SHARE

FEATURED STORY March 31, 2022

HHS Announces Four HIPAA Compliance Enforcement Actions With Health Care Providers

You've Reached Your
Free Article Limit This Month
Subscribe now to get unlimited access to all Law.com OnPractice content. Your subscription is free.
Subscribe Now

On March 28, 2022, the United States Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") announced the resolution of three investigations and one matter before an Administrative Law Judge related to compliance with the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule.  ​

What You Need to Know:

  • Each of these actions involved small health care practices or sole practitioners.  
  • Health care providers of every size (not just hospitals and health systems!) and their business associates should see these enforcement actions as a reminder of the importance of complying with HIPAA.  

    Two of the matters relate to OCR's HIPAA Right of Access Initiative (the "Initiative"). The Initiative supports individuals' right to easily and timely access their health records at a reasonable cost under the HIPAA Privacy Rule. Including these two matters, there have been 27 OCR enforcement actions through the Initiative. The two additional enforcement actions announced involved health care providers accused of improperly sharing patient information with third parties. Each of these actions is summarized below.
     
    Dr. Donald Brockley, D.D.M.
    Dr. Brockley is a solo dentist in Butler, Pennsylvania. Dr. Brockley failed to provide a patient with a copy of their medical record and HHS notified Dr. Brockley that it was imposing a $104,000 civil money penalty. Dr. Brockley requested a hearing before an Administrative Law Judge and the dispute was resolved by a settlement agreement in which Dr. Brockley agreed to pay $30,000 and institute corrective actions, including ensuring policies and procedures and training were provided to all workforce members, and otherwise to comply with the HIPAA right of access standard.  
     
    Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI)
    UPI is a North Carolina dental practice. UPI impermissibly disclosed a patient's name and protected health information as part of a lengthy reply on UPI's Google review page in response to a negative online review. UPI ended its online post by suggesting that this patient "Get a life." UPI did not respond to OCR's data request or to a subsequent administrative subpoena. UPI waived its rights to a hearing by not contesting the findings in OCR's Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.    
     
    Jacob & Associates
    Jacob & Associates is a sole proprietor psychiatric services provider in California. A complainant alleged that on July 1 of each year from 2013 to 2018, she mailed letters addressed to Jacob and Associates requesting access to a copy of her medical records. As of November 23, 2018, she had not received any response or the requested records. Jacob & Associates agreed to pay $28,000 and enter into a corrective action plan which includes a requirement to create HIPAA privacy rule policies and provide training for its workforce.
     
    Northcutt Dental-Fairhope, LLC (Northcutt Dental)
    Northcutt Dental is a dental practice in Fairhope, Alabama. Dr. Northcutt, the owner and operator of Northcutt Dental, ran for the Alabama state senate. Dr. Northcutt provided an excel spreadsheet to his campaign manager which contained the names and addresses of 3,657 Northcutt Dental patients. The campaign manager used this information to mail letters to the patients announcing Dr. Northcutt's state senate campaign. Northcutt Dental also used a third-party marketing company to send emails to his practice's patients regarding Dr. Northcutt's senate race.  
     
    OCR investigated and found Northcutt Dental impermissibly disclosed its patients' protected health information to the campaign manager and third-party marketing company. Northcutt Dental agreed to enter into a corrective action plan which required the practice to (i) revise its HIPAA policies, (ii) distribute those policies to workforce members, (iii) provide training to members of the practice's HIPAA workforce, and (iv) pay $62,500 to resolve the allegations. Dr. Northcutt lost in his party's primary run-off.   
     
    Health care providers - note each of these actions involved relatively small private practices and several sole practitioners - and their business associates should see these enforcement actions as a reminder of the importance of complying with HIPAA. "Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously," OCR Director Lisa J. Pino said in a statement. 

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Saul Ewing Arnstein & Lehr

Top 20 Negotiation Tips: #14 and #15

By Steven N. Malitz Saul Ewing Arnstein & Lehr May 09 , 2022

In this episode of “The Entrepreneur Advisor,” Steven Malitz continues his Top 20 Countdown of the best negotiation tips for businesses.

The Friday Five: Five Current ERISA Litigation Highlights - May 2022

By Amy S. Kline Saul Ewing Arnstein & Lehr May 06 , 2022

This month’s Friday Five covers cases relating to a claimant’s second chance when a lawyer misses a court deadline, whether certain voluntary benefits fall within a broader ERISA plan, a court deciding that an insurer was “probably not wrong,” judicial reconsideration to mold the time period for benefits awarded, and an insurer’s duty to consider particular hazards of a claimant’s occupation.

OIG Permits FQHC to Loan Smartphones to Patients to Receive Telehealth Services

By Samantha R. Gross Saul Ewing Arnstein & Lehr May 06 , 2022

On April 28, 2022, the Office of Inspector General (“OIG”) published Advisory Opinion 22-08 in which the OIG declined to impose sanctions against a federally qualified health center (“Requestor”).

More From Health Care

Fifth Circuit Decision Could Undermine Constitutionality of HHS Civil Money Penalty Laws

By Robert P. Charrow Greenberg Traurig May 20 , 2022

On May 18, 2022, the U.S. Court of Appeals for the Fifth Circuit issued its decision in Jarkesy v. Securities and Exchange Comm’n, in which it examined the constitutionality of an agency civil money penalty enforcement proceeding.

OIG Permits FQHC to Loan Smartphones to Patients to Receive Telehealth Services

By Samantha R. Gross Saul Ewing Arnstein & Lehr May 06 , 2022

On April 28, 2022, the Office of Inspector General (“OIG”) published Advisory Opinion 22-08 in which the OIG declined to impose sanctions against a federally qualified health center (“Requestor”).

Using The New Group Health Plan Fee Disclosure Rules To Reduce Plan Costs

By Deborah L. Grace Dickinson Wright PLLC May 02 , 2022

Like a 401(k) plan, a group health plan must comply with ERISA’s rule that prohibits a plan fiduciary from paying more than a reasonable amount for services provided to the plan. When a group health plan offers insured benefits, service providers may receive a commission from the insurance company instead of direct payment from the plan sponsor or group health plan. Such a financial arrangement makes it difficult for the plan fiduciary to know what it has paid for the advisor’s services.

Featured Stories
Closeclose
Search
Menu

Working...