A few days ago, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced four compulsory measures for the healthcare providers’ HIPAA Right of Access non-compliance, so that they have to keep up with compliance. So, on the 28th of March OCR published the outcomes of four cases connected with HIPAA Compliance violations. The Office for Civil Rights resolved three of them, and one incident led to administrational fees.
Two of these incidents are parts of OCR’s HIPAA Right of Access Initiative. One provider has got a fine because of the overpricing on getting a copy of the PHI for a patient. It is the first financial fee according to the law enforcement agencies’ initiative in 2019. It claimed that the cost of medical records copy was overstated. Because of this since the beginning of the initiative, the total number of measures of constraint reached 27.
OCR implemented this initiative to support people’s right to get their medical records in time and at a fair price according to the HIPAA Privacy Rule. Other compulsory actions are the result of the provider’s unlawful disclosure of their patient’s protected health information (PHI). So, as the director of the Office for Civil Rights (OCR) stated, it is important for healthcare organizations and providers to maintain HIPAA Compliance while the cybersecurity landscape is constantly shifting. But the OCR will also continue to maintain the privacy and security of personal information by implementing fees on covered entities (CEs) because of their unresolved incidents.
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) took the following measures described in the cases below. They aim to highlight the importance and necessity of keeping up with HIPAA rules, including the Right of Access guideline.
Practicing Dentist was Fined for the HIPAA Right of Access Non-Compliance
This is a case of Dr. Donal Brockley, doctor of medical science and practicing dentist from Butler, Pennsylvania state. He didn’t provide a copy of his patient’s medical records during the time set under the HIPAA Privacy Rule. Also, after the investigation, he didn’t provide any evidence of mitigating factors.
Thus, OCR warned Dr. Brockley about its intent to penalize him for more than 100K USD. Doctor asked for a trial at the administrative court to dispute the fine. As the result, they reached a mutual agreement of sides during the 60-day delay in proceeding with the case. Dr. Brockley agreed to pay 30K USD as a fee and accept a plan of corrective measures. This plan included the refreshment of policies and procedures to provide HIPAA Right of Access compliance.
The Dentistry from North Carolina was Fined 50 Thousand USD for HIPAA Right of Access Non-Compliance
Dr. U. Phillip Igbinadolor, the doctor of medical science and Associates, P.A. (UPI), is a practicing dentist with offices in Charlotte and Monroe, NC. He unlawfully disclosed his patient’s PHI, responding to the negative comment. The claimant used a nickname to protect their privacy and published a negative review on UPI’s Google page. UPI responded, that the complainant’s accusations were unjustified. But the provider also mentioned the patient’s symptoms and unprovided treatment.
United Payments Interface (UPI), didn’t react to the OCR data request and agenda and renounced its rights to a proceeding. It also didn’t challenge outcomes in the OCR Notice about the proposed order. OCR fined UPI 50000 USD.
Californian Healthcare Provider of Psychiatrical Services was Fined for Right of Access Non-Compliance
OCR recorded, that Jacob & Associates didn’t provide access to patients’ medical records in time, collected an unreasonable fee, and didn’t have policies and procedures concerning patients’ right to access medical records. The claimant stated that she had been requesting her medical records from 2013 until 2017, but she didn’t get them. She had to go to the practice and fill in the form to get those records. She also had to pay 25$ for copies, but she received only a single-page copy. The patient needed to make an inquiry again to get full records.
After this OCR found a lot of other violations, such as the absence of the HIPAA Privacy or Security Officers positions and so on. So, $28.000 was recovered from Jacob & Associates. The provider also agreed on the corrective measures plan.
The Dentistry Paid a Penalty for HIPAA Violation in Social Media
Northcutt Dental-Fairhope, LLC (Northcutt Dental), AL, paid $62.5K for unlawful disclosure of PHI for marketing campaign purposes. In 2017 the owner of Northcutt Dental, David Northcutt, was a candidate for the state senator for Alabama District 32. He involved the campaign manager and outsourced marketing company to send emails to more than three thousand patients to inform them about Northcutt’s balloting.
OCR came up to the conclusion, that it was the unacceptable disclosure of patients’ PHI. The U.S. Department of Health & Human Services Office for Civil Rights (OCR) also detected a range of other violations. So, Northcutt Dental had to pay 62500 USD for the Right of Access non-compliance. The practice also agreed on the corrective measures plan.
Anyway, it’s important to remember, that in case you find that your healthcare provider violates your HIPAA rights, you should file a complaint with OCR and investigate more about your rights under the Privacy Rule. Check our news portal to stay updated!
