A Strong Message on Improper PHI Disclosure to News MediaHHS Imposes Penalty on Small Clinic and Demands Action
In at least the fourth federal HIPAA case involving improper disclosure of patient information to the media, federal regulators have slapped a three-doctor practice in Connecticut with a financial penalty.
In a Monday statement, the Department of Health and Human Services' Office for Civil Rights says it has signed a $125,000 settlement with Allergy Associates of Hartford, which has four locations in Connecticut.
The settlement comes in the wake of a February 2015 incident in which a patient of Allergy Associates contacted a local television station to speak about a dispute that occurred between the individual and one of the practice's doctors. The settlement document notes that the patient alleged that she was turned away from Allergy Associates because of her use of a service animal.
"When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media."
—Roger Severino, director, HHS OCR
The reporter subsequently contacted the doctor for comment, and the physician impermissibly disclosed the patient's protected health information to the reporter, OCR notes.
Settlement documents note that in October 2015, HHS received a copy of a civil rights complaint filed on behalf of the individual by the Connecticut Office of Protection and Advocacy for Persons with Disabilities.
HHS initiated a joint investigation with DOJ into the civil rights allegations against Allergy Associates. The complaint also alleged that Allergy Associates impermissibly disclosed the individual's PHI, the documents note.
Why Case Is Notable
"This case is notable because to my knowledge, this would the first enforcement action for failing to comply with the HIPAA Privacy Rule that also involved an investigation into other federal civil rights standards," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
OCR's investigation found that the doctor's discussion with the reporter demonstrated a reckless disregard for the patient's privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates' privacy officer to either not respond to the media or respond with 'no comment,'" HHS says in the statement.
Additionally, OCR's investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media, the statement notes.
"When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media," OCR Director Roger Severino said in the statement. "Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA's privacy rules, especially when responding to press inquiries."
In addition to the financial settlement, Allergy Associates has agreed to implement a corrective action plan that includes two years of monitoring its compliance with the HIPAA rules.
The settlement with Allergy Associates is at least the fourth enforcement case by OCR involving HIPAA privacy violations tied to disclosures to the media.
The series of enforcement actions emphasize "a line in the sand for HIPAA covered entities and their business associates," Holtzman says.
"The HIPAA Privacy Rule balances providing patients' rights to control how and when their protected health information is disclosed for purposes outside of treatment while allowing healthcare providers flexibility to use and disclose PHI in order to treat that patient or coordinate the continuation of that care with family members and partners," he notes. "Healthcare providers cannot expose patients or their treatment records to the glare of television lights or a reporter's notebook without first obtaining an authorization that meets the requirements of the HIPAA Privacy Rule."
In September, OCR slapped three Boston hospitals - Massachusetts General and Brigham & Women's and Boston Medical Center - with a financial settlement totaling $1 million for allowing crews for the documentary TV show "Save My Life: Boston Trauma" to film on their premises in 2014 and 2015 without obtaining authorization from patients (see: Hospitals Fined $1 Million After TV Crews Film Patients).
In a similar 2016 incident, OCR entered a $2.2 million settlement with New York-Presbyterian Hospital in connection with the filming of a similar ABC News documentary TV show, "NY Med." In that earlier settlement, OCR said the hospital allowed a TV crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.
And in May 2017, OCR slapped Memorial Hermann Health System, which operates 16 hospitals in the Houston area, with a $2.4 million settlement stemming from the 2015 disclosure of one patient's information to the news media without the individual's consent.
The recent settlement with Allergy Associates is the sixth enforcement action by OCR so far this year, with penalties totaling more than $25 million.
In October, OCR signed a record $16 million settlement with Anthem in the wake of a cyberattack on the health plan revealed in 2015 that resulted in a massive health data breach impacting nearly 79 million individuals (see: Anthem Mega Breach: Record $16 Million Settlement.)
The resolution agreement between OCR and Allergy Associates notes that the practice has agreed to take several corrective actions, including:
- Developing, maintaining and revising, as necessary, its written policies and procedures to comply with the HIPAA Privacy Rule and submitting those for review and approval by OCR. Those policies and procedures also need to address permissible and impermissible uses and disclosures of PHI for media inquiries.
- Distributing and updating those policies and procedures to the practice's workforce.
- Providing OCR-approved HIPAA training to the practice's workforce.
- Providing HHS with a description of the appropriate sanctions the practice has taken against workforce members who failed to comply with its privacy policies and procedures and the requirements of the HIPAA Privacy Rule.
Allergy Associates did not immediately respond to an Information Security Media Group request for comment on the settlement.
Lessons to Learn
Other covered entities and business associates should pay careful attention to this latest OCR enforcement action.
"It's most significant that this case appears to illustrate that OCR will take seriously individual complaints that implicate both civil rights authorities and HIPAA," says privacy attorney Iliana Peters of the law firm Polsinelli. "In other words, HIPAA covered entities and business associates should ensure compliance not only with HIPAA, but also with other civil rights laws, as they apply in healthcare."
Peters, a former OCR official, says it's important to note that OCR will take enforcement action against any organization, regardless of size.
"It's actually quite fitting that this case comes immediately after the Anthem settlement, which was the largest settlement to date with a very large entity regarding a breach. Here, we have the similar effort, in terms of government resources, with regard to investigating an individual complaint and enforcing HIPAA."
Further, HIPAA covered entities and business associates must remember that individuals get to make the decisions about what PHI about them disclosed to the public, and even if an individual shares information with the news media, the entity must still obtain an authorization to discuss PHI about the individual, she notes.
"If a workforce member does impermissibly disclose PHI, the HIPAA covered entity or business associate must sanction the workforce member and must keep documentation of such sanctions for at least six years, as required by the HIPAA rules," she says.
"OCR will look for a policy and procedure addressing workforce sanctions and for documentation that sanctions required by the policy were implemented in any particular disclosure situation. If the entity cannot produce either, they are liable for potential violations of the HIPAA rules."