Practice settles claim it used patient data in political bid

2022 04 01 15 27 1667 Legal Letter Contract No Gavel 400

An Alabama dental practice agreed to take corrective action to settle a potential HIPAA violation for reportedly disclosing patients' private health data to a campaign manager and a marketing firm hired to manage the owner dentist's political campaign.

Dr. David Northcutt, the owner of Northcutt Dental-Fairhope and a Republican who ran for the Alabama state Senate in 2017, agreed to pay $62,000 to the U.S. Department of Health and Human Services (HHS), according to the department's resolution agreement. Northcutt did not win the election.

"The agreement is not admission of liability by Northcutt Dental," according to the agreement.

In July 2017, Northcutt allegedly provided an Excel spreadsheet that contained the names and addresses of 3,657 patients of Northcutt Dental to his campaign manager. The manager reportedly used the information to mail letters about Northcutt's state senate bid to the patients. Though the letter was written on campaign letterhead, it addressed recipients as "Dear Valued Patient," according to the resolution.

In April 2018, Northcutt Dental purportedly sent an email communication to its patients about the dentist's campaign. The message was allegedly signed "Sincerely, Northcutt Dental."

The dental practice reportedly used a third-party marketing company, Solutionreach, to send the emails. The emails were sent to 5,385 patients, including the same patients who received the July letter, according to the agreement.

An HHS Office of Civil Rights investigation revealed that Northcutt Dental impermissibly disclosed the names and addresses of 3,658 patients when it shared this information with Northcutt's campaign manager in 2017. It did the same when it disclosed patient information to Solutionreach for purposes outside the service arrangement in place, according to the agreement.

According to the agreement, the practice has agreed to take corrective actions, including reviewing and revising its written policies and procedures to comply with HIPAA's privacy, security, and breach notification rules and to submit its proposed training materials to HHS for its review and approval.

Page 1 of 547
Next Page