OCR Announces $125,000 Settlement for Disclosure of Patient Information to Reporter

Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

The United States Department of Health & Human Services, Office of Civil Rights (OCR) announced a settlement this week with Allergy Associates of Hartford, P.C. whereby Allergy Associates agreed to pay $125,000 to resolve a HIPAA violation complaint that alleged the covered entity impermissibly disclosed the complainant’s PHI to an unauthorized third party (a reporter) and that it failed to take appropriate sanctions against its workforce member. A copy of the Allergy Associates Resolution Agreement can be found here.

The OCR investigation revealed that a patient of Allergy Associates contacted a reporter about a dispute between the patient and a doctor. The reporter contacted the doctor for comment and the doctor was alleged to have impermissibly disclosed the patient’s protected health information to the reporter. OCR reported in its press release that the doctor’s discussion with the reporter occurred after the doctor was instructed by Allergy Associates’ privacy officer to either not respond or to respond with “no comment.” OCR also reported in the press release that their investigation revealed that Allergy Associates failed to take any disciplinary or corrective action against the doctor for the disclosure. Although the Resolution Agreement did not constitute an admission of liability on the part of Allergy Associates, the Resolution Agreement does call for payment of $125,000 and to submit to a two year corrective action plan. The plan will also require written privacy policies and procedures, staff training, additional reporting requirements, a document retention strategy, and to establish protocols that address appropriate administrative, technical, and physical safeguards to protect PHI from disclosure, particularly for media inquiries.

We wrote about a much bigger settlement of $2.4 million dollars last year with Texas Health System for a similar HIPAA violation which also involved disclosure of patient PHI to the media. We cautioned then about covered entities interacting with the media and the caution bears repeating.

This case illustrates the importance of having proper policies and procedures in place so that all staff is aware of how to properly address media inquiries regarding patients. This case also shows that failure to take action against employees who violate HIPAA rules can have consequences. Regular staff training will help to avoid complaints and potential civil monetary penalties and, perhaps most importantly, will better protect patients’ privacy rights.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide