Allergy Associates of Hartford, P.C. (Allergy Associates) has agreed to pay a fine of $125,000 to the Office of Health and Human Services’ Office for Civil Rights to settle alleged violations of the Health Insurance Portability and Accountability Act.
In October 2015, a complaint that had been filed with the Department of Justice (DOJ) was handed over to the OCR. The complainant claimed that Allergy Associates, a Connecticut healthcare provider that specializes in treating patients with allergies, had impermissibly disclosed her protected health information (PHI) to a TV reporter.
The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information while discussing the case with the reporter.
OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule 45 C.F.R. § 164.502(a), which covers the general rules of the uses and disclosures of PHI. Sharing the PHI with the reporter without the individual’s consent was deemed an impermissible disclosure of PHI.
The physician in question had already been advised by the practice’s Privacy Officer to ignore the reporter’s request for comment or to respond with ‘no comment.’ However, the physician chose to speak with the reporter and disclosed some of the patient’s PHI. OCR viewed the disclosure as ‘a reckless disregard for the patient’s privacy rights.’
After Allergy Associates was contacted by OCR about the privacy breach, Allergy Associates failed to apply appropriate sanctions against the physician concerned for a violation of the practice’s privacy policies and procedures, as is required by the HIPAA Privacy Rule (45 C.F.R. §164.530(e)(l)), which states “A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity“.
“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” explained OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”
Allergy Associates agreed to settle the case with no admission of liability. In addition to paying a financial penalty of $125,000, Allergy Associates has agreed to adopt a robust corrective action plan which includes two years of OCR monitoring the practice’s compliance with HIPAA Rules.