HHS Announces Four HIPAA Compliance Enforcement Actions With Health Care Providers

Bruce D. Armon, Samantha Gross

On March 28, 2022, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced the resolution of three investigations and one matter before an Administrative Law Judge related to compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. 

What You Need to Know:

  • Each of these actions involved small health care practices or sole practitioners.  
  • Health care providers of every size (not just hospitals and health systems!) and their business associates should see these enforcement actions as a reminder of the importance of complying with HIPAA.  

    Two of the matters relate to OCR’s HIPAA Right of Access Initiative (the “Initiative”). The Initiative supports individuals’ right to easily and timely access their health records at a reasonable cost under the HIPAA Privacy Rule. Including these two matters, there have been 27 OCR enforcement actions through the Initiative. The two additional enforcement actions announced involved health care providers accused of improperly sharing patient information with third parties. Each of these actions is summarized below.
    Dr. Donald Brockley, D.D.M.
    Dr. Brockley is a solo dentist in Butler, Pennsylvania. Dr. Brockley failed to provide a patient with a copy of their medical record and HHS notified Dr. Brockley that it was imposing a $104,000 civil money penalty. Dr. Brockley requested a hearing before an Administrative Law Judge and the dispute was resolved by a settlement agreement in which Dr. Brockley agreed to pay $30,000 and institute corrective actions, including ensuring policies and procedures and training were provided to all workforce members, and otherwise to comply with the HIPAA right of access standard.  
    Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI)
    UPI is a North Carolina dental practice. UPI impermissibly disclosed a patient’s name and protected health information as part of a lengthy reply on UPI’s Google review page in response to a negative online review. UPI ended its online post by suggesting that this patient “Get a life.” UPI did not respond to OCR’s data request or to a subsequent administrative subpoena. UPI waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.    
    Jacob & Associates
    Jacob & Associates is a sole proprietor psychiatric services provider in California. A complainant alleged that on July 1 of each year from 2013 to 2018, she mailed letters addressed to Jacob and Associates requesting access to a copy of her medical records. As of November 23, 2018, she had not received any response or the requested records. Jacob & Associates agreed to pay $28,000 and enter into a corrective action plan which includes a requirement to create HIPAA privacy rule policies and provide training for its workforce.
    Northcutt Dental-Fairhope, LLC (Northcutt Dental)
    Northcutt Dental is a dental practice in Fairhope, Alabama. Dr. Northcutt, the owner and operator of Northcutt Dental, ran for the Alabama state senate. Dr. Northcutt provided an excel spreadsheet to his campaign manager which contained the names and addresses of 3,657 Northcutt Dental patients. The campaign manager used this information to mail letters to the patients announcing Dr. Northcutt’s state senate campaign. Northcutt Dental also used a third-party marketing company to send emails to his practice’s patients regarding Dr. Northcutt’s senate race.  
    OCR investigated and found Northcutt Dental impermissibly disclosed its patients’ protected health information to the campaign manager and third-party marketing company. Northcutt Dental agreed to enter into a corrective action plan which required the practice to (i) revise its HIPAA policies, (ii) distribute those policies to workforce members, (iii) provide training to members of the practice’s HIPAA workforce, and (iv) pay $62,500 to resolve the allegations. Dr. Northcutt lost in his party’s primary run-off.   
    Health care providers – note each of these actions involved relatively small private practices and several sole practitioners – and their business associates should see these enforcement actions as a reminder of the importance of complying with HIPAA. “Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” OCR Director Lisa J. Pino said in a statement. 
    Saul Ewing attorneys regularly counsel and assist health care providers and business associates with respect to HIPAA compliance issues. For more information relating to Saul Ewing’s HIPAA practice, please contact the authors or the Saul Ewing attorney with whom you are regularly in contact.

Bruce Armon Headshot
Samantha R. Gross