$1.9 million in fines, plus mandatory corrective actions, imposed against 16 HIPAA violators in just three months
A fun question in the fall is “What did you do last summer?” The HHS Office for Civil Rights (OCR) had an exceptionally busy summer, as it turns out. In July, August, and September of 2022, the OCR reached agreements with 16 violators of HIPAA Privacy and Security Rules. HIPAA violation penalties ranged from $5,000 to $875,000 per case, and in all cases mandatory corrective action plans were imposed on the violators, with most including two years of compliance monitoring.
We share this information with members of the healthcare community in the hope that these examples of bad behavior will encourage you to become fully HIPAA compliant. It is also important to understand that the generations who live online have no qualms about writing a poor review or filing a complaint. You can avoid complaints by adhering to the Patient Right of Access requirements under the HIPAA Privacy Rule.
The Mission of HHS and OCR
According to the U.S. Department of Health and Human Services (HHS) website, their mission is to enhance the health and well-being of all Americans. This entails (1) providing for effective health and human services, and (2) fostering sound, sustained advances in the sciences that underlie medicine, public health, and social services.
The Office for Civil Rights (OCR) is the enforcement agency for HIPAA within the U.S. Department of Health and Human Services. The mission of OCR is to ensure compliance with our nation’s civil rights, conscience and religious freedom, and health information privacy and security laws.
This mission entails (1) investigating complaints and conducting compliance reviews, (2) requiring corrective and remedial action, (3) promulgating policy and regulations, and (4) providing technical assistance and public education for the American people. And while imposing HIPAA violation penalties is not mentioned specifically, it is a critical element in the central mission to ensure compliance with HIPAA.
HIPAA Violation Penalties: The Dentists
Four dentists settled with the OCR after violating patients’ rights to access their medical records and health information as required by the HIPAA Privacy Rule.
The Patient Right of Access standard at 45 CFR 164.524 gives individuals the right to access, upon request, their medical and health information (protected health information, or PHI) in one or more designated record sets maintained by or for their healthcare providers and health plans or insurers. As defined in 45 CFR 164.501, designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, and other records used, in whole or in part, by or for a covered entity to make decisions about individuals.
HHS has provided the latest details pertaining to Patient Right of Access, and the limited exceptions to the rule, in a convenient set of Frequently Asked Questions. Every healthcare provider should read this FAQ sheet.
Now, back to the four dentists, whose violations cost them a total of $140,000 along with mandatory corrective actions and monitoring to prevent future patient right of access failures. These four violations all occurred in 2020, and the settlements were announced by OCR in two press releases in July and September of 2022.
- In Chicago, a patient of Family Dental Care filed a complaint with the OCR that she had received only portions of her medical record in May 2020. The practice did not provide the remainder until October 2020, five months later, when the OCR investigated. The practice agreed to pay $30,000 and implement a corrective action plan.
- A patient filed a complaint with the OCR against Great Expressions Dental Center of Georgia claiming the practice would not provide copies of her medical records because she refused to pay their $170 copying fee. The patient finally received the records more than a year later, with the OCR investigation finding the copying fees unreasonable and not cost-based. This violation cost the practice $80,000, along with mandatory corrective actions.
- In Las Vegas, an OCR investigation found that Paradise Family Dental Practice failed to provide a mother with timely copies of protected health information. After submitting multiple requests between April 11 and December 4, 2020, she finally received the records eight months after her initial request. Paradise agreed to pay $25,000 and implement corrective actions.
- Finally, Lawrence Bell, Jr., DDS, a dental practice in Baltimore, was investigated by the OCR, who found the practice failed to provide a patient with timely access to their medical record. The dentist paid a $5,000 fine and agreed to take corrective actions.
HIPAA Violation Penalties: The Mega Fines
The largest violations settled and announced by the OCR in press releases in July and August of 2022 involved three different HIPAA violations incurring severe penalties. The three healthcare providers were fined a total of $1,415,640, along with mandatory corrective action plans. Brief summaries follow.
- Improper Disposal of PHI. On May 11, 2021, New England Dermatology PC, of Massachusetts, filed a data breach report with the OCR stating that empty specimen containers with protected health information printed on the labels were placed in a garbage bin in their parking lot. The PHI included patient name, date of birth, date of sample collection, and provider name who took the specimen. The OCR’s investigation found impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI, which are violations of the HIPAA Privacy Rule. The August 2022 OCR press release confirmed that the practice paid a $300,640 penalty and agreed to a rigorous corrective action plan that includes two years of monitoring.
- Patient Right of Access Failure. Memorial Hermann Health System is a not-for-profit health system consisting of 17 hospitals in Southeast Texas. An OCR complaint investigation determined that Memorial failed to respond in a timely manner to a patient’s access request, thus violating the patient right of access standard that is part of the HIPAA Privacy Rule. According to the July 2022 OCR press release, Memorial Hermann Health System agreed to implement corrective actions and paid a penalty of $240,000.
- Web Server Hack Exposes ePHI. On January 5, 2018, Oklahoma State University Center for Health Sciences notified the OCR that a hacker had installed malware on a web server housing electronic protected health information (ePHI). The hack exposed the ePHI of almost 280,000 patients, including but not limited to names, Medicaid numbers, dates of birth, and addresses. The Center originally reported that the breach occurred in November 2017, but later revised the date to March 2016. The OCR investigation found multiple violations of the HIPAA Privacy, Security, and Breach Notification Rules, including impermissible use and disclosure of PHI, failure to conduct an accurate and thorough risk analysis, and failure to provide timely notification to affected individuals and HHS. As of the OCR press release in July 2022, the Center had paid an $875,000 penalty to the OCR and agreed to implement a robust corrective action plan with two years of monitoring.
HIPAA Violation Penalties: The High Cost of Slow Records
Nine other healthcare entities were investigated and fined a total of $356,000 for violating the HIPAA Privacy Rule’s Patient Right of Access requirement, according to a July 2022 press release published by the OCR. The violators run the gamut from podiatry, ENT, and eyecare to psychiatry, family medicine, and surgical specialists. Below are just five examples, but all nine demonstrate the same pattern of providers either disregarding the Patient Right of Access requirement or not clearly understanding it. Neither is an excuse for non-compliance.
- ACPM Podiatry, with offices in Peoria and Canton, Illinois, failed to provide a former patient with his medical records after numerous requests and a nudge from the OCR. ACPM did not respond to multiple subsequent OCR inquiries and ignored the OCR’s Letter of Opportunity and Notice of Proposed Determination. Not surprisingly, the OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.
- Southwest Surgical Associates, a group practice with nine locations in Houston, failed to provide an individual with timely access to their health information. The practice agreed to corrective actions and paid a $65,000 penalty to OCR.
- Associated Retina Specialists, of New York, failed to provide a patient with a copy of her medical records until five months after the patient’s first written request—and three days after the OCR began its investigation. The practice agreed to take corrective action and paid a $22,500 penalty.
- Coastal Ear, Nose, and Throat, of Ormond Beach, Florida, failed to provide timely access to medical records after multiple requests from a patient. Coastal paid a $20,000 penalty to the OCR and agreed to implement specified corrective actions.
- MelroseWakefield Healthcare, of Massachusetts, did not provide a patient’s personal representative with timely access to medical records. The practice believed that the agent’s durable power of attorney did not allow medical records to be provided. This mistake cost the provider a $55,000 penalty and a corrective action plan.
The pattern is the same in every case: patient requests records; provider delays the response or furnishes incomplete records; patient files a complaint; OCR investigates; provider pays. Rinse and repeat.
Between 2003 and 2019 the OCR investigated more than 39,000 complaints of potential HIPAA violations. More than two-thirds of those investigations (70%) found failures in compliance and imposed corrective action requirements on the violators. Note that these numbers predate the OCR’s intense focus on Patient Right of Access violations; that initiative was announced in 2019.
We share this data and these examples from recent OCR press releases to impress upon individual healthcare providers, large and small, the seriousness of HIPAA Security Rule and Privacy Rule compliance. The Patient Right of Access requirement, in particular, should be met on a consistent basis to avoid OCR complaint investigations and potential HIPAA violation penalties.
Summary
The Office for Civil Rights is the HIPAA enforcement agency for the U.S. Department of Health and Human Services. The OCR investigates complaints filed by individuals who believe their HIPAA rights have been violated. It also investigates data breach reports submitted by healthcare providers and conducts compliance reviews on its own initiative.
In July, August, and September of 2022, the OCR published four press releases detailing misbehavior that cost 16 errant healthcare providers more than $1.9 million in HIPAA violation penalties. In addition to the financial toll, the violators bear the burden of implementing mandatory corrective actions under the watchful eye of the OCR.
Don’t let this happen to you. A security risk assessment is a vital step in identifying where your organization meets and fails to meet HIPAA requirements. Your HIPAA risk assessment will identify and prioritize shortfalls and provide actionable recommendations to resolve them. Call for a complimentary consultation and stop carelessly risking your money, your time, and your reputation.