A Connecticut allergy practice has agreed to pay $125,000 and enter a corrective action plan to settle an alleged Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule violation. According to the US Department of Health and Human Services (HHS), the violation occurred when one of the practice’s physicians disclosed a patient’s protected health information to a member of the media.
After a dispute developed between the patient and the physician, the patient contacted a local television station. In turn, the television reporter reached out to the physician for comment; that is when, according to HHS, the physician, who did not have the patient’s permission, disclosed the patent’s protected health information.
An investigation by HHS’s Office for Civil Rights (OCR) found that the physician’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the physician was instructed by Allergy Associates’ Privacy Officer to either not respond to the media or respond with “no comment.” Additionally, OCR’s investigation revealed that Allergy Associates failed to take any disciplinary action against the physician or take any corrective action following the impermissible disclosure to the media.
“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”
In addition to the monetary settlement, Allergy Associates will undertake a corrective action plan that includes 2 years of monitoring their compliance with HIPAA rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/allergyassociates/index.html.