Dental HIPAA Case Study | $25k Paid to HHS for Right to Access Violation

The Case

Welcome to a Bite-Size HIPAA® Case Study, where I will break down a real case of a HIPAA enforcement action at a dental office to see what we can learn and apply to your office.

Today, we are going to look at an interesting case study involving a single-doctor dental practice in Las Vegas. This practice found itself on the radar of the Department of Health and Human Services (HHS) in 2021 because of a patient complaint about not receiving prompt access to her chart.

Here’s what happened. On April 11th, 2020, a patient emailed the office asking for access to her and her minor child’s PHI. Three days later, the office replied explaining that the office was closed at the time, but offered to email the requested PHI to her if she confirmed her email address. By May 4th, the patient had confirmed her email but, somehow, the ball was dropped and the information wasn't sent.

After several additional requests, the office then asked her to submit a written request with her signature. The patient complied on December 4th and finally, on December 31st, she received the information.

HHS investigated the complaint and concluded that the dental practice failed to provide timely access to PHI pursuant to section 164.524(b). The result? The practice agreed to a resolution agreement including a $25,000 payment and a commitment to improving their policies, procedures, and staff training on responding to patient access requests.

The HIPAA Law

The right of patients to access their medical records has lately been a hot topic of enforcement. With HHS cracking down on 41 cases related to this very issue, it's clear they mean business. Let’s review the requirements to make sure your practice doesn’t find itself in the crosshairs.

Under section 164.524, patients have a broad right to access the data that providers have about them, except in a few specific circumstances. These exceptions include personal notes from mental health sessions, information compiled for legal defense, data from clinical trials, and instances where sharing the information could cause harm. Outside of these exceptions, practices must provide the data that the patient requested in a prompt and timely manner.

Access must be provided within 30 days of receiving the request, unless that is not feasible. In that case, an extension of 30 days is available if the patient is notified. Practices may charge a reasonable fee for producing the data, but it must be directly connected to the actual cost of responding to the request.

Practices may require individuals to make requests for access in writing, but only if they inform individuals of this requirement beforehand. Practices are allowed to require individuals to provide proof of their identity before granting access to their PHI. Finally, the law also provides the detailed steps to take if denying a request.

Case Analysis

So, what went wrong in this case?

When the request came in on April 11th, there wasn’t any apparent reason to deny access. It was a good idea to request the patient confirm their email address for security purposes, but after that email was sent, the practice was on the clock to respond. They had 30 days to comply, a window that they not only missed, but missed without notifying the patient of a reason for the delay.

We don’t know when they asked for a signed written request, but it seems likely that it was already past the 30-day window. This requirement would have been permissible if the practice had informed her when she first made the request, not after already responding to her email and agreeing to send the data.

In the end, it took over 8 months to provide this patient access to her data, which was clearly unacceptable to HHS. I want to give the practice the benefit of the doubt here; I am sure there was no malice intended and the requests just fell through the cracks in a busy, small practice. But if they had adequate procedures in place for handling access requests and thorough training on those procedures, they could have saved themselves $25,000 and more than a few headaches.

Protecting Your Practice Using Bite-Size HIPAA®

We address this topic in much more detail in Bite-Size HIPAA®, including a comprehensive procedure that will help your staff ensure they are fully complying with the law when handling PHI Disclosure Requests. If you haven’t made HIPAA a priority yet, start today. Join our online HIPAA community for dentists at bitesizehipaa.com. Explore and learn for 60 days, on us! Please watch every training course (we call them Bites) and explore the tools we’ve created to help ease HIPAA implementation and compliance. There is no risk. Give us a little bit of your time and we’ll teach you about the HIPAA law, why it exists and how, if done right, you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.

Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.
