The United States Department of Health & Human Services, Office for Civil Rights (OCR) announced a settlement this week with Allergy Associates of Hartford, P.C., under which Allergy Associates agreed to pay $125,000 to resolve a HIPAA violation complaint. The complaint alleged that the covered entity impermissibly disclosed the complainant’s Protected Health Information (PHI) to an unauthorized third party (a reporter) and that it failed to apply appropriate sanctions against its workforce member. A copy of the Allergy Associates Resolution Agreement can be found here.

The OCR investigation revealed that a patient of Allergy Associates contacted a reporter about a dispute between the patient and a doctor. The reporter contacted the doctor for comment, and the doctor was alleged to have impermissibly disclosed the patient’s protected health information to the reporter. OCR reported in its press release that the doctor’s discussion with the reporter occurred after the doctor was instructed by Allergy Associates’ privacy officer to either not respond or to respond with “no comment.” OCR also reported that its investigation revealed that Allergy Associates failed to take any disciplinary or corrective action against the doctor for the disclosure. Although the Resolution Agreement does not constitute an admission of liability on the part of Allergy Associates, it does call for payment of $125,000 and submission to a two-year corrective action plan. The plan will also require written privacy policies and procedures, staff training, additional reporting requirements, a document retention strategy, and protocols that address appropriate administrative, technical, and physical safeguards to protect PHI from disclosure, particularly for media inquiries.

We wrote about a much bigger settlement of $2.4 million last year with Texas Health System for a similar HIPAA violation, which also involved disclosure of patient PHI to the media. We cautioned then about covered entities interacting with the media, and that caution bears repeating.

This case illustrates the importance of having proper policies and procedures in place so that all staff are aware of how to properly address media inquiries regarding patients. This case also shows that failure to take action against employees who violate HIPAA rules can have consequences. Regular staff training will help to avoid complaints and potential civil monetary penalties and, perhaps most importantly, will better protect patients’ privacy rights.