What NOT to Do: Four OCR Enforcement Actions
Last week, the OCR announced recent HIPAA enforcement actions.

Four small healthcare providers are being held accountable for potential HIPAA violations, two of which are part of the OCR’s HIPAA Right of Access Initiative. As we’ve discussed in past newsletters, the initiative was created “to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.” These two resolved issues bring the total number of actions under this initiative to twenty-seven.

OCR Director Lisa J. Pino said in the announcement: “Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously."

What can we learn from these new enforcement actions?

  1.  A solo practitioner in Pennsylvania failed to comply with the right of access standard by not providing a patient with a copy of their medical record. The result was an agreed-upon settlement of $30,000 and a corrective action plan, including new compliance training for every employee of the practice.

  2.  A dental practice with two offices in North Carolina received a negative online review and included protected health information in its response on the website. This response was posted in 2015, and since then the OCR has made several requests for more information from the practice. After the practice failed to respond to the OCR’s data request and other communications, it was given a $50,000 civil money penalty.

  3.  A patient of a psychiatric medical services provider requested her medical records each year from 2013 to 2018 and received no response. After a complaint was filed, the OCR investigated and found that the provider had no designated privacy official and was missing policy content required by HIPAA. The provider agreed to pay a $28,000 penalty and take corrective actions.

  4.  An Alabama practice owner, David Northcutt, decided to run for state senator in 2017. Northcutt allegedly handed over an Excel spreadsheet with the contact information for over 3,600 patients to his campaign manager for the purpose of distributing letters to announce his campaign. It was reported that he afterwards gave the email addresses of over 5,000 patients to a marketing company for the same purpose. Northcutt didn’t admit to these actions, but still agreed to pay $62,500 and move forward with a corrective action plan.

As we can see from these instances, small providers that want to prevent costly breaches should start by understanding the requirements of HIPAA compliance and training their employees on how to handle PHI.

If you’re a small, medium, or large healthcare provider wondering where to start, we recommend beginning by conducting a thorough Security Risk Analysis. A complete SRA will give you a clear vision of where your security measures may be weakest, so that you can move forward in minimizing risk.

A good risk management strategy follows these steps:

  1. Evaluate the likelihood and possible impact of a breach.
  2. Put appropriate security measures in place to minimize these risks.
  3. Document implemented measures and why those protections were chosen.
  4. Update the security measures and documentation regularly.

If you have questions about compliance or when disclosing PHI is allowed under HIPAA, reach out to our team here.