Saul Ewing Arnstein & Lehr LLP

On November 26, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Allergy Associates of Hartford, P.C. (AAH) agreed to pay $125,000 to settle alleged HIPAA violations following a doctor’s discussion with a reporter resulting in the disclosure of a patient’s protected health information (PHI).  The settlement is notable both because the medical practice is small (only three doctors) and the disclosure involved a single patient.

On February 20, 2015, an AAH physician spoke with a reporter in connection with the reporter’s investigation of a patient’s complaint that she was turned away from AAH because of her use of a service animal.  In the conversation with the reporter, the doctor disclosed PHI about the patient, without the patient’s prior authorization.  The OCR noted that AAH never sanctioned the physician for the non-compliant HIPAA conduct.

The OCR’s investigation concluded that the physician’s discussion with the reporter constituted “reckless disregard” for the patient’s privacy rights.  The investigation further revealed that the disclosure occurred even after AAH’s privacy officer counseled the physician to either not respond to the reporter or to respond with “no comment.”

In addition to the $125,000 payment, AAH agreed to enter into a two-year corrective action plan (CAP) that requires AAH to:

  • develop and revise, as applicable, its HIPAA privacy policies and procedures, including disclosures relating to media-related patient inquiries and the application of sanctions against AAH workforce members who do not comply with these HIPAA policies;
  • distribute the policies and procedures to members of its workforce and provide workforce training; and
  • prepare an implementation report and annual reports with respect to its compliance with the CAP.

The AAH settlement underscores that “isolated” HIPAA violations in “small” medical practices are also subject to investigation and enforcement by the OCR and that covered entities of all sizes must have compliant HIPAA practices in place that are enforced by the covered entity.