HIPAA: Latest Right of Access Enforcement Actions Focus on Dental Practices
In September 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three Health Insurance Portability and Accountability Act (HIPAA) enforcement actions related to patients’ rights to access their medical records. The actions stemmed from complaints that the entities failed to provide patients with their medical records in a timely manner in the form and format of their choice, and for a reasonable cost.
Most Recent OCR Enforcement Actions
In this latest round of announcements, all three enforcement actions involved dental practices. One dental practice in Chicago provided only portions of a patient’s records, resulting in a $30,000 settlement and extensive corrective action plan. Another dental practice in Georgia would not provide the records until the patient paid a $170 copying fee, resulting in an $80,000 settlement and extensive corrective action plan.
In the third enforcement action, OCR’s investigation determined that a dental practice in Las Vegas received an email from a patient on April 11, 2020 requesting records of the patient and her minor child. The practice responded on April 14, 2020 that they were closed and offered to email the records if the mother could confirm the correct email address. The mother confirmed her email address on May 4, 2020. However, after multiple follow up requests from the mother, the practice then required the mother to submit a written request with her handwritten signature before it would provide the records. The mother submitted the written request on December 4, 2020 and the practice provided the records on December 31, 2020. OCR determined that the practice’s failure to provide the records in a timely manner was a potential violation of HIPAA. To resolve the potential violation, the practice agreed to pay $25,000 and implement a corrective action plan.
Questions to Consider
This enforcement action raises a number of issues that health care providers face on a daily basis regarding how to treat requests from patients for records, particularly those received by email.
- Can a patient request records by email?
- Can a parent request records of a minor child?
- Can an entity ask to email the records to a patient if the patient requested the records to be sent by mail?
- Can an entity require a patient to confirm an email address before sending records?
- When does the timeframe for responding to a patient’s request begin?
- Can an entity require a patient to submit a written request with a handwritten signature?
It is essential that entities analyze these and other questions when drafting release of information policies and procedures and when training staff. OCR has been clear that it is using the Right of Access Initiative to send a message to providers and to underscore the importance and necessity of HIPAA compliance. With forty-one total enforcement actions and a total settlement or penalty amount exceeding $2.8 million since 2019, the enforcement work of OCR through the Initiative remains strong.
For additional information or for questions about your entity’s own compliance with HIPAA, please contact Young Moore healthcare attorney, David Senter.