Three Dentists and a Psychiatrist Walk into a Bar: Four HIPAA Enforcement Actions that are No Joke

Three dentists and a psychiatrist walk into a bar . . . and they each walk out with a five-figure tab for HIPAA compliance failures.  It’s not funny, but the five-figure payment part is true and there’s a lot to be learned from their mistakes.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, announced the first HIPAA enforcement resolutions of the year yesterday (one of the resolutions was signed in December 2021, but OCR just released the details).  Two of the four centered on Right of Access issues and the other two resulted from inappropriate disclosures of patient information.

The first involved a solo dental practitioner in Pennsylvania, Dr. Donald Brockley, D.D.M.  OCR provides no details other than the dentist failed to provide a patient with a copy of their medical record.  The real story here is in the enforcement.  According to the settlement agreement, OCR sent a letter in August 2019 with “preliminary indications of noncompliance” and provided an opportunity to submit evidence of mitigating factors or defenses.  The dentist did not reply.

On November 3, 2020, OCR notified the dentist that it was imposing a civil monetary penalty (CMP) of $104,000.  Dr. Brockley requested a hearing and the parties ultimately settled for $30,000.

These facts are notable for a couple reasons.  First, this solo practitioner did not get a technical assistance letter about Right of Access compliance, which had been common for smaller providers faced with Right of Access enforcement.  Second, the six-figure size of the CMP is a signal to other providers of what to expect when you ignore OCR.

Next, a dental practice in North Carolina, Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), inappropriately responded to a patient’s negative on-line review on Google.  The responsive post from UPI is too good to paraphrase.  Here’s the post in its entirety.

“It’s so fascinating to see [patient’s full name] make unsubstantiated accusations when he only came to my practice on two occasions since October 2013. He never came for his scheduled appointments as his treatment plans submitted to his insurance company were approved.  He last came to my office on March 2014 as an emergency patient due to excruciating pain he was experiencing from the lower left quadrant.  He was given a second referral for a root canal treatment to be performed by my endodontist colleague. Is that a bad experience?  Only from someone hallucinating.  When people want to express their ignorance, you don’t have to do anything, just let them talk. He never came back for his scheduled appointment Does he deserve any rating as a patient?  Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations.  From the foregoing, it’s obvious that [patient’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [patient’s full name].  Get a life.”

This is precisely how NOT to respond to an on-line review.

But the story doesn’t end there.  According to OCR, UPI did not respond to OCR’s data request, it ignored OCR’s demand to remove the post, it did not respond to OCR’s subpoena, and it waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination.  In correspondence with OCR about a request for financial information, UPI responded “I will see you in court.”  Ultimately, OCR assessed a $50,000 civil money penalty (CMP).  There was no court date because UPI waived its right to hearing.

Rounding out the trifecta of dental providers featured in OCR’s announcement is Northcutt Dental-Fairhope, LLC, a dental practice in Alabama.  A dentist in the practice decided to run for state senate.  He provided a database of 3,657 patients to his campaign manager to send out campaign letters.  The letters started with “Dear Valued Patient.”  Later, he again used that database to send campaign related emails purporting to be from the dental practice.  Clearly, this dentist has never attended a single HIPAA training.  The practice agreed to settle the matter for $62,500 and to implement a corrective action plan.

Finally, a psychiatric provider, Jacob and Associates, made several Right of Access mistakes with the same patient.  The California-based provider ignored a patient’s written request for copies of her records made annually since 2013.  In 2018, the patient resubmitted her 2018 request via fax and requested her records be sent by email.  The provider finally responded but required her to travel to its office to complete a right of access form.  It then imposed a flat fee of $25 for the records, which was not based on reasonable costs, and initially provided an incomplete set of records.  The provider agreed to settle the matter for $28,000 and to implement a corrective action plan.

For direction on how to appropriately handle a request for records under HIPAA’s Right of Access Rule, view Episode 4 of my six-part Right of Access short video series (Episodes 5 and 6 will be released in early April).  Tips on best practices for Right of Access compliance are also in my annual report on HIPAA enforcement actions, as Right of Access continues to be the hottest area of enforcement.

Without question, the providers in this enforcement announcement are all in the running for the “Not the Brightest Bulb in the Box” award that I bestow on the most deserving covered entity or business associate at the end of each enforcement year.  But it’s early in the year.  Other viable candidates may be coming.