OCR steps up HIPAA enforcement, with 4 news providers facing settlements

The HHS Office for Civil Rights this past week announced the outcomes of three HIPAA investigations brought another matter before a judge, signaling a continued prioritization of patients’ rights to privacy health data access under the law.

Two of these cases are part of OCR’s HIPAA Right of Access Initiative, two are enforcement actions resulting from impermissible disclosure of patients’ protected health information. Three of them involve dental practices.

  • Jacob Associates, a psychiatric medical services provider with two office locations in California, said it would take corrective actions pay $28,000 to settle potential violations of the HIPAA Privacy Rule, according to OCR, including provisions of the right of access standard.
  • Northcutt Dental, an Alabama-based practice is alleged to have impermissibly disclosed its patients’ PHI to a campaign manager a third-party marketing company hired to help with a state senate election campaign. It as agreed to take corrective action pay $62,500 to settle potential violations of the HIPAA Privacy Rule, says OCR.
  • Dr. Donald Brockley, a solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record, OCR alleges. Brockley requested a hearing before an Administrative Law Judge; the litigation was resolved before the court made a determination by a settlement agreement in which Brockley agreed to pay $30,000 take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
  • Dr. U. Phillip Igbinadolor, DMD & Associates, a North Carolina dental practice, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review, OCR alleges. The practice also did not respond to the OCR’s data request, nor responde or objected to an administrative subpoena waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.

The two new right of access settlements bring the total number of  enforcement actions to 27 since the initiative began in 2019. Over the past three years OCR has collected more than two-dozen settlements, usually in the tens of thousands of dollars, as it promised to “vigorously enforce” the patients’ right to access their data in a timely fashion without being overcharged.

Still some patients are still forced to sue to gain access to their own healthcare data. Sometimes, the hindrances are deliberate. Oftentimes, they come from providers’ misunderstanding of what the HIPAA Privacy Law stipulates.

Click here for a podcast interview with healthcare privacy attorney Matthew Fisher, who discussed somee proposed HIPAA changes spoke in-depth about OCR’s continued emphasis on patient right of access. 

“Between the rising pace of breaches of unsecured protected health information continued cybersecurity threats impacting the healthcare industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino, in a statement announcing the new enforcements. “OCR will continue our steadfast commitment to protect individuals’ health information privacy security through enforcement, we will pursue civil money penalties for violations that are not addressed.”

Twitter: @MikeMiliardHITN
Email the writer: [email protected]

Healthcare IT News is a HIMSS publication.

Source link