The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with Allergy Associates of Hartford, P.C., a three-physician allergy practice in Connecticut, for HIPAA Privacy Rule violations.
Alleged HIPAA Violation
According to OCR’s press release and corrective action plan, a patient of Allergy Associates contacted a reporter about a dispute between the patient and a doctor regarding the patient’s service animal. The reporter contacted the doctor for comment and the doctor was alleged to have impermissibly disclosed the patient’s protected health information to the reporter.
While the allergy practice had HIPAA policies and procedures in place, the physician did not adhere to the policies. Further, once OCR uncovered the issue, it also found that the practice failed to sanction the physician involved in accordance with its policies.
OCR claimed that the physician’s discussion with the reporter “demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by [the practice’s] Privacy Officer to either not respond to the media or respond with ‘no comment.’”
The OCR specifically expressed concern about complaining patients having their protected health information shared with the media. The OCR also concluded that the practice “failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.”
The six-figure settlement illustrates several important points:
- First, even small practices, and violations involving as few as one patient, can be subject to enforcement actions and large settlements or penalties.
- Second, having policies and procedures is not enough. When workforce members (including physicians) violate those policies, the covered entity must sanction them in accordance with the policies.
- Finally, it is important to implement corrective measures to ensure that the same violation does not happen again.
Some examples of corrective actions can include re-training employees on existing policies and implementing a policy requiring that statements to the media must be in writing and that the privacy officer must approve all statements in advance.