In 2022, the Department of Health and Human Services, Office for Civil Rights (OCR) announced eighteen settlement agreements to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. Most of these settlements were in relation to OCR’s HIPAA Right of Access Initiative, spotlighting the agency’s continued focus on enforcement in this area. The other enforcement actions involved improper disposal of protected health information (PHI), impermissible disclosure of PHI, and inadvertent disclosure of electronic PHI (ePHI) due to facility data breach.
HIPAA Right of Access Settlements
In March of 2022, OCR resolved two matters related to the HIPAA Privacy Rule’s Right of Access provision. In both cases, the covered entities allegedly withheld patient records. The settlements for these cases were $28,000 and $30,000, respectively. In both cases, it was the patient themselves requesting the records, but the Right of Access rules also apply to other treating providers seeking a patient’s records.
In July of 2022, OCR resolved eleven cases related to the Privacy Rule’s Right of Access provision. The facilities paid settlements ranging from $3,500 to $240,000. In one case, the facility did not respond to data requests from OCR, leading to a civil monetary penalty of $100,000. This civil monetary penalty highlights the importance of cooperation with OCR.
In September of 2022, OCR settled three cases with dental practices in Georgia, Nevada, and Illinois once again related to the Privacy Rule’s Right of Access provision. In each case, the practice fell out of compliance with HIPAA by failing to provide the patients with requested copies of their medical records.
The factual backgrounds of these enforcements were diverse. In one case, a provider denied records to a patient because the patient was not current on their bill. In another case, a provider denied access to a patient because it believed the patient’s durable power of attorney did not permit access. In a third case, a provider charged an access fee that OCR determined was not reasonable or cost-based, as required by law. The most common cause of access denials was errors on the provider’s part that allowed requests to slip through the cracks.
Although each of these enforcements came against providers, it is important to note that all covered entities (including health plans) are subject to HIPAA Right of Access rules, and could therefore be a target of enforcement.
Improper Disposal of PHI Settlements
In August of 2022, OCR settled a case with a New England dermatology practice related to its improper disposal of PHI. According to the breach report, empty specimen containers with PHI on the labels were placed in a garbage bin in the facility’s parking lot. The containers’ labels included the patient names and dates of birth, the dates of sample collection, and the name of the provider who took the specimen. The facility paid over $300,000, implemented a corrective action plan, and agreed to two years of monitoring.
Impermissible Disclosure of PHI Settlements
In March of 2022, OCR resolved two matters related to impermissible disclosure of protected health information (PHI).
The first of these enforcements involved impermissible disclosure of patient data in response to a negative online review. In addition, the covered entity did not respond to OCR’s data requests or subpoenas. As a result, OCR imposed a $50,000 civil money penalty.
In the other case, an Alabama dental practice impermissibly disclosed patient data to a third-party marketing company in connection with a state senator’s election campaign. The practice agreed to pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
Data Breach Settlement
In July of 2022, OCR fined a large public medical school $875,000 when the ePHI of over 200,000 patients was compromised in a data breach. Although the disclosure was inadvertent, OCR stressed that HIPAA covered entities are vulnerable to cyber-attacks and must take steps to secure their data. This settlement signals that OCR requires HIPAA covered entities to understand where ePHI is stored in their information systems. In order to have effective cybersecurity, covered entities must have accurate and thorough risk analysis and implement all of the Security Rule requirements. The medical school is also implementing a corrective action plan that includes two years of self-monitoring to ensure compliance with the plan.This is intended serve as a guide and is not a substitute for legal advice. Please reach out to the authors for any specific questions. We expect to continue to monitor these topics and provide future client updates when useful.
Sign up for our newsletter and get the latest to your inbox.