“Expensive News”: Medical Practice Enters Into $125,000 HIPAA Settlement For Sharing PHI With a Reporter

Saul Ewing Arnstein & Lehr LLP

Saul Ewing Arnstein & Lehr LLP

On November 26, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Allergy Associates of Hartford, P.C. (AAH) agreed to pay $125,000 to settle alleged HIPAA violations following a doctor’s  discussion with a reporter resulting in the disclosure of a patient’s protected health information (PHI).  The settlement is notable both because the medical practice is small (only three doctors) and the disclosure involved a single patient.

​On February 20, 2015, an AAH physician spoke with a reporter in connection with the reporter’s investigation of a patient’s complaint that she was turned away from AAH because of her use of a service animal.  In the conversation with the reporter, the doctor disclosed PHI about the patient, without the patient’s prior authorization.  The OCR noted that AAH never sanctioned the physician for the non-compliant HIPAA conduct.

The OCR’s investigation concluded that the physician’s discussion with the reporter constituted “reckless disregard” for the patient’s privacy rights.  The investigation further revealed that the disclosure occurred even after AAH’s privacy officer counseled the physician to either not respond to the reporter or to respond with “no comment.”

In addition to the $125,000 payment, AAH agreed to enter into a two-year corrective action plan (CAP) that requires AAH to:

  • develop and revise, as applicable, its HIPAA privacy policies and procedures, including disclosures relating to media-related patient inquiries and the application of sanctions against AAH workforce members who do not comply with these HIPAA policies;
  • distribute the policies and procedures to members of its workforce and provide workforce training; and
  • prepare an implementation report and annual reports with respect to its compliance with the CAP.

The AAH settlement underscores that “isolated” HIPAA violations in “small” medical practices are also subject to investigation and enforcement by the OCR and that covered entities of all sizes must have compliant HIPAA practices in place that are enforced by the covered entity.

Written by:

Saul Ewing Arnstein & Lehr LLP

Saul Ewing Arnstein & Lehr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.