The Office for Civil Rights of the Department of Health and Human Services announced its first HIPAA violation cases of 2022 against four separate provider officers for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, including the right of access to protected health information.
In addition to Dr. Donald Brockley, a dental practitioner in Pennsylvania, HIPAA violation fines were seen in settlements reached with North Carolina-based Dr. U Phillip Igbinadolor, D.M,D, (UPI); California-based Jacob and Associates, a provider of mental health services; and Alabama-based Northcutt Dental-Fairhope, a dental practice in Fairhope and the surrounding area.
In a statement, OCR Director Lisa Pino stated that the purpose of these enforcement proceedings is to hold healthcare providers accountable for their HIPAA compliance. According to Pino, "Given the increasing frequency of data breaches of unprotected protected health information and the ongoing cybersecurity dangers affecting the healthcare industry, it is imperative that HIPAA covered entities take their HIPAA compliance responsibilities seriously." she added. The Office of Civil Rights is dedicated to preserving health information through its enforcement of privacy and security infractions, which includes the prosecution of civil money penalties for violations that go undetected.
Two of the settlements are related to alleged violations of the HIPAA right of access standard, according to the agreements.
Since the introduction of the OCR program in 2018, which aims to guarantee that patients have timely access to their medical information, 27 providers have faced HIPAA penalties and reached a settlement with the agency over potential right of access failures, according to the organization.
The Office of Consumer Rights has reached a settlement with a dental professional who was enraged by a poor review. The Office of Civil Rights (OCR) fined UPI $50,000 in civil monetary penalties after the company failed to respond to an OCR data request and an administrative subpoena. UPI likewise neglected to raise any objections to OCR's conclusions. The settlement and findings are the result of an unusual incident that occurred in 2015.
During the years 2013 and 2014, a patient came to UPI for dental treatment. In 2015, the patient used a pseudonym to publish a bad review of UPI on Google, which was later removed. UPI responded to the unfavorable review many weeks later, in the process releasing the patient's name and protected health information, which was a data breach and against the law at the time.
The patient was identified in the UPI post, who accused them of making "unsubstantiated claims" against him because he had only visited the practice on two occasions since October 2013. UPI went on to describe each appointment as well as the nature of those treatments, allegedly disparaging the patient and his IQ in preparation for the investigation.
A patient complaint was filed with the Office of Civil Rights, stating that UPI had violated his rights under the HIPAA Privacy Rule. UPI was notified by OCR of the audit, and the agency requested information about the provider's policies and processes for responding to patient reviews online, PHI use and disclosures, PHI safeguards, and proof of HIPAA training. The inquiry was begun the next year.
However, while UPI admitted that it replied to the patient's negative review and provided its Notice of Privacy Practices to the Office of Civil Rights (OCR), it failed to furnish the agency with any training documents, rules, or procedures.
After reviewing UPI's online response to the review, OCR determined that it "constituted an unlawful disclosure of PHI," and that UPI should "immediately remove" its response. UPI was also advised that "it should, if it did not already have such rules and procedures, adopt policies and procedures connected to the disclosure of protected health information, and more specifically with regard to the sharing of protected health information on social media."
What followed was a year-long battle between UPI and the regulator, which included OCR requests for copies of UPI's policies and procedures for social media use in connection with the disclosure of protected health information (PHI) and whether UPI had removed its response to the negative review from its website.
Despite the fact that UPI sent an acknowledgement of training, it did not include any materials describing the substance of the training session. "The response remains public as of the date of this warning," the dentist said of his failure to remove the PHI from his Google profile page. The provider has not yet submitted its social media rules and procedures to the Office of Consumer Rights.
The Office of Civil Rights (OCR) stated that the reaction to the patient's negative review was in violation of the HIPAA Privacy Rule and attempted to get financial data from UPI in order to adequately establish the amount of the civil monetary penalty, which was a factor in these decisions.
However, the provider declined to participate, stating that "the requested records will not be provided since they 'do not relate to HIPAA.'" This stance is alarming given the increasing number of hipaa violation cases we're seeing. The Office of Civil Rights (OCR), responsible for overseeing hipaa penalties and ensuring hipaa covered entities are compliant, again clarified the objective of the requests, leading to further refusals to participate and the statement: "I will see you in court."
In light of the rising number of hipaa violations and the subsequent hipaa fines, the OCR's diligence is unsurprising. UPI was served with a subpoena by the Office of Civil Rights in November 2017, requesting the pertinent records. One might wonder if such staunch non-compliance could lead to a hefty hipaa violation fine.
According to HIPAA, "A covered entity must cooperate with OCR if OCR conducts an investigation or compliance review." This emphasizes the importance of understanding HIPAA regulations for all health plans and entities that fall under hipaa regulated guidelines.
The enforcement action highlighted UPI's alleged non-cooperation. This case is just one of the many violation cases that underscore the importance of adherence to HIPAA's mandates regarding policies, procedures, and practices.
Fast forward to another situation, Brockley Dental faced severe penalties stemming from common hipaa violations. They settled with the Office of Civil Rights for $30,000 and entered into a corrective action plan after an audit into a patient's complaint revealed non-compliance. In 2020, the Department of Health and Human Services (HHS), which oversees these penalties for hipaa violations, issued a potential hipaa violation fine of $104,000 due to the access failure. However, after extensive deliberation, the penalty saw a significant reduction.
The agreement necessitated Brockley to implement and disseminate comprehensive HIPAA policies and procedures, ensuring they understand and respect the right of access requirements. Moreover, all employees were to be trained, a crucial step in minimizing future hipaa violations.
Another case in the spotlight involved Jacob and Associates, which had its share of data breach issues. After failing to respond to a patient's repeated requests for access to her medical records, they were required to pay $28,000 to the Office of Civil Rights. Such instances serve as a stark reminder of the consequences of not adhering to the HIPAA privacy and security standard.
Further, the study found that the provider lacked a designated privacy officer, a critical role in ensuring compliance with HIPAA regulations. The absence of such an official can lead to increased chances of data breaches.
In a separate case, Northcutt Dental-Fairhope found themselves embroiled in a scandal for suspected violations of the HIPAA Privacy Rule. This instance was particularly alarming because it appeared that the provider used the data for personal gain. Dr. Northcutt's decision to share patient information with his campaign manager raised eyebrows and led to hefty fines.
To conclude, these highlighted cases emphasize the significance of HIPAA regulations and the potential ramifications for hipaa covered entities that don't adhere. Any misstep, whether intentional or accidental, can lead to severe penalties. Moreover, any investigation by the OCR, even if initiated for a minor complaint, can unearth a plethora of other HIPAA-related discrepancies.
