive payment from UPI, “the amount of the penalty may be deducted from any sum then or later owing by the United States or by a state agency, and a civil action may be brought in the U.S. District Court to recover the amount of the penalty.”

Right of Access violations

Brockley settled with OCR for $30,000 and an agreement to enter into a corrective action plan, after an audit into a patient complaint of noncompliance with the HIPAA right of access rule in 2019 revealed that the dental provider failed to provide a patient with a copy of their medical record. 

In 2020, HHS informed Brockley that it would impose a civil money penalty of $104,000 over the access failure. In response, the dentist requested a hearing before an administrative law judge to contest the penalty in January 2020. More than a year later, a joint motion stay of proceedings halted pending deadlines and allowed HHS and Brockley to “resolve their dispute.”

The agreed upon resolution reduced the monetary penalty by $70,000 and resulted in a detailed corrective action plan.

Under the agreement, Brockley must implement and distribute HIPAA policies and procedures detailing right of access requirements and train all relevant workforce members on the rules. HHS must be provided with copies of all training materials. The patient behind the initial audit must also be given her entire designated record set. 

The second right of access settlement is with Jacob and Associates, which will pay OCR $28,000 to settle potential violations of the HIPAA standard.

The settlement stems from a November 2018 patient complaint that claimed over the course of five years, she “mailed letters in a stamped envelope addressed to Jacob & Associates requesting access to a copy of her medical records and, by the date of her complaint, had not received any response or records as requested.”

The most recent request was submitted on July 1, 2018, and the patient did not receive a response, prompting an HHS investigation. The patient resubmitted her request via fax and received a complete copy of her medical records on May 16, 2019, “by electronic mail, as requested.”

However, the investigation showed the records were only sent “after requiring her to travel to its office to complete its form to exercise her right to access, imposing a flat fee that was not cost-based ($25 per medical records request), and initially providing an incomplete (one page) paper copy of the records.”

The investigation also revealed the provider did not have a designated privacy official in place, as required by HIPAA. HHS also discovered the dental provider’s notice of privacy practices lacked content required by the privacy regulation.

In short, HHS found the provider failed to provide timely access in the manner and requested format, imposed an unreasonable fee, and failed to implement right of access policies and procedures.

The settlement should serve as a reminder that when OCR launches an audit after a patient complaint a provider may be found liable of other HIPAA issues, even if the violation is not tied to the initial complaint, as it all falls under compliance with the HIPAA Privacy and Security rules.

Final settlement stems from impermissible disclosure

Northcutt Dental-Fairhope has agreed to pay OCR $62,500 and to take corrective action to settle possible violations of the HIPAA Privacy Rule.

The settlement stems from a 2017 incident that occurred when the owner of the practice, Dr. David Northcutt, launched a state senator campaign in Alabama. Partnering with a campaign manager, Northcutt provided them with an Excel spreadsheet that contained the names and addresses of 3,657 of his patients.

The campaign manager took the information and mailed the patients letters about the dentist’s state senate run. The OCR resolution agreement noted that “the letter was on the campaign’s letterhead, but addressed the recipient as ‘Dear Valued Patient.’”

A follow-up email was sent to the same patients by the campaign manager. Northcutt used a third-party marketing company to send the emails to the previous group of patients, as well as an additional 1,727 patients, for a total of 5,385 individuals. 

OCR’s investigation into the incident concluded that Northcutt Dental impermissibly disclosed the contact information of 3,658 patients, by sharing their data with the campaign manager, and again impermissibly disclosed the information of 5,385 individuals, by sharing it with the “marketing vendor for purposes outside the service arrangement in place.”

The investigation also revealed that Northcutt Dental did not designate an official privacy official until November 2017, nor did it implement policies and procedures to comply the requirements of the HIPAA Privacy and Breach Notification Rules until January 2018.

Along with the penalty, Northcutt Dental is required to adhere to the requirements outlined by OCR in its corrective action plan. The provider must revise its written HIPAA policies and procedures to ensure compliance and provide them to HHS. The provisions must detail PHI uses and disclosures, training measures, and administrative safeguards, among other items.