OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost
Today, the U.S. Department of Health and Human Services (HHS) Office
for Civil Rights (OCR) announced the resolution of three investigations
concerning potential violations of the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule's patient right of access
provision. These cases are part of a collective effort, bringing the
total 41 cases, to drive compliance on right of access under the law.
“These three right of access actions send an important message to
dental practices of all sizes that are covered by the HIPAA Rules to
ensure they are following the law,” said OCR Director Melanie Fontes
Rainer. “Patients have a fundamental right under HIPAA to receive their
requested medical records, in most cases, within 30 days. I hope that
these actions send the message of compliance so that patients do not
have to file a complaint with OCR to have their medical records requests
fulfilled.”
OCR has taken the following enforcement actions that underscore the
importance and necessity of compliance with the HIPAA Rules, including
the foundational right of access provision:
- Family Dental Care, P.C.
(“FDC”), is a dental practice located in Chicago, Illinois. OCR
received a complaint on August 8, 2020, alleging that FDC failed to
provide a former patient with timely access to her complete medical
records. The former patient requested her entire medical records in May
2020, but received only portions. The former patient filed a complaint
with OCR, and during OCR’s investigation, FDC provided her with the
remainder of her records in October 2020. Thus, FDC did not provide a
complete copy of the records until more than five months after the
request was made. OCR's investigation determined that FDC’s failure to
provide timely access to the requested medical records was a potential
violation of the HIPAA right of access provision. FDC agreed to pay
$30,000 and implement a corrective action plan.
- Great Expressions Dental Center of Georgia, P.C.
(“GEDC-GA”), is a dental and orthodontics provider with multiple
locations throughout the state of Georgia. In November 2020, OCR
received a complaint alleging that GEDC-GA would not provide an
individual with copies of her medical records because she would not pay
GEDC-GA’s $170 copying fee. The individual first requested her records
in November 2019, but did not receive them until February 2021, over a
year later. OCR's investigation determined that GEDC-GA’s failure to
provide timely access to the requested medical records, and its practice
of assessing copying fees that were not reasonable and cost-based, were
potential violations of the HIPAA right of access provision. GEDC-GA
agreed to pay $80,000 and implement a corrective action plan.
- B. Steven L. Hardy, D.D.S., LTD,
doing business as Paradise Family Dental (“Paradise”) is a dental
practice in Las Vegas, Nevada. On October 26, 2020, OCR received a
complaint alleging that Paradise had failed to provide a mother with
copies of her and her minor child’s protected health information. The
mother submitted multiple record requests between April 11, 2020, and
December 4, 2020, but Paradise did not send the records until December
31, 2020, more than eight months after her initial request. OCR's
investigation determined that Paradise’s failure to provide timely
access to the requested medical records was a potential violation of the
HIPAA right of access provision. Paradise agreed to pay $25,000 and
implement a corrective action plan.
| Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's patient right of access provision. These cases are part of a collective effort, bringing the total 41 cases, to drive compliance on right of access under the law. “These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA ...read more |
| Direct Liability of Business Associates In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act,1 making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.2 Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.3 As set forth in the HITECH ...read more |
| Mental Health Center Provides Access after Denial Covered Entity: Mental Health Center Issue: Access, Authorization The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto insurance company and refused to provide her with a copy of her medical records. The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. OCR also determined that the Center denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm. The Center did not, ...read more |
| SCOPE OF CRIMINAL ENFORCEMENT UNDER 42 U.S.C. § 1320d-6 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6, and the knowingly element of the offense set forth in that provision requires only proof of knowledge of the facts that constitute the offense. MEMORANDUM OPINION FOR THE GENERAL COUNSEL DEPARTMENT OF HEALTH AND HUMAN SERVICES AND THE SENIOR COUNSEL TO THE DEPUTY ATTORNEY GENERAL You have asked jointly for our opinion concerning the scope of 42 U.S.C. § 1320d-6 (2000), the criminal enforcement provision of the ...read more |
|
August 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | 1 | 2 |
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
HIPAA Enforcement (3)
EHR Fraud (1)
Data Breach (1)
BAA (4)
Covered Entity (40)
Telehealth (1)
PPP Fraud (1)
HIPAA (2)
ePHI (2)
|
