Fines

HIPAA Fines in Dentistry
Abyde News, Fines, HIPAA

The Bite of HIPAA:  True Stories of Dental HIPAA Fines

July 15, 2025 No comments yet

July 15, 2025 Running your dental practice comes with its unique set of challenges. You’re wearing multiple hats, and it’s a stressful fashion statement. While OSHA is always on your radar, just from the nature of dentistry, forgetting about HIPAA can be costly.  While you think your practice would never be in the hot seat, small dental practices, you’d be mistaken.  See how to avoid these common pitfalls in your dental practice, allowing you to continue running it effectively.    Time is of the Essence: Right of Access Under the HIPAA Privacy Rule, HIPAA not only defines how Protected Health Information (PHI) needs to be secured but also how it needs to be shared with authorized parties. Right of Access is a part of this rule. This rule requires healthcare providers to deliver requested patient records within 30 days of the patient’s request.  Gums Dental Care, a small Maryland dental practice, was fined for violating this HIPAA requirement. The patient initially requested their records in April 2019. The practice did not provide records until May 2022.  The patient alerted the Office for Civil Rights, which started a long, overwhelming journey for Gums Dental. The OCR intervened countless times, requiring the practice to provide the patient with their records.  The dental practice continued to refuse to provide the patient with records, leading to more legal battles, money, and time wasted.  The grand finale? Over three years from the date of the first request, and countless interventions from the OCR, the practice was fined $70,000.   Less is More As the saying goes, “If you can’t say anything nice, don’t say anything at all.” This rule applies to all forms of communication and also works to avoid HIPAA violations.  While social media brings people together, you must tread a fine line when handling PHI and posting online. One part of this is responding to patient reviews.  You cannot confirm or deny that a patient attended your practice, even if the patient is talking positively about their experience there. If you’d like to use someone’s story for marketing materials, like a before-and-after photo of their smile, ensure they sign a consent form.  If someone leaves a negative review, you cannot defend your practice by sharing information about the patient. For example, if a patient consistently posts bad reviews but fails to mention that they are always late, you should not call them out publicly online. Instead, address the issue privately and communicate with them securely. Dentists have been fined for social media violations. Dr. U. Phillip Igbinadolor, a dentist in North Carolina, lost his temper after a patient left a negative review on the practice’s Google page. After the dentist posted PHI in response, ridiculing the patient, the patient reported him to the OCR.  As a result, the OCR fined the practice $50,000, showing that the price of failing to simply “keep your words to yourself” can be extraordinarily steep.   Coming Clean is Key With cybercrimes in healthcare skyrocketing and large data breaches due to ransomware attacks increasing by 264%, having the proper safeguards in place is crucial.  While no practice can be completely immune from a breach, the right barriers in place can mitigate risk and minimize impact. However, if your practice is breached, you must notify the OCR and patients quickly.  Under the HIPAA Breach Notification Rule, patients must always be notified within 60 days, regardless of the size of the breach. If the breach affects fewer than 500, your practice must inform the OCR within 60 days after the calendar year in which the event occurred. If a breach affects more than 500, the OCR, and depending on the state, the Attorney General, must be notified within 60 days as well.  The Indiana Attorney General recently fined Westend Dental, a multi-location dental practice in Indiana, for its response to a ransomware attack.  While the breach occurred in October 2020, the practice did not alert the required parties until October 2022, two years after the initial attack. The Attorney General began investigating this attack after a patient complaint, and it was then discovered that the practice attempted to cover up a ransomware attack.  The investigation discovered that, in addition to violating the HIPAA Breach Notification Rule, Westend Dental had improper training, unprotected servers, no Security Risk Analysis (SRA), missing policies, and more.  The outcome? A $350,000 fine from the Attorney General, highlighting the importance of proactive compliance and properly notifying affected parties after a healthcare breach.    How to Protect Your Dental Practice While compliance for your dental practice might feel overwhelming, the right solutions can streamline your compliance program.  Smart software solutions can pinpoint vulnerabilities and provide actionable insights to avoid common pitfalls dental practices face. The right compliance software can also provide a comprehensive hub for everything HIPAA-related for your practice, including right of Access training, social media guidelines, and the SRA.  Meet with a compliance expert today to learn more about streamlining compliance for your dental practice. 

Deer Oaks HIPAA Fine
Abyde News, Fines, HIPAA

Double Trouble, Major Fine: How Two Breaches Cost Deer Oaks $225,000

July 9, 2025 No comments yet

July 9, 2025   Handling a HIPAA investigation is stressful enough. Add a ransomware attack in the mix? A HIPAA nightmare.  The Office for Civil Rights (OCR) announced its first fine under the latest Director, Paula M. Stannard—a behavioral health organization fined $225,000 and placed under a two-year Corrective Action Plan (CAP).  This fine culminated several violations, but at its core, it was the lack of a Security Risk Analysis (SRA). This latest enforcement highlights the OCR’s ongoing heightened enforcement and the importance of a thorough, proactive compliance program before issues occur.    What Happened?  The behavioral health provider, Deer Oaks, a Texas-based Covered Entity, was first investigated in May 2023 following a patient complaint.  It was discovered that following a pilot program for an online patient portal wasn’t properly coded, publicly disclosing 35 patients’ Protected Health Information (PHI). This PHI included sensitive discharge paperwork and medical assessments that were easily accessible online. Unfortunately, this was only the beginning of the investigation for Deer Oaks. The OCR expanded its investigation when the behavioral health provider faced a ransomware attack in August 2023.  A malicious actor used a compromised account and held over 170,000 patients’ information for ransom. While there is no confirmation if the provider paid the ransom, improper account security led to this massive breach.  With two major HIPAA breaches within three months, the OCR didn’t have to dig deep to find the common thread: the missing SRA. The SRA is a thorough assessment of potential vulnerabilities a practice might face. In this situation, an SRA could have identified the employee portal or account password management as a concern. This would allow the practice to address these issues proactively.  From the initial investigation triggered by a patient complaint in May 2023 to the ransomware breach in August, the OCR fined the practice nearly a quarter of a million dollars and mandated two years of government oversight. These costly few months served as a valuable lesson in proactive compliance.   Protecting Your Practice A lapse in compliance, no matter how short, can lead to serious consequences. That’s why proactive compliance is essential.  Need a wake-up call? Over $7 million in fines have been levied since the beginning of 2025. The OCR has heightened its enforcement, already eclipsing the number of penalties from last year.  As the OCR continues enforcing HIPAA legislation, a robust compliance program is vital for your practice’s success.  With the right solution, your practice can streamline HIPAA compliance and easily complete requirements, like the SRA, without disrupting your practice’s workflow.  Meet with a compliance expert today to learn more about streamlining HIPAA compliance for your practice. 

Small Practice HIPAA Fines
Abyde News, Fines, HIPAA

Small Practices, Big Fines: Understanding HIPAA Penalties

July 7, 2025 No comments yet

July 7, 2025   Did you know that over half of physicians work in small medical practices with 10 or fewer physicians?  You likely wear many hats when working in or even running your small practice, from taking care of patients to clerical work, and of course, HIPAA compliance.  Although other priorities may push HIPAA compliance to the side, being compliant is essential for the success of your practice.  It’s a common misconception that since a practice is small, the Office for Civil Rights (OCR) will not investigate it if an issue occurs.  The OCR has fined several small practices recently, with ramped-up enforcement, nearing $10 million within the year’s first half.  Here are some of the most recent fines imposed on small medical practices and how your practice can avoid them.   The SRA Superpower Comprehensive Neurology, PC, a small neurology practice in New York, was recently fined $25,000 after a ransomware attack exposed the practice’s insufficient protections for securing Protected Health Information (PHI). Specifically, the practice did not have a Security Risk Analysis (SRA).  The SRA is an annual assessment of your practice’s administrative, technical, and physical safeguards, reviewing potential vulnerabilities. When handled properly, the SRA allows you to mitigate risks before a situation occurs.  While commonly missed, the SRA is the foundation of a successful practice. To combat this, the OCR has recently enacted the Risk Analysis Initiative, which has brought increased scrutiny and led to nearly a million dollars in fines since its implementation late last year. Completing an SRA is paramount to protect your small medical practice from similar initiatives. The SRA is a crucial protective barrier, proactively preventing issues before they escalate into significant problems. For instance, if the practice completed an SRA, they could have seen any technological shortcomings that led to the severity of the ransomware attack.    Alert the Press!  Vision Upright MRI, a small California healthcare provider focused on medical imaging, was fined $5,000 in May.  In addition to missing an SRA following a breach, the small practice from California did not adequately inform patients. As part of the Breach Notification Rule, relevant parties, like impacted patients, the OCR, and, depending on the size of the breach, the media, and more, must all be notified following a breach. Patients can decide how to secure their information by being informed, and the practice should pay for credit monitoring.  With over 21,000 patients’ PHI compromised, the practice needed to notify several parties quickly. Regardless of the breach’s size, a practice must inform all affected patients within 60 days of discovery. However, given that this breach affected over 500 patients, the OCR, media, and some states (like California), the state attorney general also required notification within that time frame. Once you have mitigated the situation and understood the full scope, it’s time to alert all necessary parties. If the breach impacts fewer than 500 patients, while patients still need to be notified within 60 days, the practice must notify the OCR within 60 days of the calendar year in which it occurred.    Deliver Records Swiftly  Gums Dental Care LLC, a small dental practice in Maryland, was fined $70,000 after refusing to provide a patient’s medical records.  Under the HIPAA Privacy Rule, patients must receive their medical records within 30 days of request. This requirement, known as the Right of Access, is one of the most common violations.  In this situation, Gums Dental Care provided records three years after the initial request. To avoid similar penalties, ensure all staff are trained efficiently to provide patient records. Quickly addressing patient requests prioritizes their needs, secures your practice, and builds patient trust.   Simplifying Compliance for Your Small Practice While following the complexities of HIPAA might feel overwhelming, with the right solution, it doesn’t have to be.  Intelligent software can streamline compliance for your practice, alleviating the responsibility and freeing time to spend with patients.  Smart solutions also encompass HIPAA’s requirements, including the SRA, breach logs, and staff training.  Schedule a consultation today to learn more about simplifying compliance for your small practice. 

2023 OSHA Fines Increase
Fines, Legislation, OSHA

Inflation Strikes on Eggs and OSHA Fines

January 13, 2023 Comments Off on Inflation Strikes on Eggs and OSHA Fines

January 13, 2023 To keep up with inflation and the ever-changing cost-of-living adjustments, the U.S. Department of Labor announced changes to Occupational Safety and Health Administration (OSHA) civil penalty amounts today. As part of a Congressional act passed in 1990, the Federal Civil Penalties Inflation Adjustment Act, and amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, the Department completes an annual review by January 15th to evaluate and adjust civil money penalty levels against inflation.  We can expect the new penalty amounts, shown below, to take effect on January 17, 2023. Currently, penalties for serious and other-than-serious violations are $14,502 per violation. With the recent update, we are seeing over a $1,000 increase to $15,625. Repeated violations aren’t getting a break either with an increase to $156,259 per violation from the previous $145,027.  Type of Violation Penalty SeriousOther-Than-SeriousPosting Requirements $15,625 per violation Failure to Abate $15,625 per day beyond the abatement date Willful or Repeated $156,259 per violation  Curious about state-specific updates? Per the U.S. Department of Labor, states that operate their own OSHA Plans are required to adopt maximum penalty levels that are at least as effective as Federal OSHA’s. State Plans are not required to impose monetary penalties on state and local government employers.  This new rule goes into effect on January 15, 2023. It will apply to any penalties assessed after January 15, 2023.  Before you go egging the next OSHA enforcement officer you come in contact with, remember that these annual updates are in place to remind you of the importance of maintaining a safe and healthful work environment.

Are you ready for an audit? Use our new HIPAA Audit Checklist to get prepared.

DOWNLOAD NOW
X