Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI) HIPAA Enforcement Action; Northcutt Dental-Fairhope, LLC (Northcutt Dental) HIPAA Enforcement Action
HHS’s Office for Civil Rights (OCR) has announced the resolution of two enforcement actions involving disclosures of protected health information (PHI) in alleged violation of the HIPAA privacy rule. In the first action, OCR imposed a $50,000 civil monetary penalty because a health care provider disclosed PHI in response to a patient’s negative online review. Although the patient had used a pseudonym to mask his identity when posting the review, the provider’s online response disclosed the patient’s real name and details about the patient’s condition and treatment. After the patient complained to OCR, OCR requested information from the provider, who acknowledged posting the response, declined to remove the response from its webpage, and failed to furnish OCR with relevant policies and procedures. OCR informed the provider that the disclosure violated the privacy rule and requested the financial information necessary to determine an appropriate sanction. The provider refused to provide the financial information, contending that the requested documents did not “relate to HIPAA.” The provider failed to respond to administrative subpoenas and did not participate in attempts to resolve the matter by informal means. OCR determined that the appropriate penalty tier was for a violation committed with “willful neglect and not corrected,” requiring a minimum penalty of $50,000 per violation. Finding a single violation, OCR proposed a $50,000 penalty. Because the provider failed to request a hearing, the penalty became final.
In the second action, a provider agreed to pay a $62,500 settlement after disclosing lists of patients to a campaign manager and a marketing company assisting the provider with fundraising for his political campaign. Two campaign mailings were sent to a total of more than 5,000 patients. OCR asserted that the provider violated HIPAA by making the unauthorized disclosures, failing to designate a privacy officer, and failing to implement privacy or breach notification policies and procedures. In addition to the payment, the provider agreed to a corrective action plan (CAP) requiring review and revision of HIPAA privacy policies, including provisions related to uses and disclosures of PHI, the minimum necessary standard, business associates, and training; all security rule safeguards; and all breach notification requirements. After approval by HHS, the updated policies and procedures must be distributed to existing and new workforce members within specified timelines. Workforce members must be trained on the updated policies and procedures after HHS approves the training materials. The provider must submit two annual reports documenting compliance with the CAP, including evidence demonstrating that the provider implemented security measures in response to its most recent risk analysis and risk management plan.
EBIA Comment: These enforcement actions illustrate why it is crucial for all health care providers, health plans, and business associates to understand core HIPAA concepts—starting with being able to recognize PHI. Although it may seem particularly unfair not to be able to provide a detailed response to public criticism, OCR has made its position on this issue clear in prior resolution agreements, including one involving social media (see our Checkpoint article) and one involving newspapers (see our Checkpoint article). Unless a use or disclosure of PHI is for treatment, payment, or health care operations, an individual’s authorization is usually necessary. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXII.A (“What Information Is Protected?”) and XXVI (“Core Privacy Requirement #1: Use and Disclosure Rules”). You may also be interested in our webinar “Practical Application of HIPAA Use and Disclosure Rules for Group Health Plans” (recorded on 8/12/21).
Contributing Editors: EBIA Staff.