The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced four enforcement resolutions at the end of March 2022, with issues ranging from the misuse of protected health information (PHI) for political campaigns, yet another healthcare provider falling prey to the temptation to respond to bad online reviews with PHI, and two more patient right-of-access enforcement actions.

The enforcement actions highlight the need to understand OCR's broad interpretation of what constitutes PHI, OCR's willingness to pursue enforcement actions against smaller healthcare providers, and its continued commitment to prioritize enforcement of the right of access. Organizations should ensure that their workforce understand what constitutes PHI, their limits on using and disclosing such information, and should continue to focus on removing barriers to patients accessing their PHI.

Politics and PHI Don't Mix

In its resolution with Northcutt Dental-Fairhope, LLC (Northcutt Dental), OCR found that Northcutt Dental impermissibly disclosed the name and email addresses of individual patients when it shared information with Dr. Northcutt's campaign manager in 2017, who mailed letters to patients regarding Dr. Northcutt's state senate campaign. OCR also found Northcutt Dental impermissibly disclosed the name and email address of patients again in 2018 when it shared this information with its marketing vendor for purposes beyond the service arrangement.

OCR further alleged that Northcutt Dental failed to appoint a privacy official and also failed to implement policies and procedures to comply with HIPAA's Privacy and Breach Notification Rules. Northcutt Dental agreed to a Corrective Action Plan and to pay HHS a $62,500 to settle the matter.

Impermissible Disclosures of PHI Takeaways

Entities subject to HIPAA should:

  • Recognize that OCR considers any patient demographic information to constitute PHI, even in the absence of specific treatment or diagnostic information.
  • Develop and implement policies and procedures addressing appropriate uses and disclosures of PHI.
  • Pay particular attention to marketing, which tends to generate patient complaints and concerns.
  • Implement procedures for sharing patient information with any third parties and verify that appropriate contracts, such as business associate agreements and confidentiality agreements, are in place.

The Challenge of Responding to Online Patient Reviews Under HIPAA

In its resolution with U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), OCR found UPI impermissibly disclosed a patient's name and PHI in responding to the patient's negative online review. OCR found that UPI's disclosure "was not permitted or required by the Privacy Rule, and, as a result, UPI impermissibly disclosed PHI when it posted a response with Complainant's PHI."

In response to its request, OCR notes that while UPI provided an "Acknowledgment of Training," it did not provide documentation of actual training, failed to remove the PHI from its Google page (the response remains public), and UPI did not provide any social media policies and procedures. UPI also did not object or respond to OCR's administrative subpoena. Because UPI did not cooperate, OCR imposed a civil monetary penalty in the amount of $50,000.

This case highlights the continuing challenges that healthcare providers face with respect to online patient reviews. Patients, rightly or wrongly, can anonymously post scathing online reviews that can have serious financial consequences, discouraging potential future patients from visiting the provider.

HIPAA does not allow the healthcare provider to respond with any PHI—even information that merely identifies that the individual was a patient—absent the patient's authorization. Providers can ignore the review, respond with generic statements that do not include any PHI, or consider more extreme options such as litigation (where proving libel would be a very high hurdle).

Social Media Takeaways

HIPAA-regulated entities should:

  • Develop and follow social media policy and procedures, particularly since patients posting on social media raises numerous implications for providers.
  • Train workforce on appropriate use of social media.
  • Take precautions and verify appropriateness prior to replying to online reviews or otherwise engaging with social media.
  • Take immediate corrective action and determine whether a breach of unsecured PHI requiring notification under HIPAA or state law occurred, in response to a posting of PHI on social media.
  • Know that OCR will not simply go away if ignored.

OCR's Continued Right-of-Access Enforcement Initiative

OCR grew the total number of HIPAA right-of-access enforcement actions from two to 27 since beginning its Right of Access Initiative in 2019. OCR began the initiative to ensure that patients have timely access to PHI maintained in a designated record set at a reasonable cost by holding covered entities responsible for their HIPAA right of access obligation—as a result of the business associate agreements into which they must enter, business associates must contractually support this obligation.

The right of access obligation includes permitting individuals to inspect their PHI, obtain a copy, and direct a covered entity to transmit a copy of the PHI to a person or entity that an individual designates. OCR has brought right-of-access enforcement actions against providers of all sizes and types.

In its resolution agreement with B. Said Jacob, M.D., M.P.H, dba Dr. Jacob & Associates (Jacob & Associates), OCR found that Jacob & Associates imposed an unreasonable fee of $25 per medical record that was not cost-based. Further, OCR claimed that Jacob & Associates failed to provide timely access and imposed unreasonable burdens.

According to the Resolution Agreement, Jacob & Associates provided complainant a complete copy of her medical records only after requiring complainant to travel to their office to complete their access form and initially provided incomplete records. In its investigation, OCR also found that Jacob & Associates failed to implement policies regarding the right of access to PHI, did not designate a privacy official, and its Notice of Privacy Practices was lacking. Jacob & Associates agreed to pay OCR $28,000 to settle the matter.

In the other right-of-access action, Dr. Donald Brockley, D.M.D., settled with OCR for $30,000 for failing to provide a patient with access to PHI and entered into a corrective action plan to comply with the HIPAA right-of-access standard.

Right-of-Access Takeaways

The two latest right-of-access enforcement actions are in line with OCR targeting covered entities in response to a complaint. HIPAA-regulated entities should:

  • Verify that any fee charged under an individual's right of access should be cost-based and not, for example, a flat fee that has not been recognized as reasonable by OCR.
  • Not create hurdles for patients requesting access to medical records, such as requiring patients to travel to the office to complete access forms without good reason.
  • Develop and implement HIPAA policies and procedures, including addressing the right of access to PHI, and verify the Notice of Privacy Practices is consistent with the entity's practices and HIPAA.
  • Pay attention to other HIPAA compliance requirements such as appointing a privacy (and security) officer.
  • Remember that, once opened, OCR can expand its investigation or compliance review.