Report on Patient Privacy 22, no. 4 (April, 2022)

By many measures, David Northcutt’s unsuccessful 2018 bid for the Alabama senate was a costly one. Northcutt, a dentist, loaned his campaign $73,000 throughout the previous year, part of a war chest that eventually reached more than $301,000. He came in second during the Republican primary but lost to Chris Elliott in a runoff in July 2018. Elliott won the general election and is now running for his second four-year term—unopposed.

Local media branded the campaign “vicious” due to barbs Northcutt and Elliott slung at each other—Northcutt highlighted a drunk-driving arrest of Elliott’s while he focused on a rebuke the dentist received for practicing with an expired license.^[1]

But, years after the election, Northcutt’s finances have taken another hit. Twice during the campaign Northcutt’s election manager and a vendor contacted more than 5,000 patients “to announce Dr. Northcutt’s run for state senate,” in the words of the federal government.^[2] Without admitting wrongdoing, Northcutt agreed to pay $62,500 and implement an extensive two-year corrective action plan (CAP) to settle allegations the mailings, which used protected health information (PHI) without patient authorization for nonallowable purposes, violated HIPAA. Through his attorney Richard Davis, Northcutt declined to speak to RPP about the settlement.

As unique as Northcutt’s settlement is, based on the political use of PHI, it is also rare for the Office for Civil Rights (OCR) to pursue violations by a dentist—yet Northcutt was one of three featured in four new enforcement actions OCR Director Lisa Pino announced simultaneously late last month. The nondental provider in a new settlement with OCR is Said Jacob, MD, a California psychiatrist.^[3]

The quartet represents the first enforcement actions OCR announced so far this year, but three of the cases were finalized in 2021. Northcutt’s agreement was signed in March, bringing an end to a saga that began in the summer of 2017, according to OCR.

As the agency said in the settlement agreement, Northcutt, owner of Northcutt Dental-Fairhope LLC, launched a run for state senate and “engaged a campaign manager for assistance in this endeavor.” On approximately July 10 of that year, Northcutt gave his campaign manager an Excel spreadsheet with the names and addresses of 3,657 of Northcutt’s dental patients. The manager sent letters on campaign letterhead addressed “Dear Valued Patient,” but the purpose wasn’t about their dental care; it was to announce his campaign.

Nearly a year later, the campaign dipped into patient PHI again.

“On April 30, 2018, Northcutt Dental sent an email communication to its patients regarding Dr. Northcutt’s campaign,” OCR said. “The email header showed the email as coming from ‘Northcutt Dental’ and the email message was signed ‘Sincerely, Northcutt Dental.’”

These emails were sent by a third-party marketing company. Some of the same patients were emailed who had received letters. All told, 5,385 individuals got the emails or letters. Both instances constituted impermissible uses and disclosures, prohibited under 45 C.F.R. § 164.502(a).

OCR investigators discovered two other issues—the practice didn’t have the required privacy official until Nov. 14, 2017, nor did it “implement policies and procedures to comply with the requirements of the Privacy and Breach Notification Rules until January 1, 2018.”

Fellow Dentist Highlighted Email Use

The settlement documents don’t specify who submitted a complaint or when. But another Alabama dentist who opposed Northcutt’s bid for elective office raised the issue in his own letter to some dentists, which was covered by Gulf Coast Media.^[4] A news article published on May 26, 2018, quoted from a letter by Dugald McMillan III, a dentist in Huntsville, Alabama, who drew attention to the emails patients received from Northcutt.

“I think using personal data for reasons other than health matters” is in direct violation of HIPAA rules, McMillan said in the letter, according to Gulf Coast Media. “Information Dr. Northcutt has collected over the years in his dental practice should not be used for personal gains. ‘Northcutt Dental’ is an entirely different entity than ‘Northcutt for the Senate.’ I doubt anyone realized their emails would be used for solicitations by Dr. Northcutt or anyone else in his campaign.”

McMillan wrote that a formal complaint had been filed to OCR and that “a case number has been assigned and I’m waiting on a ruling. At best, Dr. Northcutt has used poor judgment. At worst, he’s committed a huge violation and could face large fines,” McMillan’s letter said.

RPP left several messages with McMillan’s practice to update him on Northcutt’s $62,500 settlement, but he did not respond.

In agreeing to the settlement, Northcutt did not admit to wrongdoing. Although the complaint deals with specific impermissible disclosures, the CAP requires Northcutt to review and revise all policies and procedures related to the privacy, security and breach notification rules.

OCR spelled out the following areas to be addressed:

Privacy Rule Provisions:

• Uses and disclosures of PHI - 45 C.F.R. § 164.502(a).

• Minimum necessary - 45 C.F.R. § 164.502(b).

• Disclosures to business associates - 45 C.F.R. § 164.502(e)(1).

• Training - 45 C.F.R. § 164.530(b)(1).

• Safeguards - 45 C.F.R. § 164.530(c)(1).

• Changes to policies and procedures - 45 C.F.R. § 164.530(i)(2).

Security Rule Provisions:

• Administrative safeguards, including all required and addressable implementation specifications - 45 C.F.R. § 164.308(a)-(b).

• Physical safeguards, including all required and addressable implementation specifications - 45 C.F.R. § 164.310.

• Technical safeguards, including all required and addressable implementation specifications - 45 C.F.R. § 164.312.

Breach Notification Rule Provisions:

• Notification to individuals, including all required and addressable implementation specifications - 45 C.F.R. § 164.404.

• Notification to the media, including all required and addressable implementation specifications - 45 C.F.R. § 164.406.

• Notification to the secretary of HHS, including all required and addressable implementation specifications - 45 C.F.R. § 164.408.

Negative Review Drew Insults

The case involving U. Phillip Igbinadolor, D.M.D., & Associates PA (UPI), with offices in Charlotte and Monroe, North Carolina, began more than seven years ago.^[5] In 2013 and 2014, an unidentified male patient saw Igbinadolor and “on or about” Sept. 28, 2015, posted a negative review of the practice on its “Google page using a pseudonym, so as not to reveal his real name,” according to the settlement documents. This prompted a retort apparently penned by Igbinadolor, which used the man’s name, questioned his “level of intelligence” and accused him of “hallucinating”—among other insults.

Igbinadolor’s reply to the review said, in part, that the patient was referred elsewhere for a root canal and “never came back for his scheduled appointment Does he deserve any rating as a patient? Not even one star. I never performed any procedure on this disgruntled patient other than oral examinations. From the foregoing, it’s obvious that [Complainant’s full name] level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule. Making derogatory statements will not enhance your reputation in this era [Complainant’s full name]. Get a life.”

The patient filed a complaint to OCR a month and a half later, and in July of the following year (2016), the agency notified Igbinadolor that it was opening an investigation.

Lack of Cooperation Cited

OCR said it told Igbinadolor on April 3, 2017, to remove the response to the review, but it was still up as of Oct. 22, 2020, when it issued a “notice of proposed determination” indicating the agency intended to fine him $50,000 for the violation. OCR sent a final determination imposing the penalty on June 1 of last year.

Throughout the years, the agency continued requesting copies of his policies and procedures, to no avail. According to OCR, the practice “refused to provide the data that OCR requested and responded, in pertinent part, ‘I will see you in court,’” in September 2017.

Two months later, OCR issued an administrative subpoena, which “directed UPI to produce its policies and procedures related to the HIPAA Privacy Rule including, but not limited to, ‘social media’ and uses and disclosures of PHI; documentation of any training related to the HIPAA Privacy Rule; and income statements, balance sheets, statements of cash flow, and federal tax returns.”

Igbinadolor’s case provides insights into OCR’s investigative techniques, as well as how it arrives at determinations. It also demonstrates what agency officials have repeatedly said: cooperation is key.

OCR: No ‘Attempt to Mitigate’

For example, in its first data request to the practice, OCR asked for information relating to how it might have provided training after what it called “the incident.” This can signal to covered entities and business associates that they should be able to show concrete steps to address infractions, in the event OCR investigators come calling.

OCR asked for a copy of its “policies and procedures with respect to responding to patients’ reviews on online platforms; 2) a copy of UPI’s policies and procedures with respect, generally, to uses and disclosures of PHI; 3) a copy of UPI’s policies and procedures with respect to safeguarding PHI; 4) documentation of any HIPAA training conducted by UPI prior to, and in response to, the incident described in the complaint.”

But OCR wasn’t given the documents it requested nor did Igbinadolor reply when given the chance to present mitigating factors that could have been used to lessen the fine, nor request a hearing. “Despite repeated notice of this impermissible disclosure, UPI has not demonstrated any effort to mitigate any potential harmful effects of the impermissible disclosure or to come into compliance with the applicable provisions of the Privacy Rule by removing the PHI from its Google page,” OCR said in the proposed determination letter.

The agency did note there were no “prior complaints against, or compliance reviews of, UPI.”

Surprisingly, this is not the first such case of its type—and the previous one also involved a dentist. In October 2019, a dentist in Dallas agreed to pay OCR $10,000 for a similar response to a poor review about his practice posted on Yelp that disclosed a patient’s last name and other personal details.^[6]

1 John Sharp, “‘Negative,’ ‘personal,’ ‘regrettable’: The ugly showdown for a state Senate seat in Baldwin County,” AL.com, July 12, 2018, https://bit.ly/3K8xnM3.
2 HHS, Resolution agreement for Northcutt Dental-Fairhope LLC, March 8, 2022, https://bit.ly/3NO7XFs.
3 Theresa Defino, “Dentist Prevails in Fight Against $100K Fine,” Report on Patient Privacy 22, no. 4 (April 2022).
4 Cliff McCollum, “Senate candidate David Northcutt files complaint with Secretary of State about newspaper ads,” Gulf Coast Media, May 26, 2018, https://bit.ly/3DyzRRf.
5 Marisa M. Smith, “Notice of Proposed Determination,” HHS, October 22, 2020, https://bit.ly/3JaA5ix; Robinsue Frohboese, “Notice of Final Determination,” HHS, June 1, 2021, https://bit.ly/3K50FuX.
6 Theresa Defino, “OCR Wrist-Slap on Dental Practice Puts Focus On HIPAA-Compliant Responses to Reviews,” Report on Patient Privacy 19, no. 10 (October 2019), https://bit.ly/3NJSaaQ.

[View source.]