OCR Settles Three HIPAA Right of Access Cases With Dental Practices

September 21, 2022 - The HHS Office for Civil Rights (OCR) resolved three HIPAA right of access cases with three dental practices. The resolutions bring OCR’s total number of cases to 41 since it launched the HIPAA Right of Access Initiative in 2019.

All three cases “underscore the importance and necessity of compliance with the HIPAA Rules,” OCR stated in its announcement. In July, OCR announced that it had resolved 11 right of access cases, demonstrating its commitment to making sure that patients have access to their medical records.

“These right of access three actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” OCR Director Melanie Fontes Rainer stated.

“Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”

In addition to providing details about each resolution, OCR directed HIPAA-covered entities to its guidance on providing patients with easy and timely access to their health records.

Family Dental Care, PC

READ MORE: Senators Once Again Ask HHS to Update HIPAA, Citing Patient Privacy Concerns

Chicago-based Family Dental Care, PC (FDC) agreed to pay $30,000 and implement a corrective action plan to resolve potential HIPAA violations.

In August 2020, OCR received a complaint from a former FDC patient. The patient alleged that she requested her complete medical records from FDC in May 2020, but only received certain portions.

After OCR launched an investigation, FDC provided the patient with the missing records in October 2020.

“Thus, FDC did not provide a complete copy of the records until more than five months after the request was made,” OCR explained.

“OCR's investigation determined that FDC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.”

READ MORE: OCR Settles Improper PHI Disposal Case, Resolves Potential HIPAA Violation

Under its corrective action plan, FDC must develop and maintain written access policies and procedures that comply with HIPAA. In addition, FDC must distribute those policies to members of its workforce and provide HHS with training materials regarding patient access to medical records. Among other provisions, FDC also agreed to submit implementation reports to HHS summarizing the status of its policy and procedure implementation.

Great Expressions Dental Center of Georgia, PC

OCR’s investigation into Great Expressions Dental Center of Georgia, PC (GEDC-GA) found that the practice potentially committed a HIPAA violation by failing to provide timely access to records. As a result of the investigation, GEDC-GA agreed to pay $80,000 and implement a corrective action plan.

According to the resolution agreement, a patient filed a complaint with OCR in November 2020 stating that GEDC-GA would not provide the patient with copies of her medical records because she would not pay the practice’s $170 copying fee.

“The individual first requested her records in November 2019, but did not receive them until February 2021, over a year later,” OCR noted.

“OCR's investigation determined that GEDC-GA’s failure to provide timely access to the requested medical records, and its practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision.”

READ MORE: NIST Updates Healthcare Cybersecurity, HIPAA Security Rule Guidance

The HIPAA Privacy Rule does permit covered entities to impose a reasonable fee, but that fee must only cover the cost of labor for copying, supplies for creating the paper copy or electronic media, postage, and preparation of a summary of the PHI.

“The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law,” OCR’s guidance states.

GEDC-GA agreed to a standard corrective action plan, agreeing to maintain access policies and submit those policies to HHS for approval within 60 days.

Paradise Family Dental

B. Steven L. Hardy, DDS, LTD, doing business as Paradise Family Dental agreed to implement a corrective action plan and pay $25,000 to settle a potential HIPAA right of access provision violation.

The Las Vegas, Nevada-based practice allegedly failed to provide an individual with timely access to her and her child’s health records.

The complainant inquired about receiving her and her child’s medical records on April 11, 2020. The complainant received a response from Paradise on April 14, explaining that the office was closed. The practice offered to send the documents by email upon confirmation of the email account.

The complainant confirmed the email address and made multiple subsequent requests, the resolution agreement stated. However, Paradise then required the complainant to submit a written request.

“Complainant submitted a written request with her handwritten signature on December 4, 2020, and the Practice sent Complainant copies of her and her minor child’s PHI on December 31, 2020,” OCR stated.

OCR’s investigation indicated that the practice had not provided timely access to the patient’s medical records.

In addition to the $25,000, Paradise Family Dental agreed to a corrective action plan that included implementation reports, annual reports, and the distribution of updated policies and procedures surrounding right of access.