On March 28, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations and one matter before an Administrative Law Judge related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

In a press release, OCR Director Lisa Pino stated that “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

These actions and the statements from Director Pino make it clear that OCR will continue to focus on right-of-access initiatives. Additionally, covered entities such as health care providers may use and disclose patient protected health information (PHI) only as permitted by the HIPAA rules. These enforcement actions also reinforce the need to have robust HIPAA policies and procedures in place and for health care providers to ensure that their workforce and administrators are routinely trained on HIPAA compliance.

Two of the cases are part of OCR’s HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to 27 since the initiative began. OCR created this initiative to enforce individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The other enforcement actions result from health care providers impermissibly disclosing their patients’ protected health information (PHI).

The enforcement actions highlighted by OCR include:

  1. A solo dental practitioner in Butler, Pa. entered into a settlement agreement with OCR. In this case, the dental practice had failed to provide a patient with a copy of the patient’s medical record; the practice agreed to pay $30,000 and to take corrective actions to comply with the HIPAA Privacy Rule's right-of-access standard, including implementing and distributing HIPAA policies and procedures and training each workforce member on them. The settlement agreement with OCR is available here.
  2. A California-based psychiatric medical services provider agreed to take corrective action and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right-of-access standard. The investigation revealed that the provider failed to respond to a patient’s mailed written access request for medical records. The provider later provided medical records to the patient, but provided the records electronically only after the patient traveled to the provider’s office to complete its form to exercise the right of access; it imposed a flat fee that was not cost-based ($25 per medical records request), and it initially provided an incomplete (one page) paper copy of the records. Additionally, the investigation determined that the provider failed to designate a privacy official and that its Notice of Privacy Practices lacked required content. Accordingly, this provider was required to remedy these deficiencies as part of the settlement with OCR. The complete resolution agreement with OCR and corrective action plan is available here.
  3. OCR imposed a $50,000 civil monetary penalty on a North Carolina-based dental practice. OCR found that the dental practice impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The practice did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting OCR’s findings. OCR’s Notice of Final Determination is available here.
  4. A dental practice in Fairhope, Ala., entered into a resolution agreement with OCR and agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule. OCR found that the dental practice impermissibly disclosed the names and addresses of approximately 3,658 individual patients to a campaign manager, and the names and email addresses of approximately 5,385 individual patients to a third-party marketing company, both hired to help with the practice owner’s primary election for the Alabama state senate. OCR’s investigation determined that the practice did not designate a privacy official or implement HIPAA policies and procedures. The practice was required to remedy these deficiencies as part of the settlement with OCR. The complete resolution agreement with OCR and corrective action plan is available here.