On March 28, 2022, Health and Human Services, Office for Civil Rights (OCR) announced the resolution of four enforcement actions, three resolved in 2021 and one resolved in 2022. There are some interesting aspects of this group of covered entities. Three of the actions pertained to dental practices. One of those dental practices took the rare approach of never responding to OCR’s data request, never acknowledging or responding to OCR’s administrative subpoena, and then did not contest OCR’s findings in the Notice of Proposed Determination. Another dental practice used its patient list to fundraise for an unsuccessful state senate campaign.

Less unusual, however, are the HIPAA Privacy Rule violations that the settlements focus on, which underscore the continued importance of (and OCR’s attention to) the following practices:

  • Timely responding to and fulfilling patients’ access requests, and charging appropriate cost-based fees only.
  • Ensuring employee training and HIPAA policies and procedures are implemented and well documented.
  • Naming a privacy official within the covered entity’s workforce.

Impermissible Disclosures

For the first dental practice matter, the facts stated in OCR’s October 2020 Notice of Proposed Determination are unusually colorful. Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI) is a solo dental practice with two offices in North Carolina. After being seen by UPI in 2013 and 2014, a patient, using a pseudonym, posted a negative review on UPI’s Google business page. UPI replied to the negative review using the patient’s full name, providing details of the patient’s medical complaints and treatment history, and questioning the patient’s intelligence. Two weeks later, in November 2015, the patient filed a complaint with OCR. OCR notified UPI of its investigation and issued a data request in 2016.

The data request asked for copies of UPI’s policies and procedures on responding to patient reviews on online platforms, its general policies and procedures around uses and disclosures of protected health information (PHI) and the safeguarding of PHI, and documentation of HIPAA training. UPI responded five days later acknowledging that it posted the negative review and providing OCR with its Notice of Privacy Practices, but did not provide any of the other requested documentation. Despite further requests from OCR to do so, UPI did not remove the response to the negative review from Google and provided only summary records of training, without details of content.

In September 2017, OCR requested that UPI provide its financial statements so OCR could determine UPI’s ability to comply with the imposition of a Civil Monetary Penalty (CMP). UPI responded the next day, stating it would not provide financial documents because they “do not relate to HIPAA.” OCR responded, providing the relevance for the request, to which UPI answered, “I’ll see you in court.” Thereafter, OCR served UPI with an administrative subpoena. UPI did not respond. OCR mailed a Letter of Opportunity to UPI in 2019, to which, again, UPI did not respond. The October 2020 Notice of Proposed Determination to impose a CMP followed.

OCR determined that the Google post (and the refusal to remove the posting despite being told it was a violation) constituted one violation and “that the appropriate penalty tier for this violation is willful neglect not corrected.” The total CMP finally assessed on June 1, 2021, was $50,000.

In another unusual case, David Northcutt of Northcutt Dental-Fairhope LLC (Northcutt Dental) leveraged his patient list to advertise his campaign for an Alabama state senate seat. It is not clear what prompted OCR to investigate, but its investigation was fruitful. OCR discovered that in July 2017, “Dr. Northcutt provided an [E]xcel spreadsheet to [his] Campaign Manager which contained the names and addresses of 3,657 patients of Northcutt Dental.” The campaign manager sent letters to these patients announcing Dr. Northcutt’s run for state senate on campaign letterhead.

Then, in or around April 2018, a new patient list was provided to a third-party marketing firm to use in sending campaign-related emails. This new list contained information for the same patients who received the July 2017 letter plus an additional 1,727 patients. OCR determined that the disclosures to the campaign manager and to the marketing firm were each impermissible disclosures. In addition, OCR identified that Northcutt Dental had failed to designate a privacy official and did not maintain policies and procedures related to the Privacy or Breach Notification Rules as required by HIPAA. For these violations, OCR and Northcutt Dental agreed to a resolution amount of $62,500.

Right of Access Enforcement Actions

Right of access continues to be a major focus for OCR, as the number of enforcement actions related to right of access issues rises to 27 with the newly announced cases.

In one of these settlements, OCR initially sought $104,000 from a solo dentist practice, the Office of Donald Brockley, D.M.D. (Dr. Brockley). The matter stemmed from a compliance review that appears to have been initiated in 2019 as a result of Dr. Brockley failing to respond to a patient's record request. A CMP was issued in November 2020, and in January 2021 Dr. Brockley requested a hearing before an administrative law judge (ALJ). In early October 2021, OCR and Dr. Brockley filed a joint motion to stay the ALJ proceedings to provide time for the parties to resolve their dispute. It appears the negotiations worked, as the amount was reduced to a $30,000 settlement with Dr. Brockley, finalized on Dec. 8, 2021.

Along with payment of the resolution amount, Dr. Brockley also agreed to (1) implement and distribute HIPAA policies and procedures to all workforce members; (2) provide an attestation of distribution to OCR; (3) conduct training on the policies and procedures; and (4) provide OCR with documentation of the training provided to employees, including content, provider of training, dates of training, length of training and topics covered.

In the other Right of Access settlement, Jacob & Associates, a psychiatric medical services provider with two office locations in California, agreed to pay a settlement amount of $28,000. The investigation began as a result of a complaint made to OCR in 2018. Unlike Dr. Brockley, Jacob & Associates provided access to the requested records (11 pages), but it did so in ways that were problematic and burdened the patient:

  • Jacob & Associates required the patient to travel to its office to fill out the access request form.
  • The office imposed a flat fee that was not cost-based ($25 per medical record request).
  • The office took nearly a year to fulfill the request.

Adding to Jacob & Associates' problems, during the course of the investigation OCR determined that the practice had not designated a privacy official and that its Notice of Privacy Practices lacked required content. Jacob & Associates entered into a corrective action plan (CAP) that requires it to implement and distribute policies and procedures and to train staff, providing proof of doing so to OCR. As part of the CAP, Jacob & Associates must also appoint a privacy official and amend its Notice of Privacy Practices to address right of access procedures.