OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost
Today, the U.S. Department of Health and Human Services (HHS) Office
for Civil Rights (OCR) announced the resolution of three investigations
concerning potential violations of the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule's patient right of access
provision. These cases are part of a collective effort, bringing the
total 41 cases, to drive compliance on right of access under the law.
“These three right of access actions send an important message to
dental practices of all sizes that are covered by the HIPAA Rules to
ensure they are following the law,” said OCR Director Melanie Fontes
Rainer. “Patients have a fundamental right under HIPAA to receive their
requested medical records, in most cases, within 30 days. I hope that
these actions send the message of compliance so that patients do not
have to file a complaint with OCR to have their medical records requests
fulfilled.”
OCR has taken the following enforcement actions that underscore the
importance and necessity of compliance with the HIPAA Rules, including
the foundational right of access provision:
- Family Dental Care, P.C.
(“FDC”), is a dental practice located in Chicago, Illinois. OCR
received a complaint on August 8, 2020, alleging that FDC failed to
provide a former patient with timely access to her complete medical
records. The former patient requested her entire medical records in May
2020, but received only portions. The former patient filed a complaint
with OCR, and during OCR’s investigation, FDC provided her with the
remainder of her records in October 2020. Thus, FDC did not provide a
complete copy of the records until more than five months after the
request was made. OCR's investigation determined that FDC’s failure to
provide timely access to the requested medical records was a potential
violation of the HIPAA right of access provision. FDC agreed to pay
$30,000 and implement a corrective action plan.
- Great Expressions Dental Center of Georgia, P.C.
(“GEDC-GA”), is a dental and orthodontics provider with multiple
locations throughout the state of Georgia. In November 2020, OCR
received a complaint alleging that GEDC-GA would not provide an
individual with copies of her medical records because she would not pay
GEDC-GA’s $170 copying fee. The individual first requested her records
in November 2019, but did not receive them until February 2021, over a
year later. OCR's investigation determined that GEDC-GA’s failure to
provide timely access to the requested medical records, and its practice
of assessing copying fees that were not reasonable and cost-based, were
potential violations of the HIPAA right of access provision. GEDC-GA
agreed to pay $80,000 and implement a corrective action plan.
- B. Steven L. Hardy, D.D.S., LTD,
doing business as Paradise Family Dental (“Paradise”) is a dental
practice in Las Vegas, Nevada. On October 26, 2020, OCR received a
complaint alleging that Paradise had failed to provide a mother with
copies of her and her minor child’s protected health information. The
mother submitted multiple record requests between April 11, 2020, and
December 4, 2020, but Paradise did not send the records until December
31, 2020, more than eight months after her initial request. OCR's
investigation determined that Paradise’s failure to provide timely
access to the requested medical records was a potential violation of the
HIPAA right of access provision. Paradise agreed to pay $25,000 and
implement a corrective action plan.
| Direct Liability of Business Associates In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act,1 making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.2 Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.3 As set forth in the HITECH ...read more |
| Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions Covered Entity: Health Plans Issue: Impermissible Uses and Disclosures An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures and to mitigate the harm to the individual. In addition, the employee who made the disclosure was counseled and given a written warning. ...read more |
| May a covered entity dispose of protected health information in dumpsters accessible by the public? For example, depending on the circumstances, proper disposal methods may include (but are not limited to): Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.In justifiable cases, based on the size and the ...read more |
| Private Practice Revises Process to Provide Access to Records Covered Entity: Private Practices Issue: Access A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary ...read more |
|
October 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
BAA (4)
EHR Fraud (1)
Telehealth (1)
ePHI (2)
Data Breach (1)
HIPAA (2)
HIPAA Enforcement (3)
PPP Fraud (1)
Covered Entity (40)
|
