HIPAA: Latest Right of Access Enforcement Actions Focus on Dental Practices

In September 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three Health Insurance Portability and Accountability Act (HIPAA) enforcement actions related to patients’ rights to access their medical records. The actions stemmed from complaints that the entities failed to provide patients with their medical records in a timely manner in the form and format of their choice, and for a reasonable cost.

Most Recent OCR Enforcement Actions

In this latest round of announcements, all three enforcement actions involved dental practices. One dental practice in Chicago provided only portions of a patient’s records, resulting in a $30,000 settlement and extensive corrective action plan. Another dental practice in Georgia would not provide the records until the patient paid a $170 copying fee, resulting in an $80,000 settlement and extensive corrective action plan.

In the third enforcement action, OCR’s investigation determined that a dental practice in Las Vegas received an email from a patient on April 11, 2020 requesting records of the patient and her minor child. The practice responded on April 14, 2020 that they were closed and offered to email the records if the mother could confirm the correct email address. The mother confirmed her email address on May 4, 2020. However, after multiple follow up requests from the mother, the practice then required the mother to submit a written request with her handwritten signature before it would provide the records. The mother submitted the written request on December 4, 2020 and the practice provided the records on December 31, 2020. OCR determined that the practice’s failure to provide the records in a timely manner was a potential violation of HIPAA. To resolve the potential violation, the practice agreed to pay $25,000 and implement a corrective action plan.

Questions to Consider

This enforcement action raises a number of issues that health care providers face on a daily basis regarding how to treat requests from patients for records, particularly those received by email.

  • Can a patient request records by email?
  • Can a parent request records of a minor child?
  • Can an entity ask to email the records to a patient if the patient requested the records to be sent by mail?
  • Can an entity require a patient to confirm an email address before sending records?
  • When does the timeframe for responding to a patient’s request begin?
  • Can an entity require a patient to submit a written request with a handwritten signature?

It is essential that entities analyze these and other questions when drafting release of information policies and procedures and when training staff. OCR has been clear that it is using the Right of Access Initiative to send a message to providers and to underscore the importance and necessity of HIPAA compliance. With forty-one total enforcement actions and a total settlement or penalty amount exceeding $2.8 million since 2019, the enforcement work of OCR through the Initiative remains strong.

For additional information or for questions about your entity’s own compliance with HIPAA, please contact Young Moore healthcare attorney, David Senter.

Related links:

About the Author

David is a shareholder at Young Moore and a member of the firm’s healthcare industry group. He educates and advises clients in matters pertaining to healthcare privacy and data security, breach notification and reporting requirements, and Health Insurance Portability and Accountability Act (HIPAA) compliance. David currently serves as the Interim Associate Compliance Officer and Director of Privacy of an Academic Medical Center in North Carolina. He is a graduate of Wake Forest University and Wake Forest University School of Law and is recognized in the 2023 edition of Best Lawyers: Ones to Watch in America. Read more


Electronic mail or other oral or written communication to Young Moore and Henderson P.A. in connection with a matter for which we do not already represent you may not be treated as privileged or confidential. Communications are not privileged until the client and lawyer have agreed on legal representation. Please do not send confidential information to us via e-mail or in any other manner without first communicating directly with us about the attorney-client relationship. The transmission of an e-mail request for information does not create an attorney-client relationship. Your initial email should only contain a list of the parties interested in the matter so that we can make sure we have no conflicts before you convey any information about your case.

Accept Decline