A dentist in Maryland is among the latest group of providers to pay either a settlement fee or a civil monetary penalty and agree to take corrective actions for potential violations of the HIPAA Privacy Rule.
The dentist paid $5,000 for failure to provide timely access to a patient’s medical record. Under the federal HIPAA Privacy Rule, covered entities must act on a patient’s request for access to their medical record within 30 days of receiving the request. However, dental practices in California must follow the stricter state timeline of 15 calendar days to provide patients access to a copy or electronic record and five working days for visual inspection of a record. (Learn more in CDA’s Patient Request to Access Records form and Q&A. Log in to your CDA account to access.)
The 11 enforcement actions announced July 15 by the U.S. Department of Health and Human Services’ Office for Civil Rights bring the total number of enforcement actions to uphold patient rights to access their health information to 38. Besides the dental practice, the OCR investigated a family health center, podiatry group, psychiatric consultants, an ear, nose and throat specialist and others. The dentist’s resolution agreement includes requirements to review and update policies and procedures, to train staff and to make specified reports to OCR.
$5,000 is the lowest settlement paid. One provider paid a $240,000 settlement, and another paid a $100,000 civil penalty fee after the OCR received a second complaint from the patient alleging they still had not been given access to their records.
Earlier this year, three dentists paid over $140,000 in combined HIPAA Privacy Rule settlements or penalties. Continue reading for that story and for additional CDA resources to assist with HIPAA compliance.
April 19: A solo dental practitioner, two dental practices and a psychiatric medical services provider are the latest health care providers to be held accountable for potential violations of the federal Health Insurance Portability and Accountability Act Privacy Rule.
The U.S. Department of Health and Human Services’ Office for Civil Rights on March 28 announced the resolution of three investigations and one matter before an administrative law judge.
The solo dental practitioner’s case was part of the OCR’s HIPAA Right of Access Initiative, which brings the total number of such enforcement actions to 27 since the initiative began in 2019. The enforcement actions against the two dental practices result from impermissible disclosure of their patients’ protected health information.
The dental practitioner and two dental practices paid a combined $142,500 either in an assessed civil penalty or to settle potential violations of the HIPAA Privacy Rule.
A summary of the settlement actions according to the HHS’s news release:
“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” OCR Director Lisa J. Pino stated in the news release.
The OCR created the right of access initiative to support individuals' right to access their health records in a timely way and at a reasonable cost under the HIPAA Privacy Rule. CDA has reported on previous right-of-access enforcements against small health care providers, including two in September 2020.
The federal HIPAA right of access provision requires dental practices and other HIPAA-covered entities to provide to individuals, within 30 days, access to their protected health information when requested ― including the right to inspect or obtain a copy of the information or to direct the entity to transmit a copy of the PHI to a designated person.
But California’s access-to-records laws are even more stringent. Both HIPAA and state law apply when providing patients with access to their health information. California dental practices and other health care providers must allow a patient to view their information within five days and must provide the patient with a requested copy of their records within 15 calendar days (compared to the 30 days required by the federal HIPAA rule).
Two free one-hour courses at CDA Presents The Art and Science of Dentistry in Anaheim in May will cover HIPAA compliance and patient records management.
Teresa Pichay, CDA’s senior regulatory compliance analyst, will review the essential elements of HIPAA compliance, including patient rights, uses and disclosures of information requiring patient authorization, required and addressable safeguards and employee training. She will also explain how to conduct a risk analysis.
“In my course I’ll explain how to manage common dental practice situations to reduce the risk of noncompliance, and you will leave with a checklist to guide your efforts,” Pichay said.
“Ask the Expert: HIPAA Compliance Essentials” will take place at 2 p.m. on Saturday, May 14, at The Spot in Hall D inside the Anaheim Convention Center. The course offers 1 unit of core C.E.
And at 10 a.m. on Friday, May 13, Katie Fornelli, senior practice management analyst at CDA, will present “Managing Patient Records — Who, What, When and How.”
“I’ll review best practices for managing patient records, and you’ll leave knowing how to navigate the most common patient-records scenarios in your practice,” Fornelli said. The course offers 1 unit of core C.E. and will take place at The Spot in Hall D.
Several CDA resources will help dentists comply with the HIPAA Privacy Rule, including the right of access provision. CDA members can log in to their accounts to access:
CDA members can head to CDA’s resource library to access even more resources on privacy and HIPAA.
Already a CDA Member?
to keep exploring our resource library.
Learn more about CDA Member Benefits.
Go back to the previous page.