Allergy Center’s HIPAA Fine Nothing to Sneeze at

A Connecticut healthcare provider recently learned it’s better not to comment in public about a patient, even if that patient has disclosed his or her own protected health information (PHI) to others.

The incident involved Allergy Associates of Hartford, a provider specializing in the treatment of patients with allergies. The patient called a local television station after being turned away because of her service animal.

When the television station called the practice for comment, a physician spoke to the reporter, and in the process disclosed some of the patient’s protected health information, even though the physician had previously been advised to either ignore the reporter’s request or offer a simple “no comment.”

Had the physician received permission from the patient to discuss the case, Allergy Associates would not have found itself in the position of having to defend a HIPAA violation.

The Department of Health and Human Services’ Office for Civil Rights (OCR) investigated and confirmed there had been a violation of the HIPAA Privacy Rule. Even after OCR contacted Allergy Associates about the breach, the practice failed to sanction the physician or to take corrective action.

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

As a result, Allergy Associates of Hartford agreed to settle the case by paying $125,000 to OCR and by adopting a corrective action plan. As part of that plan, Allergy Associates must develop, maintain and revise its written policies and procedures governing the protection of patient health information, which must be reviewed and approved by HHS. Once approved, all employees must be made aware of the rules, be provided with training, and sign paperwork attesting to the fact they know what the rules are. If there is a reportable event, Allergy Associates must take appropriate actions against employees who are in violation.

Since April 2003, OCR has received more than 186,453 HIPAA complaints and initiated more than 905 compliance reviews. According to OCR’s own statistics, it has resolved more than 26,152 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates.

As of July 31, OCR has settled or imposed a civil money penalty in 55 cases resulting in a total dollar amount of $78,829,182. OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

From the compliance date to the present, the compliance issues investigated most often, compiled cumulatively and listed in order of frequency, are:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information;
  • Use or disclosure of more than the minimum necessary protected health information.

Although less prevalent, disclosing protected patient health information to the media does occur.

In September, OCR reached separate settlements with Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital for compromising the privacy of patients’ protected health information by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.

Boston Medical settled for $100,000, Brigham and Women’s Hospital paid OCR $34,000, and Massachusetts General paid $515,000.

It was the second HIPAA case involving an ABC medical documentary TV series. In April 2016, OCR settled potential HIPAA violations with New York Presbyterian Hospital for $2.2 million for the unauthorized filming of two patients.

Every healthcare organization would be well-advised not only to have HIPAA policies and procedures in place, but also to ensure that all employees are trained on the do’s and don’ts.

Ignorance is not a defense and can result in fines of $100 to $50,000. Fines are even higher if the breach was due to willful neglect.

The Health Law Offices of Anthony C. Vitale can assist you in establishing proper HIPAA rules and procedures as well as defending you should a HIPAA breach occur. Contact us for additional information at 305-358-4500 or send us an email to and let’s discuss how we might be able to assist you.
