The HHS Office for Civil Rights this past week announced the outcomes of three HIPAA investigations and brought another matter before a judge, signaling a continued prioritization of patients' rights to privacy and health data access under the law.

WHY IT MATTERS
Two of these cases are part of OCR's HIPAA Right of Access Initiative, and two are enforcement actions resulting from impermissible disclosure of patients' protected health information. Three of them involve dental practices.

• Jacob and Associates, a psychiatric medical services provider with two office locations in California, said it would take corrective actions and pay $28,000 to settle potential violations of the HIPAA Privacy Rule, according to OCR, including provisions of the right of access standard.
• Northcutt Dental, an Alabama-based practice, is alleged to have impermissibly disclosed its patients' PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign. It has agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule, says OCR.
• Dr. Donald Brockley, a solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record, OCR alleges. Brockley requested a hearing before an Administrative Law Judge; the litigation was resolved before the court made a determination by a settlement agreement in which Brockley agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule's right-of-access standard.
• Dr. U. Phillip Igbinadolor, DMD & Associates, a North Carolina dental practice, impermissibly disclosed a patient's PHI on a webpage in response to a negative online review, OCR alleges. The practice also did not respond to the OCR's data request, nor did it respond or object to an administrative subpoena and waived its rights to a hearing by not contesting the findings in OCR's Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.

THE LARGER TREND
The two new right-of-access settlements bring the total number of enforcement actions to 27 since the initiative began in 2019. Over the past three years, OCR has collected more than two-dozen settlements, usually in the tens of thousands of dollars, as it promised to "vigorously enforce" the patients' right to access their data in a timely fashion without being overcharged.

However, some patients are still forced to sue to gain access to their own healthcare data. Sometimes, the hindrances are deliberate. Oftentimes, they come from providers' misunderstanding of what the HIPAA Privacy Law stipulates.

Click here for a podcast interview with healthcare privacy attorney Matthew Fisher, who discussed proposed HIPAA changes and spoke in depth about OCR's continued emphasis on patients' right of access. 

ON THE RECORD
"Between the rising pace of breaches of unsecured protected health information and continued cybersecurity threats impacting the healthcare industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously," OCR Director Lisa J. Pino said in a statement announcing the new enforcements. "OCR will continue our steadfast commitment to protect individuals' health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.