by Laurie A. Rinehart-Thompson, JD, RHIA, CHP, FAHIMA
The Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services has completed twelve HIPAA enforcement actions in the past year. Nine resulted from the OCR’s HIPAA Right of Access Initiative, bringing the total Right of Access cases to 27. Access violations during this time period included a solo practice dentist who failed to provide a patient with their medical record, resulting in a settlement and $30,000 payment. Overall, payments resulting from the Right of Access violations during this time period – one a Civil Monetary Penalty (CMP) - ranged from $5000 to $160,000. The CMP involved a physician who, after failing to provide a patient with a copy of their medical record, failed to cooperate with the OCR’s investigation and did not contest the OCR’s findings.
Two cases reported by OCR in March 2022 were the result of impermissible disclosures, both involving dental practices. One case resulted in a settlement and $62,500 payment, and the second case resulted in a CMP of $50,000. The CMP followed the disclosure of PHI on a web page in response to a negative online review of the practice. Thereafter, the practice failed to respond to the OCR and did not contest the OCR’s findings.
Security Rule violations detected in a compliance review of a laboratory and reported in May 2021 resulted in a $25,000 settlement. Violations included failure to complete a risk analysis, implement risk management and audit controls, and maintain documentation of policies and procedures.
Reference: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
About the Author
Laurie A. Rinehart-Thompson, JD, RHIA, CHP, FAHIMA is a Privacy & Security Project Leader on the OHIMA FY 2021-22 Board of Directors. Laurie is the Professor and Program Director of Health Information Management and Systems at The Ohio State University and is the author of Introduction to Health Information Privacy and Security, 2nd Edition, AHIMA Press.
