OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost
Today, the U.S. Department of Health and Human Services (HHS) Office
for Civil Rights (OCR) announced the resolution of three investigations
concerning potential violations of the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule's patient right of access
provision. These cases are part of a collective effort, bringing the
total 41 cases, to drive compliance on right of access under the law.
“These three right of access actions send an important message to
dental practices of all sizes that are covered by the HIPAA Rules to
ensure they are following the law,” said OCR Director Melanie Fontes
Rainer. “Patients have a fundamental right under HIPAA to receive their
requested medical records, in most cases, within 30 days. I hope that
these actions send the message of compliance so that patients do not
have to file a complaint with OCR to have their medical records requests
fulfilled.”
OCR has taken the following enforcement actions that underscore the
importance and necessity of compliance with the HIPAA Rules, including
the foundational right of access provision:
- Family Dental Care, P.C.
(“FDC”), is a dental practice located in Chicago, Illinois. OCR
received a complaint on August 8, 2020, alleging that FDC failed to
provide a former patient with timely access to her complete medical
records. The former patient requested her entire medical records in May
2020, but received only portions. The former patient filed a complaint
with OCR, and during OCR’s investigation, FDC provided her with the
remainder of her records in October 2020. Thus, FDC did not provide a
complete copy of the records until more than five months after the
request was made. OCR's investigation determined that FDC’s failure to
provide timely access to the requested medical records was a potential
violation of the HIPAA right of access provision. FDC agreed to pay
$30,000 and implement a corrective action plan.
- Great Expressions Dental Center of Georgia, P.C.
(“GEDC-GA”), is a dental and orthodontics provider with multiple
locations throughout the state of Georgia. In November 2020, OCR
received a complaint alleging that GEDC-GA would not provide an
individual with copies of her medical records because she would not pay
GEDC-GA’s $170 copying fee. The individual first requested her records
in November 2019, but did not receive them until February 2021, over a
year later. OCR's investigation determined that GEDC-GA’s failure to
provide timely access to the requested medical records, and its practice
of assessing copying fees that were not reasonable and cost-based, were
potential violations of the HIPAA right of access provision. GEDC-GA
agreed to pay $80,000 and implement a corrective action plan.
- B. Steven L. Hardy, D.D.S., LTD,
doing business as Paradise Family Dental (“Paradise”) is a dental
practice in Las Vegas, Nevada. On October 26, 2020, OCR received a
complaint alleging that Paradise had failed to provide a mother with
copies of her and her minor child’s protected health information. The
mother submitted multiple record requests between April 11, 2020, and
December 4, 2020, but Paradise did not send the records until December
31, 2020, more than eight months after her initial request. OCR's
investigation determined that Paradise’s failure to provide timely
access to the requested medical records was a potential violation of the
HIPAA right of access provision. Paradise agreed to pay $25,000 and
implement a corrective action plan.
| Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more |
| Radiologist Revises Process for Workers Compensation Disclosures Covered Entity: Health Care Provider Issue: Impermissible Uses and Disclosures A radiology practice that interpreted a hospital patient’s imaging tests submitted a worker’s compensation claim to the patient’s employer. The claim included the patient’s test results. However, the patient was not covered by worker’s compensation and had not identified worker’s compensation as responsible for payment. OCR’s investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. Among other corrective actions to resolve the specific issues in the case, the practice apologized to ...read more |
| Issued by: Office for Civil Rights (OCR) Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States? Answer: Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that ...read more |
| Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more |
|
August 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | 1 | 2 |
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
Data Breach (1)
Covered Entity (40)
ePHI (2)
PPP Fraud (1)
BAA (4)
HIPAA (2)
EHR Fraud (1)
HIPAA Enforcement (3)
Telehealth (1)
|
