OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost
Today, the U.S. Department of Health and Human Services (HHS) Office
for Civil Rights (OCR) announced the resolution of three investigations
concerning potential violations of the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule's patient right of access
provision. These cases are part of a collective effort, bringing the
total 41 cases, to drive compliance on right of access under the law.
“These three right of access actions send an important message to
dental practices of all sizes that are covered by the HIPAA Rules to
ensure they are following the law,” said OCR Director Melanie Fontes
Rainer. “Patients have a fundamental right under HIPAA to receive their
requested medical records, in most cases, within 30 days. I hope that
these actions send the message of compliance so that patients do not
have to file a complaint with OCR to have their medical records requests
fulfilled.”
OCR has taken the following enforcement actions that underscore the
importance and necessity of compliance with the HIPAA Rules, including
the foundational right of access provision:
- Family Dental Care, P.C.
(“FDC”), is a dental practice located in Chicago, Illinois. OCR
received a complaint on August 8, 2020, alleging that FDC failed to
provide a former patient with timely access to her complete medical
records. The former patient requested her entire medical records in May
2020, but received only portions. The former patient filed a complaint
with OCR, and during OCR’s investigation, FDC provided her with the
remainder of her records in October 2020. Thus, FDC did not provide a
complete copy of the records until more than five months after the
request was made. OCR's investigation determined that FDC’s failure to
provide timely access to the requested medical records was a potential
violation of the HIPAA right of access provision. FDC agreed to pay
$30,000 and implement a corrective action plan.
- Great Expressions Dental Center of Georgia, P.C.
(“GEDC-GA”), is a dental and orthodontics provider with multiple
locations throughout the state of Georgia. In November 2020, OCR
received a complaint alleging that GEDC-GA would not provide an
individual with copies of her medical records because she would not pay
GEDC-GA’s $170 copying fee. The individual first requested her records
in November 2019, but did not receive them until February 2021, over a
year later. OCR's investigation determined that GEDC-GA’s failure to
provide timely access to the requested medical records, and its practice
of assessing copying fees that were not reasonable and cost-based, were
potential violations of the HIPAA right of access provision. GEDC-GA
agreed to pay $80,000 and implement a corrective action plan.
- B. Steven L. Hardy, D.D.S., LTD,
doing business as Paradise Family Dental (“Paradise”) is a dental
practice in Las Vegas, Nevada. On October 26, 2020, OCR received a
complaint alleging that Paradise had failed to provide a mother with
copies of her and her minor child’s protected health information. The
mother submitted multiple record requests between April 11, 2020, and
December 4, 2020, but Paradise did not send the records until December
31, 2020, more than eight months after her initial request. OCR's
investigation determined that Paradise’s failure to provide timely
access to the requested medical records was a potential violation of the
HIPAA right of access provision. Paradise agreed to pay $25,000 and
implement a corrective action plan.
| HMO Revises Process to Obtain Valid Authorizations Covered Entity: Health Plans / HMOs Issue: Impermissible Uses and Disclosures; Authorizations A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures ...read more |
| Issued by: Office for Civil Rights (OCR) What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? Answer: If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R §§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan with a covered entity that OCR determined ...read more |
| Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment Covered Entity: Outpatient Facility Issue: Impermissible Uses and Disclosures An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board ...read more |
| TYLER, Texas — U.S. Attorney John M. Bales announced today that a former employee of an East Texas hospital has pleaded guilty to criminal HIPAA charges in the Eastern District of Texas. Joshua Hippler, 30, formerly of Longview, Texas, was indicted on March 26, 2014, on charges of Wrongful Disclosure of Individually Identifiable Health Information. Hippler pleaded guilty on August 28, 2014 during a hearing before United States Magistrate Judge John D. Love. The indictment alleged that from December 1, 2012, through January 14, 2013, Hippler, who was then an employee of a covered entity under HIPAA, obtained protected ...read more |
|
April 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
BAA (4)
HIPAA (2)
Data Breach (1)
ePHI (2)
Telehealth (1)
EHR Fraud (1)
HIPAA Enforcement (3)
PPP Fraud (1)
Covered Entity (40)
|
