
Dental HIPAA Case Study: $63K Paid to HHS For Misuse of PHI

The Case

Welcome to a Bite-Size HIPAA® Case Study, where I will break down a real case of a HIPAA enforcement action at a dental office to see what we can learn and apply in your office.

Today’s case takes us to Alabama, where a dental practice got into serious trouble with the Office for Civil Rights (OCR) for misusing patient information during a political campaign. This case highlights what happens when patient data is used for personal or business reasons that have nothing to do with healthcare.

In 2017, the owner of a dental practice decided to run for state senate. As part of his campaign, the dentist gave his campaign manager an Excel spreadsheet containing the names and addresses of over 3,600 patients. The campaign manager sent mailers to these patients announcing the dentist’s run for office. In 2018, the practice sent an email blast to over 5,000 patients, this time with the help of a third-party marketing company, to promote the campaign. The emails appeared to come directly from the dental practice, blurring the line between campaign activity and healthcare communication.

When OCR investigated, they found that the practice not only disclosed patient information improperly but also failed to have basic HIPAA safeguards in place. For example, the practice didn’t even designate a privacy officer until after the violations occurred. They also lacked policies and procedures to comply with the Privacy and Breach Notification Rules. OCR determined that the practice had violated the HIPAA Privacy Rule by impermissibly using patient data for campaign purposes. To settle the case, the practice agreed to pay $62,500 and implement a two-year corrective action plan. This plan requires the practice to adopt comprehensive policies and procedures, train its workforce on HIPAA compliance, and submit annual compliance reports to OCR.

The HIPAA Law

The most basic rule for disclosures of protected health information, or PHI, is a simple one. You can’t use or disclose PHI without patient authorization unless the use or disclosure is specifically permitted by law. So that means you either need to get written patient authorization every time you use PHI, or the use must fall under a permitted disclosure exception such as using PHI for treatment and payment purposes. It’s important to remember that even if a patient willingly shares their information publicly, like leaving a review or signing up for an email list, you, as a covered entity, can’t assume permission to use their information for any other purpose.

Case Analysis

So, what went wrong here? The main issue is that the practice used patient information for a purpose completely unrelated to healthcare: the owner’s political campaign. HIPAA is clear: PHI cannot be used for personal reasons, even if the intention seems harmless or well-meaning. Sharing names, addresses, or email addresses without explicit written authorization, and for purposes not explicitly permitted under the law, is a big violation. This wasn’t just a misunderstanding; it was a misuse of patient trust. PHI is shared with healthcare providers for the purpose of care, and patients expect it to remain confidential and used only to support their healthcare. Using that information for personal purposes, like promoting a campaign, launching a side business, or even organizing a fundraiser, crosses the line.

I realize that a doctor running for a senate seat is a fringe example. However, the temptation to use a database of familiar patients or customers for other entrepreneurial pursuits is not.

For example, if you’re opening a med-spa and decide to send promotional emails to your patient list, or if you share patient contact information to help a friend promote their restaurant, both would be clear violations of HIPAA. Even something seemingly positive, like inviting patients to a school fundraiser, raising funds for the youth sports organization you volunteer for, or even a community dental event, could violate the law if you don’t have their explicit authorization.

The takeaway here is simple: PHI is not your resource to use freely, no matter how well-intentioned the purpose. Always ask yourself: does this use of PHI directly support treatment, payment, or healthcare operations, or is it specifically permitted under HIPAA? If not, written authorization from the patient is required.

Protecting Your Practice Using Bite-Size HIPAA®

We address this topic in much more detail in Bite-Size HIPAA®, including comprehensive procedures and training that will help your staff ensure they are fully complying with the law when disclosing PHI.

If you haven’t made HIPAA a priority yet, start today. Join our online HIPAA community for dentists at bitesizehipaa.com. Explore and learn for 60 days, on us! Please watch every training course (we call them Bites) and explore the tools we’ve created to help ease HIPAA implementation and compliance. There is no risk. Give us a little bit of your time and we’ll teach you about the HIPAA Law, why it exists, and how, if done right, you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.


Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.
