Dental Practices are Targets of HIPAA Penalties
Dental practices take notice: the HIPAA enforcers are serious about HIPAA compliance, including adhering to HIPAA’s “right of access” requirement. Under HIPAA, individuals are entitled to “access” their health records maintained by a provider in a “designated record set.” The designated record set is essentially the patient’s health records and billing records maintained by a health care provider that is subject to HIPAA. The right of access includes the right to receive copies of health and billing records and the right to view such records maintained by the provider, upon request. Providers who withhold
such records when requested by the patient or do not provide timely access to such records within the timeframes required under HIPAA may be subject to hefty sanctions.
On September 20, 2022, the Department of Health & Human Services, Office for Civil Rights (OCR), the HIPAA enforcement agency, announced the settlement of three cases against dental practices for alleged violations of the right of access rule. The first settlement involved allegations that, although the dental practice provided portions of the patient’s record when the patient requested her entire record, the practice did not provide a complete copy of the patient’s record until more than five months after the request was made. Under this settlement, the dental practice agreed to pay a fine of $30,000 and implement a corrective action plan. The second settlement involved allegations that the dental practice did not provide the patient with a copy of her record for more than a year after the request was made, and that the practice withheld the record because the patient would not pay a $170 copying fee. The dental practice agreed to pay a fine of $80,000 and implement a corrective action plan. The third settlement involved allegations that the dental practice withheld a minor patient’s record for more than eight months after the patient’s mother requested the record. Under the settlement with the OCR, the practice agreed to pay a fine of $25,000 and implement a corrective action plan.
The OCR has now announced 23 settlements of investigations involving alleged violations of HIPAA’s right of access rule since the OCR began its “right of access initiative” in 2019. The HIPAA enforcers have made clear that patients have the right to receive timely access to their records at a reasonable cost in compliance with HIPAA.
If you need assistance with your HIPAA compliance program, an OCR investigation, or a data breach incident, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | email@example.com