OCR Announces Four HIPAA Enforcement Actions

OCR announced four HIPAA enforcement actions, two of which stemmed from OCR’s HIPAA Right of Access Initiative.

By Jill McKeon

The HHS Office for Civil Rights (OCR) announced four HIPAA enforcement actions to hold healthcare providers accountable for potential HIPAA violations. Two of the actions stemmed from OCR’s HIPAA Right of Access Initiative, bringing the total number of enforcement actions to 27 since the initiative began in 2019.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” Lisa J. Pino, OCR’s director, stated in the announcement.

“OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

PA Doctor Agrees to Pay $30K to Settle HIPAA Right of Access Allegations

Donald Brockley, DDM, agreed to pay $30,000 and take corrective actions to resolve allegations of a HIPAA Right of Access failure. The solo dental practitioner, based in Butler, Pennsylvania, allegedly failed to provide a patient with a copy of their medical record.

HHS first notified Brockley of preliminary indications of noncompliance in August 2019, the settlement stated. In November 2020, HHS imposed a $104,000 civil monetary penalty against Brockley.

But in January 2021, Brockley requested a hearing before an Administrative Law Judge to challenge the penalty. The hearing resulted in a lower civil monetary penalty amount but still required Brockley to implement new training practices.

“On or before December 9, 2021, Dr. Brockley agrees to implement and distribute its HIPAA policies and procedures, including the Privacy Rule’s requirements concerning an individual’s right of access to Protected Health Information (“PHI”), to all members of its workforce, train each workforce member on such policies and procedures, and provide the Complainant with her entire designated record set,” the settlement stated.

Brockley also agreed to provide HHS with copies of all training materials and proof that the complainant’s records were delivered successfully.

NC Dentist Discloses PHI on Webpage After Negative Review, Faces $50K Penalty

OCR imposed a $50,000 civil penalty on U. Phillip Igbinadolor, DMD & Associates, P.A. (UPI) after the dental practice impermissibly exposed a patient’s PHI on a webpage in response to the patient’s negative online review written in 2015.

The North Carolina dental practice did not respond to OCR’s initial data request or administrative subpoena, and subsequently waived its rights to a hearing by not contesting OCR’s findings in its Notice of Proposed Determination.

The Notice of Proposed Determination stated that the issue stemmed from a 2015 complaint on Google reviews. The complainant, who used a pseudonym in their review, visited UPI’s office twice from 2013 to 2014.

In 2015, UPI responded to the negative review on Google. UPI wrote:

It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved. He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant. He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience? Only from someone hallucinating. When people want to express their ignorance, you don't have to do anything, just let them talk. He never came back for his scheduled appointment. Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it's obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.

After the complainant brought the incident to OCR’s attention in 2015, OCR made numerous requests for data and supporting documents. To date, UPI has not responded to OCR’s administrative subpoena requesting that UPI provide its policies and procedures relating to the HIPAA Privacy Rule. In June 2021, OCR issued its notice of final determination and imposed a $50,000 penalty and corrective action plan.

Psychiatric Provider Pays $28K to Settle Alleged HIPAA Right of Access Violations

California-based psychiatric provider Jacob & Associates agreed to pay a $28,000 penalty and take corrective actions to settle alleged violations of the HIPAA Privacy Rule.

OCR received a complaint in November 2018 alleging that Jacob & Associates had failed to provide medical records to a patient who requested them each year from 2013 to 2018. The complainant said that she had mailed letters to Jacob & Associates on July 1 of each year requesting a copy of her medical records and never received a response.

In 2019, Jacob & Associates finally provided the complainant with a copy of her medical records, only after the complainant traveled to the office and paid a fee for the records. OCR later found that Jacob & Associates had not designated a privacy official, and its privacy practices lacked HIPAA-required content.

Jacob & Associates did not admit to the violations but agreed to pay HHS $28,000 and implement a corrective action plan.

AL Dental Practice Allegedly Disclosed PHI to Third-Party Marketing Company

OCR issued a $62,500 penalty to Northcutt Dental-Fairhope, LLC to settle alleged violations of the HIPAA Privacy Rule.

In 2017, David Northcutt, owner of Alabama-based Northcutt Dental, intended to run for state senator for District 32 in Alabama. Northcutt allegedly gave an Excel spreadsheet to his campaign manager containing the names and addresses of 3,657 patients.

The campaign manager allegedly mailed letters to the patients announcing Northcutt’s run for senate. In 2018, Northcutt allegedly engaged a third-party marketing company, Solutionreach, to send emails to 5,385 patients for the same purpose.

OCR’s investigation alleged that Northcutt violated HIPAA by disclosing names and addresses to a third-party entity that was not covered by HIPAA.

Although Northcutt Dental did not admit any wrongdoing, the practice agreed to pay $62,500 to resolve the allegations. Northcutt Dental also agreed to a corrective action plan to ensure future HIPAA compliance.