Allergy Associates of Hartford, P.C. (Allergy Associates), has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Allergy Associates is a health care practice that specializes in treating individuals with allergies, and is comprised of three doctors at four locations across Connecticut.
In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. The reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s protected health information to the reporter.
OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates’ Privacy Officer to either not respond to the media or respond with “no comment.” Additionally, OCR’s investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.
In addition to the monetary settlement, Allergy Associates will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/allergyassociates/index.html
PUBLISHER COMMENT: One of the hardest issues for some physicians and organizations is to sit quietly while being attacked online or in the media. It seems particularly unfair that a patient can give their version but the provider cannot respond with their view of the facts. This regulatory action emphasizes the strict reality that the patient can talk about their care but the healthcare provider may not without permission of the patient. Another important point from this enforcement action is that the practice failed to discipline the physician (who could be an employee, partner, or practice owner) … HIPAA requires covered entities to have and enforce disciplinary policies and procedures against individuals who cause a HIPAA breach. Here, OCR found the highest level violation where the individual ignored a direct warning and no discipline was enforced.