The Department of Health and Human Services’ Office of Civil Rights is the entity that investigates HIPAA complaints and recommends enforcement, if necessary. The Office for Civil Rights has a tiered system for HIPAA violations:

·         Tier One is a violation of HIPAA due to lack of knowledge with a fine of $120-$60,226.

·         Tier Two is a violation occurring due to reasonable cause with a fine of $1,205-$60,226.

·         Tier Three is a violation because of willful neglect with a fine of $12,045-$60,226.

·         Tier Four is a violation occurring because of willful neglect but is not corrected within 30 days of the violation with a fine of $60,226-$1,806,757.

According to the HHS website, in 2020, the Office of Civil rights fully investigated 20 cases, which ended with settlements due to HIPAA violations. Those settlement amounts hit $13,554,900.

The year 2021 saw a reduction in the number of cases investigated (14), with settlement numbers reaching 5,982,150.

We are through the first quarter of 2022 and the enforcement actions to date show two possible types of violations that have OCR’s attention: access to medical records and social media blunders.

 The lowest penalty payment to date in 2022 has been $28,000 by Dr. Jacob of Jacob & Associates in California. A patient of the clinic mailed letters requesting copies of her medical records every year from 2013 to 2018 and never once received a response. When the patient finally sent a request by fax, the clinic provided her with 11 pages of records by e-mail but only after requiring her to come to the clinic to fill out a form and imposing a flat fee of $25. Further, initially, the clinic only sent one record, instead of the 11. In addition to the settlement payment, Jacob had to implement a corrective action plan.

In another “access” matter, solo dental practitioner, Dr. Donald Brockley of Pennsylvania paid a settlement of $30,000 (HHS initially sought to impose a $104,000 penalty). Dr. Brockley also failed to provide a patient with a copy of the medical record. The details on this matter are limited.

The highest settlement to date for 2022 was a $62,500 payment and corrective action plan agreement from Dr. David Northcutt, who was employed through an Alabama dental practice. When Dr. Northcutt decided to run for a state senate seat, he sent an excel spreadsheet of the names of his 3,657 patients to his campaign manager. As might be predicted, the campaign then emailed letters to the 3,657 patients, addressed to “Valued Patient” while announcing the campaign. Later, those same patients, in addition to 1,727 more, received emails from a third-party marketing company hired by Dr. Northcutt.

Finally, Dr. U Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI) owed $50,000 in penalties for failing to protect his patient’s identity and using discretion when it came to social media. A patient used a pseudonym to post a negative review of his experience at the dental practice. The dentist retaliated by replying to the review and exposing the patient’s name and discussing the patient’s treatment in detail. The dentist finished his response with a discourteous remark, “Get a life.” During their investigation into this complaint, the Office of Civil Rights also found that UPI had not created any HIPAA policies or procedures, and had no documentation of any HIPAA training. While UPI later provided an “acknowledgment “of training, it could not provide any substantive information on the contents of the training.  Fascinatingly, this matter first occurred in 2017 (with resolution only now happening in 2022), and the doctor’s response (as well as other “jousts” with unhappy patients) are still on the review site.

The immediate lessons to take from these enforcement actions are to provide timely access to medical records (at this time, no later than 30 days of the request), do not misuse patient information, and continue to be vigilant about what is posted on social media. Of course, make sure to have policies and procedures related to HIPAA, but do not just let them gather dust on a shelf: provide annual training and retain copies of the training with a list of who attended.