HHS OCR Issues 4 HIPAA Enforcement Actions
Includes Settlement With Dentist Who Disclosed Patient PHI for Political Campaign
Federal regulators have slapped four small covered entities with HIPAA enforcement actions, including two settlements involving right of access disputes and one civil monetary penalty in an impermissible protected health information disclosure incident. The most egregious case, however, involves an Alabama dental practice that allegedly disclosed patient PHI to third parties for use in the owner's unsuccessful campaign for state Senate.
The Department of Health and Human Services' Office for Civil Rights in a statement Monday said the enforcement actions include three settlements ranging from $28,000 to $62,500 and one $50,000 civil monetary penalty.
The recent enforcement actions underscore the importance of compliance with the HIPAA privacy and security rules, including the right of patients to access their health information, OCR says.
"Between the rising pace of breaches of unsecured PHI and continued cybersecurity threats impacting the healthcare industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously," Lisa Pino, director of OCR, says in the statement.
"OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed."
Campaign Case
The largest HHS OCR settlement announced this week was reached with Northcutt Dental-Fairhope LLC, a dental practice in Fairhope, Alabama. OCR says Northcutt Dental impermissibly disclosed its patients' PHI to a campaign manager and a third-party marketing company hired to help the practice's owner and operator, dentist David Northcutt, with his state Senate election campaign.
The resolution agreement in the case says that in 2017, Northcutt decided to run for state senator for District 32 in Alabama under the Republican Party and engaged a campaign manager for assistance in his political endeavor.
OCR says that in July 2017, Northcutt provided to his campaign manager an Excel spreadsheet containing the names and addresses of 3,657 patients of Northcutt Dental.
"The campaign manager mailed letters to these patients to announce Dr. Northcutt's run for state Senate. The letter was on the campaign's letterhead but addressed the recipient as, 'Dear Valued Patient,'" OCR says.
Then, in April 2018, Northcutt Dental sent an email communication to its patients regarding Northcutt's state Senate campaign. "The email header showed the email as coming from 'Northcutt Dental' and the email message was signed 'Sincerely, Northcutt Dental,'" OCR says.
Northcutt Dental used a third-party marketing company to send the emails. The campaign email was sent to the same patients that received the mailed letter in July 2017, plus an additional 1,727 patients, for a total of 5,385 individual recipients, OCR says.
OCR's investigation into the matter determined that the instances of sharing of patients' names, addresses and email addresses with the two campaign-related third parties amounted to impermissible disclosure under HIPAA.
OCR's investigation also found Northcutt Dental did not designate a privacy official until November 2017 and did not implement policies and procedures to comply with the requirements of the HIPAA privacy and breach notification rules until January 2018.
Besides the $62,500 financial settlement, Northcutt Dental also agreed to a corrective action plan that calls for the practice to review and revise its written policies and procedures to comply with the HIPAA privacy, security and breach notification rules, adopt those policies and procedures after they are approved by OCR, distribute the approved policies and procedures to its workforce, and provide staff with related training.
Northcutt Dental did not immediately respond to Information Security Media Group's request for comment on its settlement with OCR.
Right of Access Settlements
OCR's other two recent settlements involve patient HIPAA right of access disputes.
The larger OCR settlement - for $30,000 - was signed with Donald Brockley, a solo dental practitioner in Butler, Pennsylvania, who OCR says failed to provide a patient with a copy of the individual's medical record.
OCR says that in November 2020, it notified Brockley that the agency was levying a $104,000 civil monetary penalty against his practice for failure to comply with the right of access provision, following an OCR investigation into noncompliance complaints.
OCR said that prior to levying the penalty, it also provided Brockley an opportunity to submit evidence to support a waiver of a potential penalty, but he did not respond to OCR's letter.
Brockley in January 2021 requested a hearing about the case before an HHS administrative law judge. OCR says the litigation was resolved before the court made a determination, with Brockley agreeing to pay a $30,000 financial settlement and take corrective actions to comply with the HIPAA privacy rule's right of access standard.
Brockley did not immediately respond to ISMG's request for comment on his settlement with OCR.
The other recent right of access settlement - for $28,000 - was with a psychiatric medical services provider that has two office locations in California, Jacobs & Associates.
OCR's resolution agreement with Jacobs & Associates says the case involved multiple annual requests by a patient from 2013 to 2018 for copies of her medical records, which were not fulfilled by the practice until May 2019.
OCR's investigation into the complaint by the patient determined, among other findings, that Jacobs & Associates failed to provide the patient timely access to her health information in the form and manner requested. OCR also determined that Jacobs & Associates imposed an unreasonable fee for medical record copies and failed to implement policies and procedures regarding the right of access to PHI.
In addition to paying the financial settlements, both Brockley and Jacobs & Associates have agreed to implement corrective action plans related to their compliance with the HIPAA rules, including the right of access provision.
Jacobs & Associates did not immediately respond to ISMG's request for comment on its settlement with OCR.
Together, the settlements with Brockley and Jacobs & Associates bring to 27 the number of OCR enforcement actions since April 2019 involving alleged violations of the HIPAA right of access provision.
"The right of access cases emphasize OCR's commitment to its continuing right of access initiative," says regulatory attorney Paul Hales of the Hales Law Group.
Civil Monetary Penalty
The fourth enforcement action announced this week by OCR involved a $50,000 civil monetary penalty levied against another dental practice, U. Phillip Igbinadolor, D.M.D. & Associates, or UPI, which has offices in Charlotte and Monroe, North Carolina.
The case involved UPI's impermissible disclosure of a patient’s PHI on a webpage in response to a negative online review, OCR says.
OCR says UPI did not respond to the agency's data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.
UPI did not immediately respond to ISMG's request for comment on the civil monetary penalty imposed against the practice by OCR.
Disturbing Disclosures
Some experts say that of the four recent enforcement actions taken by the OCR, the most disturbing case involved the impermissible disclosure of patient information by dentist Northcutt pertaining to his state Senate campaign.
"OCR was right to aggressively pursue and publicize its enforcement action against a healthcare provider that disclosed patient information to a political campaign," says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"In my experience, complaints to OCR of healthcare providers disclosing PHI for use in a political campaign are referred to the Department of Justice for prosecution as a violation of the HIPAA criminal statute," he says. "Taking patient data collected from a treatment relationship and using it for personal gain erodes the trust patients put in their relationship with their healthcare provider."
The Department of Justice declined ISMG's inquiry about whether it has investigated a case involving Northcutt and any alleged criminal HIPAA violations. "We don’t confirm or deny or comment on the existence of criminal investigations," the Justice Department tells ISMG in a statement.
Poor Reviews
Hales says the second-most-disturbing case involved the impermissible PHI disclosures by the UPI dental practice.
"OCR’s enforcement action and $50,000 CMP levied against UPI for an unauthorized disclosure of PHI stemming from a dentist's response to a one-star Google patient review is particularly notable," he says.
In 2019, OCR took a HIPAA enforcement action in a similar case involving a Texas dental practice, Elite Dental Associates of Dallas, which allegedly disclosed patient PHI - including names and health conditions - in response to negative reviews posted on the online site Yelp by patients.
In that case, Elite Dental paid a $10,000 HIPAA settlement and agreed to take corrective actions.
"HIPAA violations involving patient reviews have grown significantly since then, fueled in part by marketing advisers and vendors that encourage healthcare providers to enhance their visibility and reputation by soliciting patient reviews," Hales says.
"The internet is awash with information provided by healthcare providers that confirms the identity of their patients. Those two bits of information, according to the HHS Office of Inspector General, are all a criminal needs to steal a patient's medical identity."