

Dentists held accountable in Office for Civil Rights' HIPAA enforcement actions

11 providers pay over $646K in combined settlements, penalties

April 19, 2022

July 26 update: Dentist pays settlement for potential HIPAA violation

A dentist in Maryland is among the latest group of providers to pay either a settlement fee or a civil monetary penalty and agree to take corrective actions for potential violations of the HIPAA Privacy Rule. 

The dentist paid $5,000 for failure to provide timely access to a patient’s medical record. Under the federal HIPAA Privacy Rule, covered entities must act on a patient’s request for access to their medical record within 30 days of receiving the request. However, dental practices in California must follow the stricter state timeline of 15 calendar days to provide patients access to a copy or electronic record and five working days for visual inspection of a record. (Learn more in CDA’s Patient Request to Access Records form and Q&A. Log in to your CDA account to access.)

The 11 enforcement actions announced July 15 by the U.S. Department of Health and Human Services’ Office for Civil Rights bring the total number of enforcement actions to uphold patient rights to access their health information to 38. Besides the dental practice, the OCR investigated a family health center, podiatry group, psychiatric consultants, an ear, nose and throat specialist and others. The dentist’s resolution agreement includes requirements to review and update policies and procedures, to train staff and to make specified reports to OCR.

$5,000 is the lowest settlement paid. One provider paid a $240,000 settlement, and another paid a $100,000 civil penalty fee after the OCR received a second complaint from the patient alleging they still had not been given access to their records.

Earlier this year, three dentists paid over $140,000 in combined HIPAA Privacy Rule settlements or penalties. Continue reading for that story and for additional CDA resources to assist with HIPAA compliance. 

Dentists pay over $140K in combined HIPAA Privacy Rule settlements, penalties

April 19: A solo dental practitioner, two dental practices and a psychiatric medical services provider are the latest health care providers to be held accountable for potential violations of the federal Health Insurance Portability and Accountability Act Privacy Rule.

The U.S. Department of Health and Human Services’ Office for Civil Rights on March 28 announced the resolution of three investigations and one matter before an administrative law judge.

The solo dental practitioner’s case was part of the OCR’s HIPAA Right of Access Initiative and brings the total number of such enforcement actions to 27 since the initiative began in 2019. The enforcement actions against the two dental practices result from impermissible disclosure of their patients’ protected health information.

Dentists pay settlements, penalties and take corrective actions 

The dental practitioner and two dental practices paid a combined $142,500 either in an assessed civil penalty or to settle potential violations of the HIPAA Privacy Rule.

A summary of the settlement actions according to the HHS’s news release:

  • A solo dental practitioner in Alabama failed to provide a patient with a copy of their medical record. After being issued a Notice of Proposed Determination, the dentist requested a hearing before an administrative law judge. The litigation was resolved by a settlement agreement before the court made a determination, and the dentist agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule's right of access standard.
  • A dental practice with offices in North Carolina impermissibly disclosed a patient’s protected health information on a webpage in response to a negative online review. The practice did not respond to the OCR’s data request, did not respond or object to an administrative subpoena and waived its rights to a hearing by not contesting the findings in the OCR’s Notice of Proposed Determination. The OCR imposed a $50,000 civil money penalty.
  • A dental practice in Alabama impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign. The practice agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” OCR Director Lisa J. Pino stated in the news release. 

HIPAA right of access provision: An Office for Civil Rights priority

The OCR created the right of access initiative to support individuals' right to access their health records in a timely way and at a reasonable cost under the HIPAA Privacy Rule. CDA has reported on previous right-of-access enforcements against small health care providers, including two in September 2020.

The federal HIPAA right of access provision requires dental practices and other HIPAA-covered entities to provide to individuals, within 30 days, access to their protected health information when requested ― including the right to inspect or obtain a copy of the information or to direct the entity to transmit a copy of the PHI to a designated person.

But California’s access-to-records laws are even more stringent. Both HIPAA and state law apply when providing patients with access to their health information. California dental practices and other health care providers must allow a patient to view their information within five days and must provide the patient with a requested copy of their records within 15 calendar days (compared to the 30 days required by the federal HIPAA rule).

Courses at CDA Presents will cover HIPAA compliance, patient records management

Two free one-hour courses at CDA Presents The Art and Science of Dentistry in Anaheim in May will cover HIPAA compliance and patient records management.

Teresa Pichay, CDA’s senior regulatory compliance analyst, will review the essential elements of HIPAA compliance, including patient rights, uses and disclosures of information requiring patient authorization, required and addressable safeguards and employee training. She will also explain how to conduct a risk analysis.

“In my course I’ll explain how to manage common dental practice situations to reduce the risk of noncompliance, and you will leave with a checklist to guide your efforts,” Pichay said.

“Ask the Expert: HIPAA Compliance Essentials” will take place at 2 p.m. on Saturday, May 14, at The Spot in Hall D inside the Anaheim Convention Center. The course offers 1 unit of core C.E.

And at 10 a.m. on Friday, May 13, Katie Fornelli, senior practice management analyst at CDA, will present “Managing Patient Records — Who, What, When and How.” 

“I’ll review best practices for managing patient records, and you’ll leave knowing how to navigate the most common patient-records scenarios in your practice,” Fornelli said. The course offers 1 unit of core C.E. and will take place at The Spot in Hall D.

CDA resources assist compliance with HIPAA Privacy Rule, right of access

Several CDA resources will help dentists comply with the HIPAA Privacy Rule, including the right of access provision. CDA members can log in to their accounts to access:

  • Uses and Disclosures of Patient Health Information provides an overview of the types of PHI uses and disclosures that require patient authorization.
  • Patient Request to Access Records Form and Q-and-A. A patient or patient representative may use this customizable records release form to request access to their patient record or to request a copy of the record for another person or entity. Instructions for the dental practice are included, and the Q&A covers “right to access,” when access may be denied, what the practice may allowably charge for access and more.

CDA members can head to CDA’s resource library to access even more resources on privacy and HIPAA.
