
4 OCR Cases For Us – Ep 350 

April 8, 2022

By Donna Grindle

OCR enforcement actions

Have you heard the one about three dentists and a psychiatrist walk into… an OCR investigation? OCR has announced their first set of enforcement actions of 2022, and just in time for our 350th episode. These OCR cases involve patient right of access and improper disclosure violations.


Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.



HIPAA Say What!?!

[03:25] Two things to point out:

  1. HIPAA does apply to dentists if they file electronic claims. We will get to that as our main topic of this podcast episode in a minute.
  2. When you leave a job, HIPAA protections continue to apply to any information you learned as a result of your employment with a CE or BA. Forget you ever saw those details, ever. Any time you learn information in your personal life that would be considered PHI at work, HIPAA protections technically do not apply to that information. However, most people expect a higher level of trust from those in the healthcare system.

405(d) Tip of the Week

[07:41] Check out the webinars included as part of the Spotlight Series on the 405d.hhs.gov website.

The 405d Spotlight Series shines a light on various cyber-related topics with an industry member at the heart of the discussion. The webinars are a forum to learn from industry members about the current landscape in cybersecurity and the threats facing the sector.

  • April 2021 Webinar – Monitoring and Responding to Cyber Threats
  • June 2021 Webinar – The Internet of Medical Things: Making Them Secure
  • August 2021 Webinar – Healthcare’s Enterprise Cyber Risk Management
  • October 2021 Webinar – A Case Study of “Cancer Care in the Wake of a Cyber Attack”
  • December 2021 Webinar – 2021 Cyber Threat Review

This comes out on Apr 8th, so you have time to sign up for the next one! It will be on Wednesday, Apr 13, 2022, 1:00 PM – 2:00 PM: CISA and 405(d) Fireside Chat! Learn about taking advantage of the CyHy resources available to critical infrastructure entities for free.

4 OCR Cases For Us

[12:56] Three dentists and a psychiatrist walk into a bar… uh… podcast… wait… an OCR investigation…

This is the first announcement of enforcement actions in 2022.

Four HIPAA Enforcement Actions Hold Healthcare Providers Accountable With Compliance | HHS.gov

Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously. OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.

– OCR Director Lisa J. Pino

So two of these are patient right of access issues and two are improper disclosure issues.

Northcutt Dental, Fairhope, Alabama – Improper Disclosure – $62,500 and a 2 year CAP

In 2017, Dr. David Northcutt, owner and operator of Northcutt Dental, decided to run for state senator for district 32 in Alabama under the Republican Party. Dr. Northcutt engaged a campaign manager for assistance in this endeavor. On or about July 10, 2017, Dr. Northcutt provided an Excel spreadsheet to the Campaign Manager which contained the names and addresses of 3,657 patients of Northcutt Dental. The Campaign Manager mailed letters to these patients to announce Dr. Northcutt’s run for state senate. The letter was on the campaign’s letterhead but addressed the recipient as “Dear Valued Patient.”

On April 30, 2018, Northcutt Dental sent an email communication to its patients regarding Dr. Northcutt’s campaign. The email header showed the email as coming from “Northcutt Dental” and the email message was signed “Sincerely, Northcutt Dental.” Northcutt Dental used a third-party marketing company, Solutionreach, to send the emails. The campaign email was sent to the same patients that received the mailed letter in July 2017 plus an additional 1,727 patients, for a total of 5,385 individual recipients.

Here are the four violations cited in the Resolution Agreement:

  1. Northcutt Dental impermissibly disclosed the name and address of 3,658 individual patients when it shared this information with Dr. Northcutt’s Campaign Manager in 2017.
  2. Northcutt Dental impermissibly disclosed the name and email address of 5,385 individuals in 2018 when it shared this information with its marketing vendor for purposes outside the service arrangement in place.
  3. Northcutt Dental did not designate a privacy official until November 14, 2017.
  4. Northcutt Dental did not implement policies and procedures to comply with the requirements of the Privacy and Breach Notification Rules until January 1, 2018.

Following the timeline here tells its own story.

As a result, OCR’s settlement with Northcutt Dental was for $62,500 and a two year corrective action plan. The settlement includes some very specific details about policies and procedures, security risk analysis, and all the things we’re used to seeing in a two year corrective action plan to build a proper privacy and security program.

[23:14]

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), Charlotte, NC – Improper Disclosure – $50,000 CMP

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. UPI did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination.

Ultimately, OCR imposed a $50,000 civil money penalty against

Based on the information in the Notice of Proposed Determination, the practice failed to provide some of the information as requested by OCR (such as their social media policy re: uses and disclosures and financial information) and at one point said “I will see you in court.”

This situation is why we say that you have to have a social media policy that covers multiple things. What are you going to do when there’s a review? Who gets to control what’s posted on your website? How do you respond on your social media pages? And what can employees say about patients or work on their own social media pages?

[31:29]

Dr. Donald Brockley, D.D.M., Butler, Pennsylvania – Right of Access – $30,000 Immediate CAP

After being issued a Notice of Proposed Determination, Dr. Donald Brockley, D.D.M requested a hearing before an Administrative Law Judge. The litigation was resolved before the court made a determination by a settlement agreement in which Dr. Donald Brockley, D.D.M agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.

Here is a timeline of events:

  • August 2019: the practice received a notice that they were in violation of the Privacy Rule’s Right of Access provision.
  • Nov 3, 2020: HHS notified them of a CMP of $104,000.
  • January 25, 2021: they requested a hearing with an HHS Administrative Law Judge.
  • October 8, 2021: a joint motion for a stay was granted because they were going to settle the matter with OCR.
  • The practice agreed to pay $30,000 to OCR and committed to update their Right of Access policies and procedures and train the staff by Dec 9, 2021.

We’ve talked about this before: don’t ignore OCR. It’s possible that if the practice had responded to them, shown remorse, and shown that they were trying to fix the situation, they’d not have had to pay anything. But now they’ve made OCR jump through all these hoops. Let’s hope this practice doesn’t cross OCR’s desk in the future, because if they do and they can’t prove they are following the law, things will not go very well for them.

[36:54]

Jacob & Associates, California – Right of Access – $28,000 and 2 year CAP

On November 23, 2018, OCR received a complaint against Jacob & Associates from a patient (“Complainant”). Complainant alleged that on July 1 of each year from 2013 to 2018, she mailed letters in a stamped envelope addressed to Jacob & Associates requesting access to a copy of her medical records and, by the date of her complaint, had not received any response or records as requested.

HHS’ investigation revealed that Complainant most recently submitted a mailed written access request on July 1, 2018 for the records and did not receive a response. Complainant resubmitted the request by facsimile and Jacob & Associates provided Complainant a complete copy of her medical records (11 pages) on May 16, 2019, by electronic mail, as requested, after requiring her to travel to its office to complete its form to exercise her right to access, imposing a flat fee that was not cost-based ($25 per medical records request), and initially providing an incomplete (one page) paper copy of the records. Further, Jacob & Associates has not designated a privacy official and its Notice of Privacy Practices lacks required content.

The practice did so much wrong here. We’ve had several discussions in previous podcasts about a patient’s right to access their medical records and how to calculate fees for providing them. This has been in the Privacy Rule since its inception.

They often say “ignorance is bliss,” but I say it’s also expensive.

– David Sims, Help Me With HIPAA Podcaster

The practice agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule.

It was nice of OCR to give us their announcement of the first big enforcement actions of 2022 for our 350th podcast episode. These announcements always give us insight into what OCR is looking for and not looking for. There is always something to learn from them.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™
