Four OCR Enforcement Actions for HIPAA Violations
On March 28, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced four new enforcement actions against healthcare providers for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Three of the actions were against dental practices, and one was against a psychiatric medical services provider. Two of these cases are part of OCR’s HIPAA Right of Access Initiative, announced in early 2019, under which OCR promised to enforce the right of patients to receive copies of their medical records promptly and without being overcharged. The other two enforcement actions resulted from healthcare providers impermissibly disclosing their patients’ protected health information (PHI).
- Donald Brockley, D.D.M., a solo dental practitioner in Pennsylvania, failed to provide a patient with a copy of their medical record. Under a settlement agreement, Dr. Brockley agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
- U. Phillip Igbinadolor, D.M.D. & Associates, in North Carolina, impermissibly disclosed a patient’s protected health information (PHI) on a webpage in response to a negative online review. OCR imposed a $50,000 civil money penalty.
- Jacob and Associates, a psychiatric medical services provider in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.
- Northcutt Dental-Fairhope, in Fairhope, Alabama, impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign. The dental practice agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
Conduct a Security Risk Analysis
Under the HIPAA Privacy Rule, HIPAA-covered entities must ensure that they do not disclose an individual’s PHI unlawfully and that they follow the right of access requirements. To this end, OCR requires all covered entities, including dental offices, to perform a security risk analysis that assesses their vulnerabilities and the mechanisms currently in place to mitigate them. Additional controls should be implemented as needed for compliance. OCR does not specify how frequently a security risk analysis must be performed, and the frequency will vary among covered entities. Depending on the circumstances of their business, covered entities may perform the analysis annually or as needed (e.g. every two or three years).
For OSHA Review subscribers: for more information on HIPAA compliance, including patient right of access requirements, please refer to the November/December 2018 Training Document in Section X of your OSHA Review binder. A sample Notice of Privacy Policy, a HIPAA plan template form, a sample business associate contract, breach documentation, and a HIPAA security risk analysis checklist are available from OSHA Review’s website.
Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.