Photo by Karolina Grabowska

Lee SlatonBy Lee Slaton, Vice President of Healthcare; Smart Training

Last month, I recapped OSHA-related issues in 2022. Now we’ll do the same with regard to HIPAA.

In 2022, there were 17 “lucky” healthcare facilities—including dental practices—on the receiving end of HIPAA violations totaling a whopping $1,967,140. Sorry, folks—insurance doesn’t cover those fines, and you can’t write them off, either.

Violations covered the spectrum: there was a huge one related to a major hack, a few were PHI disclosures, and several were simply not providing patient records in a timely manner; but my favorite (for originality) was a dental practice in Alabama impermissibly disclosing its patients’ PHI to a campaign manager and a third-party marketing company related to a state senate election campaign. (Anyone want to bet on whether or not the campaign covered the cost of the practice’s $62,500 fine?)

Here’s a quick rundown on the whole lot, grouped by related violations.

Improper Disposal and/or Impermissible Disclosure of PHI

  • Oklahoma State University Center for Health Sciences experienced a hacking incident. The investigation revealed a failure to conduct an accurate risk analysis, noncompliance with the security incident response and reporting requirements of the HIPAA Security Rule, failure to conduct an evaluation following changes that affected the security of ePHI, a lack of audit controls, breach notification delays, and the impermissible disclosure of the PHI of 279,865 individuals. The case was settled for $850,000.
  • (Massachusetts) A practice disposed of empty specimen containers in regular dumpsters. The containers had labels that included the improperly disposed PHI of 58,106 patients. The case was settled with OCR for $300,640.
  • (Alabama) The previously mentioned Alabama dental practice impermissibly disclosed patients’ PHI to a campaign manager and a third-party marketing company in relation to a state senate election campaign. OCR also identified issues with the notice-of-privacy practices and there was no HIPAA privacy officer. The case was settled for $62,500.
  • (North Carolina) A dental practice impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000.

Records Not Provided in a Timely Manner

  • (Texas) A provider received five requests from a patient for complete records. It took over 500 days from the initial request for all the records to be provided to the patient. The case was settled for $240,000.
  • (Illinois) A practice didn’t provide a former patient with records he’d requested. Even after the OCR intervened, he was not provided the requested records because his insurance company had not paid for a bill. OCR imposed a penalty of $100,000.
  • (Texas) A practice took 13 months to provide a patient with all requested records. The case was settled for $65,000.
  • (Massachusetts) A provider received a request from a parent for her son’s medical records. It took the provider six months to comply. OCR settled the case for $55,000.
  • (Massachusetts) A provider received a valid request from a personal representative of a patient. Due to an error regarding the legality of the durable power of attorney, the requested records were provided four months later. The case was settled for $55,000.
  • (New York) A Buffalo provider failed to provide a patient with timely access to his medical records. OCR settled the case for $50,000.
  • (Nebraska) A provider failed to provide a patient with timely access to requested medical records. The case was settled for $30,000.
  • (Pennsylvania) A solo dental practitioner failed to provide a patient with a copy of their medical records in a timely manner. The practice owner settled out of court and agreed to a fine of $30,000.
  • (California) A provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. OCR also identified issues with the notice of privacy practices and a HIPAA privacy officer had not been appointed. The case was settled and a financial penalty of $28,000 was paid.
  • (New York) A provider took 5 months to provide a patient with the requested medical records. The records were provided within days of OCR intervening. OCR settled the case for $22,500.
  • (Florida) An ear, nose, and throat practice received a request from a patient for a copy of medical records. Five months later, they provided the records. This case was settled for $20,000.
  • (Maryland) a dental practice failed to provide a patient with timely access to the requested medical records. OCR settled the case for $5,000.
  • (Massachusetts) A practice received a request for medical records, but access was refused to the patient due to an outstanding bill. The records were provided six months later. The case settled for $3,500.

Please, please, please, don’t just read’em and weep. These are all easily preventable. First things first: make sure all of your staff is up to date with the latest training on protecting your patients’ PHI. It is easy to do and can save you thousands of dollars. Assign someone knowledgeable on your staff to be your practice’s privacy officer. Have your privacy officer conduct a HIPAA Risk Assessment every year. It doesn’t matter how big or small your practice is or whether you’re in a big city or small town—patients are infinitely knowledgeable and serious about their PHI. You should be, too!

If you’re unsure of your practice’s compliance status, contact Smart Training. Smart Training has assisted over 15,000 dental healthcare professionals with their compliance needs.
Get Compliant.