OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost
Today, the U.S. Department of Health and Human Services (HHS) Office
for Civil Rights (OCR) announced the resolution of three investigations
concerning potential violations of the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule's patient right of access
provision. These cases are part of a collective effort, bringing the
total 41 cases, to drive compliance on right of access under the law.
“These three right of access actions send an important message to
dental practices of all sizes that are covered by the HIPAA Rules to
ensure they are following the law,” said OCR Director Melanie Fontes
Rainer. “Patients have a fundamental right under HIPAA to receive their
requested medical records, in most cases, within 30 days. I hope that
these actions send the message of compliance so that patients do not
have to file a complaint with OCR to have their medical records requests
fulfilled.”
OCR has taken the following enforcement actions that underscore the
importance and necessity of compliance with the HIPAA Rules, including
the foundational right of access provision:
- Family Dental Care, P.C.
(“FDC”), is a dental practice located in Chicago, Illinois. OCR
received a complaint on August 8, 2020, alleging that FDC failed to
provide a former patient with timely access to her complete medical
records. The former patient requested her entire medical records in May
2020, but received only portions. The former patient filed a complaint
with OCR, and during OCR’s investigation, FDC provided her with the
remainder of her records in October 2020. Thus, FDC did not provide a
complete copy of the records until more than five months after the
request was made. OCR's investigation determined that FDC’s failure to
provide timely access to the requested medical records was a potential
violation of the HIPAA right of access provision. FDC agreed to pay
$30,000 and implement a corrective action plan.
- Great Expressions Dental Center of Georgia, P.C.
(“GEDC-GA”), is a dental and orthodontics provider with multiple
locations throughout the state of Georgia. In November 2020, OCR
received a complaint alleging that GEDC-GA would not provide an
individual with copies of her medical records because she would not pay
GEDC-GA’s $170 copying fee. The individual first requested her records
in November 2019, but did not receive them until February 2021, over a
year later. OCR's investigation determined that GEDC-GA’s failure to
provide timely access to the requested medical records, and its practice
of assessing copying fees that were not reasonable and cost-based, were
potential violations of the HIPAA right of access provision. GEDC-GA
agreed to pay $80,000 and implement a corrective action plan.
- B. Steven L. Hardy, D.D.S., LTD,
doing business as Paradise Family Dental (“Paradise”) is a dental
practice in Las Vegas, Nevada. On October 26, 2020, OCR received a
complaint alleging that Paradise had failed to provide a mother with
copies of her and her minor child’s protected health information. The
mother submitted multiple record requests between April 11, 2020, and
December 4, 2020, but Paradise did not send the records until December
31, 2020, more than eight months after her initial request. OCR's
investigation determined that Paradise’s failure to provide timely
access to the requested medical records was a potential violation of the
HIPAA right of access provision. Paradise agreed to pay $25,000 and
implement a corrective action plan.
| Mental Health Center Provides Access and Revises Policies and Procedures Covered Entity: Mental Health Center Issue: Access, Restrictions The complainant alleged that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did not provide her with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts ...read more |
| Issued by: Office for Civil Rights (OCR) What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? Answer: If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R §§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan with a covered entity that OCR determined ...read more |
| May a covered entity dispose of protected health information in dumpsters accessible by the public? For example, depending on the circumstances, proper disposal methods may include (but are not limited to): Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.In justifiable cases, based on the size and the ...read more |
|
January 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | 1 | 2 | 3 |
| 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| 11 | 12 | 13 | 14 | 15 | 16 | 17 |
| 18 | 19 | 20 | 21 | 22 | 23 | 24 |
| 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
Data Breach (1)
ePHI (2)
HIPAA (2)
Telehealth (1)
PPP Fraud (1)
HIPAA Enforcement (3)
EHR Fraud (1)
Covered Entity (40)
BAA (4)
|
