HIPAA enforcement actions in the past year have continued to focus on the patient right to access initiative and large scale data breaches. While most of the recent enforcement actions focused on the patient right to access initiative, two noteworthy settlements stemmed from covered entities disclosing protected health information in response to negative online reviews.

Over the past year, the types, sizes, and locations of the investigated entities varied, and resulted in settlements ranging from $3,500 – $240,000. Department of Health and Human Services Office for Civil Rights (“OCR”) seemed to consistently impose comparatively higher settlements amounts for violations that resulted in large scale data breaches.

Negative Online Reviews

On June 5, 2023, OCR issued a press release regarding a recent enforcement action in which Manasa Health, a psychiatric center, disclosed protected health information (“PHI”) in response to negative Google reviews. Following OCR’s investigation into this incident, Manasa and OCR reached a settlement of $30,000.

This was the second instance of an OCR settlement resulting from an entity disclosing PHI while combating negative online reviews. Six months earlier, on December 14, 2022, OCR issued a press release regarding their settlement with New Vision Dental, who had been disclosing PHI in response to negative Yelp reviews. The settlement was $23,000. These settlements reflect OCR’s commitment to enforcing patient privacy, and in particular, online privacy.

Patient Right of Access Initiative Continues

OCR has continued to focus on its well-known patient right of access initiative and has announced 17 enforcement actions over the past year. To date, OCR has handed down 44 enforcement actions related to the patient right of access since the initiative began. The most recent patient right of access enforcements have ranged from $3,500 – $240,000 in fines. While most investigations resulted from a patient requesting their own PHI, covered entities came under scrutiny when they did not provide PHI to an individual requesting PHI behalf of their minor child, as well as when an individual requested records on behalf of their spouse. Other complaints included a representative of an estate requesting medical records and a legal personal representative requesting records on behalf of her mother.

The types, sizes, and locations of the entities targeted by this initiative range greatly. Covered entities subject to enforcement actions have included: physician practices, podiatry practices, otolaryngology practices, psychiatric practices, and dental practices. All of the settlements included corrective action plans, which mandated updated HIPAA policies, workforce member training, and OCR monitoring for a specified period of time.

Large Scale Breaches

While the patient right to access enforcements were the most frequent type of investigation leading to enforcement penalties, these actions made up a relatively small amount of the overall settlement value over the past year.

The largest settlement this year, which was announced on February 2, 2023, was related to a breach in which a threat actor gained access to 2.81 million individuals’ information that was held on a large hospital system’s servers. This organization paid $1.25 million dollars in the settlement.

While the right to access continues to be OCR’s apparent focus, large settlements related to data breaches show that security of PHI is taken seriously and continues to be an important OCR initiative.

Reed Smith will continue to track trends in OCR enforcement actions. Should you have any questions related to OCR enforcement please do not hesitate to reach out to the health care attorneys at Reed Smith.

This post was co-authored by Meghan A. Healey, a Reed Smith summer associate.