The Security Rule under the US Health Insurance Portability and Accountability Act (HIPAA) requires dental…
Recently, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced three separate Resolution Agreements for potential violations by healthcare providers. The first incident involved a potential violation of federal civil rights laws, while the second and third settlements consisted of HIPAA violations. The settlements are detailed below.
- May 10, 2023: The HHS-OCR announced it had entered into a Voluntary Resolution Agreement with MCR Health, Inc. to resolve a disability discrimination complaint. Allegedly, MCR Health, Inc., a Florida health center, failed to provide effective communication for a patient’s caregiver. The individual, who is deaf and hard of hearing, filed a complaint with HHS-OCR stating that MCR Health, Inc. failed to provide her with auxiliary aids and services when she requested an interpreter be present for her while she attended her husband’s post-surgical medical appointment.
For more information on managing patients or patient representatives who are hard of hearing, please refer to OSHA Review’s blog from November 14, 2022.
- May 16, 2023: The HHS-OCR announced a Resolution Agreement with MedEvolve, Inc. over potential violations of the HIPAA Rules. MedEvolve is a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered healthcare entities. The settlement concludes HHS-OCR’s investigation of a data breach in which a server containing the PHI of 230,572 individuals was left unsecured and accessible on the internet.
- June 5, 2023: The HHS-OCR announced a Resolution Agreement with Manasa Health Center, LLC, a healthcare provider in New Jersey that provides adult and child psychiatric services. The settlement resolves a complaint alleging that Manasa Health Center impermissibly disclosed a patient’s PHI when the entity posted a response to the patient’s negative online review.
Dental offices and their business associates must comply with the HIPAA Security Rule, which requires covered entities to adopt adequate means for safeguarding the confidentiality, integrity, and availability of patients’ PHI. Examples of security measures in a dental office include restricting access to computer workstations, prohibiting impermissible PHI disclosures, controlling facility access, locking up patient records, installing firewalls, using passwords and data encryption, maintaining data back-up plans, conducting a security risk analysis, and providing training.
For our OSHA Review subscribers… a HIPAA checklist to help dentists conduct a security risk assessment can be downloaded from OSHA Review’s website. For more information about HIPAA requirements, please refer to the July/August 2022 Training Document in Section X of your OSHA Review binder.
Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.