Caution: Expect Right of Access compliance to remain a fixture in 2022. With the feds focused on COVID-19, cybersecurity, and policy turnarounds, you may have thought HIPAA privacy isn’t as important anymore — think again. Four recent resolutions prove that the cornerstone of HIPAA compliance should still be at the top of your to-do list. Details: After a very quiet start to the new year, the HHS Office for Civil Rights (OCR) announced enforcement actions against covered entities (CEs) on four separate HIPAA privacy-related cases on March 28. Of the cases, two fell under OCR’s Right of Access Initiative, which began in 2019, bringing the total number of enforcement actions under that program’s umbrella to 27. The other two violations concerned impermissible disclosure of patients’ protected health information (PHI). All of the cases involved healthcare providers — and interestingly, three of the actions were against dentists specifically — and all of the CEs agreed to some level of civil monetary penalty (CMP) for their violations. Here’s a breakdown of the four cases with compliance tips based on the resolutions: 1. Give patients’ their records when requested — Right of Access part 1. After failing to provide a patient with their medical records, Butler, Pennsylvania-based dentist Donald Brockley received a letter of noncompliance from OCR in August of 2019. His nonresponse led to OCR sending another letter in November 2020 while imposing a hefty $104,000 CMP for the Right of Access violation, the resolution shows. Brockley opted to fight that CMP, and he “requested a hearing before an Administrative Law Judge (ALJ) to contest HHS’s imposition of the CMP and the matter was docketed before the Civil Remedies Division of the Departmental Appeals Board (DAB) of the United States Department of Health and Human Services as Docket No. C-21-761,” according to the resolution. The two parties, HHS and Brockley, came to an agreement over the dispute, and the ALJ granted a stay on the legal proceedings. The dentist paid $30,000 to resolve the case, assented to updating his HIPAA policies and procedures, “including the Privacy Rule’s requirements concerning an individual’s Right of Access to protected health information (PHI), to all members of its workforce, train each workforce member on such policies and procedures, and provide the Complainant with her entire designated record set,” the resolution maintains. Brockley’s agreement mandates that he keep copies of training materials, have employees attest to training, and list the person providing the education. Tip: Train staff on the importance of patients’ rights to their records and ensure they receive what they’ve requested within OCR’s mandated time frame. Not only is it a critical part of HIPAA compliance with the Right of Access provision, but it’s also good business. You can find this guidance at 45 C.F.R. § 164.530(b) of the regulation. 2. Understand that the intersection of politics and HIPAA could spell trouble. You might think a run for state senator in Alabama is fairly straightforward, and it usually is, until you offer up your patients’ PHI for the campaign. In 2017, David Northcutt, DDM, who owns and operates Northcutt Dental-Fairhope, LLC (Northcutt Dental) in Alabama and Florida, gave his campaign manager a list of the names and addresses of 3,657 patients to send campaign letters to, according to the OCR resolution of the case. Additionally, Northcutt Dental in tandem with the campaign utilized a third-party marketing firm to send 1,727 more emails to patients in 2018. In total, the group impermissibly disclosed 5,385 individuals’ PHI to the campaign manager and Solutionreach, the marketing vendor, OCR says. Tip: The resolution points out that a couple of HIPAA Privacy Rule basics might have prevented these violations. First, Northcutt didn’t have a dedicated “privacy official” or compliance officer. “A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices,” reminds OCR guidance. These administrative requirements can be found at 45 C.F.R. § 164.530(a) of the provision. Second, the dental group lacked written HIPAA policies and procedures for both the Privacy and Breach Notification Rules, another administrative standard requirement, OCR indicates in the resolution, referencing 45 C.F.R. §164.530(i). Northcutt Dental agreed to pay $62,500 and enter into a corrective action plan (CAP) with OCR as part of its settlement. 3. Avoid gatekeeping medical records — Right of Access part 2. Jacob and Associates, a California-based psychiatric provider, failed to turn over a patient’s medical records in a timely manner despite repeated requests, OCR says in a release. “The patient mailed letters to the practice requesting the records on July 1 of each year from 2013 to 2018, but never received a response. She finally received the records in 2019 after traveling to the office and paying a fee, but (properly) complained to OCR,” summarizes partner attorney Eric D. Fader with law firm Rivkin Radler LLP in online legal analysis. Jacob and Associates entered into a CAP with OCR and agreed to pay $28,000 to settle potential Right of Access violations under the HIPAA Privacy Rule. Tip: Due to the rather lengthy trials the patient underwent trying to get her records, the psychiatry practice’s CAP includes a plethora of HIPAA requirements and extends six years. One point that OCR makes throughout is the importance of documentation and vigilant reassessment of policies. In a nutshell, report, analyze, and manage your risks. 4. Keep social media responses in check. One healthcare provider learned the hard way that social media interaction with patients may have negative consequences. While responding to a negative Google review, North Carolina dentist U. Phillip Igbinadolor “impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review,” notes an OCR release on the case. Plus, his practice, Dr. U. Phillip Igbinadolor, DMD & Associates, P.A. (UPI), ignored data requests from OCR, “did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination,” the agency says. OCR imposed a $50,000 CMP, which is significantly higher than past social media infractions. Reasons for the big fine may include failing to respond to OCR — and also failing to take down the dentist’s response to the patient from Google reviews. Tip: Though review sites can be a boon to providers, lack of social media policies and procedures can lead to mayhem. “Caution should be exercised” on review platforms, says attorney Joseph J. Lazzarotti with law firm Jackson Lewis P.C., in online legal analysis. “Disclosing a patient’s identity and the patient’s health status in a response to an adverse online review without the patient’s authorization is likely a violation of the HIPAA Privacy Rule.” Lazzorotti adds, “If not careful, and in the absence of a clear policy, casual and informal communications between practice staff and patients could expose the practice to significant risk.” Bottom line: “Between the rising pace of breaches of unsecured protected health information and continued cybersecurity threats impacting the healthcare industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” says OCR Director Lisa J. Pino in a release. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.” Resources: Review the four cases with links to resolutions at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/march-2022-hipaa-enforcement/index.html and peruse OCR resources for providers at www.hhs.gov/hipaa/for-professionals/index.html.