Has the Bear Awakened From Its Hibernation? OCR Announces Four HIPAA Enforcement Actions
On March 28, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) reported four new Health Insurance Portability and Accountability Act (HIPAA) enforcement actions. After a multi-month hiatus in actions, OCR Director Lisa J. Pino announced the enforcement actions and offered a stark warning to covered entities: OCR will continue its steadfast commitment to protect individuals’ health information privacy and security through enforcement, and OCR will pursue civil money penalties for violations that remain unaddressed. Notably, OCR brought three of its four recent actions against dental practices.
In North Carolina, OCR imposed a rare penalty of $50,000 on a dental practice for impermissibly disclosing a patient’s personal health information while responding to a negative online review. According to OCR, the practice divulged the patient’s full name and treatment details, ending the post with the comment, “get a life.” OCR initiated its enforcement action in response to the patient’s complaint.
In Alabama, a dental practice paid $62,000 for purportedly divulging patient information during the practice owner’s public office election campaign. In 2017, the dentist allegedly gave a spreadsheet containing 3,657 patient names to his campaign manager. Again, in 2018, the dentist provided his third-party marketing company with another 1,727 patient names, ultimately revealing names of over 5,000 of the practice’s patients.
In Pennsylvania, a solo practitioner agreed to pay $30,000 and remedy his alleged missteps in failing to provide a patient with her requested medical records. In California, a psychiatric provider agreed to pay $28,000 for potential HIPAA violations, including the alleged failure to honor the right to access health information. The investigation revealed that, from 2013 to 2018, the provider ignored numerous requests by a patient for her medical records. Once again, the enforcement action was triggered when the patient complained.
Two of these cases expressly fall under OCR’s “Right of Access Initiative” created to support individuals’ right to timely receive copies of their health records at a reasonable cost. OCR has enforced 27 actions since the initiative began in 2019.
Aside from resurfacing OCR’s commitment to the Right of Access Initiative, there are two key takeaways from these enforcement actions: no covered entity is immune from OCR enforcement for violating HIPAA privacy rules, and OCR does pay attention to the complaints it receives. To avoid such actions, covered entities and business associates should exercise diligent HIPAA compliance, particularly where patients’ rights to access health information are involved.