Written in collaboration with Melissa Chaplik, JD Candidate 2024
Dentists take note: HIPAA most likely applies to your practice (and it has for the last 20 years).[i] Doing things like blasting a patient in response to a negative review on-line, using patient data for a political campaign, and ignoring correspondence from regulators is bad (i.e., violates HIPAA). It will cost money and bring unwanted publicity. It could also make you a candidate for DMC Law’s annual “Not the Brightest Bulb in the Box” award.
Dentists stole most of the attention in the enforcement show this year. Eight of the 22 announced HIPAA enforcement action resolutions in 2022 featured dentists and as noted above, three of those involved shocking facts. While not as sexy because it is old news, the real star continues to be HIPAA’s Right of Access, accounting for more than 75% of all 2022 enforcement matters.
In all, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced the resolution of 22 HIPAA enforcement actions totaling $2,170,140 in settlement or penalty amounts. When compared to 2019, the last year not dominated by Right of Access matters, the total settlement and penalty amounts is down more than $10 million, but the number of resolutions has more than doubled.
The reason: Right of Access matters generate much lower settlement and penalty amounts than the six and seven-figure HIPAA Security Rule matters, of which there was only one in 2022. Notably, that settlement accounts for more than half of the total for the entire year.
Finally, 2022’s enforcement year also included more matters involving HIPAA Privacy Rule violations that should not be happening two decades after HIPAA took effect. I allude to two of those in the introduction, but there are others.
Before we dig into the 2022 matters, it is worth doing a side-by-side comparison of HIPAA enforcement efforts since 2019 (the last time Right of Access was not the star of the show).
2022 | 2021 | 2020 | 2019 | |
Announced Resolutions | 22 | 14 | 19 | 10 |
Amount collected | $2,170,140 | $5,982,150 | $13,554,900 | $12,274,000 |
Civil Money Penalties (CMPs) v. Settlements | 2 CMP; 20 settlements | 1 CMP; 13 settlements | All settlements | 2 CMPs; 8 settlements |
Most common issue | Right of Access (17) | Right of Access (12) | Right of Access (11) | Risk Analysis (6) |
Right of Access | $859,000 (17) | $857,150 (12) | $537,500 (11) | $170,000 (2) |
Risk Analysis | $875,000 (1) | $5,125,000 (2) | $10,977,400 (6) | $8,365,500 (6) |
Below we explore the 17 Right of Access matters, the sole HIPAA Security Rule resolution and the four matters resulting in the bestowing of multiple “Not the Brightest Bulb in the Box” awards.
Right of Access
The number of Right of Access matters continues to climb as do the settlement and penalty amounts. By way of background, under the HIPAA Privacy Rule, a patient has the right to access his or her own records.[ii] In 2019, OCR announced that it would prioritize claims involving individuals’ right to access their records in accordance with the HIPAA Privacy Rule. Since then, OCR has resolved a total of 42 Right of Access claims – more than any other category of HIPAA enforcement over that same period.
The Right of Access story in 2022 is much the same as in 2020 and 2021. Virtually all matters begin with a patient complaint and involve a healthcare provider’s failure to follow the Privacy Rule’s Right of Access requirements. The stories are almost always the same and include a failure to provide records, not timely providing records or charging too much for access. In keeping with the Year of the Dentist theme, dentists account for more than 30% of the Right of Access matters.
Here is a summary of the 17 Right of Access enforcement actions that OCR resolved in 2022.
Date | Entity | Amount | Facts |
3/28/2022 | Dr. Donald Brockley, D.D.M.
(PA) |
$30,000 | A dentist settled claims that it failed to provide a patient with a copy of their medical record. OCR sent a letter to the provider with preliminary indications of non-compliance to which there was no reply. After being issued a Notice of Proposed Determination with a CMP of $104,000, the parties settled for $30,000.
|
3/28/2022 | Jacob and Associates
(CA) |
$28,000 | A psychiatric medical provider settled claims that it failed to provide timely medical records requested via mail each year from 2013 to 2018. The provider eventually provided incomplete records after requiring the patient to travel to the provider’s office to complete a form and imposed a flat fee not based on reasonable costs ($25). |
7/15/2022 | ACPM Podiatry
(IL) |
$100,000 (CMP) | ACPM failed to provide a former patient’s requested medical records. Provider received written technical assistance regarding the right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records after numerous requests. ACPM did not respond to multiple data requests or notices from OCR and OCR imposed a CMP. |
7/15/2022 | Associated Retina Specialists
(NY) |
$22,500 | The provider settled claims that it failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the complainant’s first written request. |
7/15/2022 | Lawrence Bell, DDS
(MD) |
$5,000 | A dental practice settled claims that it failed to provide timely access to a patient’s medical record. |
7/15/2022 | Coastal ENT
(FL) |
$20,000 | The provider settled claims that it failed to provide timely access to medical records after multiple requests from a patient. |
7/15/2022 | Danbury Psychiatric Consultants
(MA) |
$3,500 | The provider settled claims that it failed to respond timely to a complainant’s access request and withheld the patient’s access because the patient had an outstanding balance and provider required a signed authorization. |
7/15/2022 | Erie County Medical Center
(NY) |
$50,000 | A medical center settled claims that it failed to timely provide an individual with a complete copy of his medical records. |
7/15/2022 | Fallbrook Family Health Center
(NE) |
$30,000 | The provider settled claims that it failed to provide timely access to medical records. |
7/15/2022 | Hillcrest Nursing and Rehab
(MA) |
$55,000 | The provider settled claims that it failed to provide an individual’s personal representative with timely access to her son’s medical records. |
7/15/2022 | Melrose Wakefield Healthcare
(MA) |
$55,000 | The provider settled claims that it did not provide a personal representative with timely access to medical records on the mistaken basis that their durable power of attorney document did not allow such access. |
7/15/2022 | Memorial Herman Health System
(TX) |
$240,000* | A not-for-profit health system settled claims that it failed to respond timely to a complainant’s access request. *This is the largest Right of Access settlement to date. |
7/15/2022 | Southwest Surgical Associates
(TX) |
$65,000 | A group practice settled claims that it failed to provide timely access to an individual’s records. |
9/20/2022 | Family Dental Care, PC
(IL) |
$30,000 | The dental provider settled claims that it failed to provide a former patient with timely access to her complete medical records (it allegedly did not provide a complete copy of the records until more than five months after the request). |
9/20/2022 | Great Expressions Dental Center of GA, PC
(GA) |
$80,000 | The dental provider settled claims that it would not provide an individual with copies of her medical records because she would not pay a $170 copying fee and that the individual did not receive the records until over a year later. |
9/20/2022 | B. Steven L. Hardy, DDS (Paradise Family Dental)
(NV)
|
$25,000 | The dental provider settled claims that it failed to provide a mother with copies of her and her minor child’s protected health information (PHI) after multiple requests and it did not send the records until more than eight months after the initial request. |
12/15/2022 | Health Specialists of Central Florida Inc.
(FL) |
$20,000 | The provider settled claims that it failed to provide a daughter acting as a personal representative on behalf of her deceased father with timely access to requested medical records, despite multiple requests. |
The providers above could have avoided all these enforcement actions by adhering to the relatively straightforward Right of Access rules and following best practices. We provide a basic overview of the Right of Access rules in our short video series available through this link. As for best practices, I outline them every year. Here are the highlights, which are spelled out in more detail in last year’s summary.
- Timely respond to all patient records requests and communicate with patients when there is a delay.
- Take all communications received from OCR seriously and respond when required.
- Treat personal representatives of patients appropriately.
- Be sure not to overcharge for copies of medical records (charge only a reasonable cost-based fee).
- Avoid a defensive reaction to requests to send records to legal counsel.
- Review all policies and procedures related to the Right of Access requirements and ensure that staff are trained to address requests appropriately.
HIPAA Security Rule
In typical fashion, the largest resolution amount of the year was for an alleged HIPAA Security Rule violation. Oklahoma State University reported that an unauthorized third party gained access to a web server which allowed the disclosure of 279,865 individuals’ PHI. Upon investigation, OCR found multiple potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. This matter resulted in a settlement amount of $875,000 as well as the implementation of a robust corrective action plan.
There is nothing particularly remarkable here except that it serves as a reminder that even when a covered entity is the victim of a cybercrime that compromises PHI, it must report the incident to OCR. If it decides to investigate, OCR will examine compliance across the board, and it will especially look for evidence of a compliant risk analysis. Far too many covered entities (and business associates) have not performed an adequate security risk analysis. A cyber incident will highlight that fact and likely result in a hefty settlement or penalty.
2022 Not the Brightest Bulb in the Box Award Winners
It was just too hard to choose. So here are your four winners for 2022:
- A dental practice in North Carolina inappropriately responded to a patient’s negative on-line review on Google. The full post is worth a read and can be found in an earlier article, but it’s too good not to share some of it here. After disclosing many details about the patient’s care, the dentist writes: “it’s obvious that [patient’s full name] level of intelligence is in question and he should continue with his manual work . . . Making derogatory statements will not enhance your reputation in this era [patient’s full name]. Get a life.” Not surprisingly, this dentist did not cooperate with OCR and ended up paying a $50,000 penalty.
- OCR received a complaint that New Vision Dental (NVD) continuously disclosed patients’ PHI when responding to reviews on Yelp. The PHI included full patient names and detailed information about visits and insurance that the patient did not disclose in the initial review. NVD settled the matter for $23,000 and entered a corrective action plan.
- A dentist in Northcutt Dental-Fairhope, LLC’s Alabama practice decided to run for state senate. He provided a database of 3,657 patients to his campaign manager to send out campaign letters. Later, he again used that database to send campaign-related emails purporting to be from the dental practice. The practice agreed to settle the matter for $62,500 and to implement a corrective action plan.
- New England Dermatology and Laser Center (NEDLC) improperly disposed of PHI when it threw out empty, labeled specimen containers with regular trash. On March 31, 2021, a security guard came across a specimen container in the parking lot of NEDLC. The PHI on the specimen label included patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen. This practice persisted for more than 10 years. It resulted in a $300,640 settlement and a corrective action plan.
No analysis required here. Don’t do these things. And congratulations to the award recipients and thanks for providing such good material.
Conclusion
Right of Access enforcement is not going away. The coming changes to HIPAA will involve enhancements to patients’ access rights and OCR will continue to vigorously enforce those rules. Also, for dental practices subject to HIPAA, it is time to step up your HIPAA compliance game.
Finally, while there was only one resolution involving the HIPAA Security Rule in 2022, cyber security incidents in healthcare are at an all time high. It is important to perform a risk analysis, not just to avoid enforcement, but hopefully, to avoid a cyber incident in the first place. As with last year, I’ll end with more good advice from Benjamin Franklin, “by failing to prepare, you are preparing to fail.”
[i] Generally speaking, if a dental practice accepts and processes insurance claims (private or government), it is a covered entity under HIPAA. See HHS’s covered entity decision tool for more information.
[ii] 45 CFR § 164.524.