The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $125,000 no-fault settlement and two-year corrective action plan with Allergy Associates of Hartford, P.C. (Allergy Associates) stemming from an incident involving a physician who impermissibly released protected health information (PHI) to the media.

In February 2015, a patient of Allergy Associates contacted a television station in Connecticut   about a dispute that had occurred between the patient and a physician at Allergy Associates. The dispute revolved around an allegation that Allergy Associates turned the patient away because she used a service animal. The television station contacted the implicated physician for comment soon thereafter and Allergy Associates’ Privacy Officer instructed the physician to remain silent on the matter. According to the HHS-OCR settlement announcement and Resolution Agreement, the physician ignored the Privacy Officer’s instructions and impermissibly disclosed the PHI of the patient to the television station. As a reminder, the Health Insurance and Portability Act (HIPAA) generally prohibits health care providers from disclosing a patient’s protected health information to media unless either (i) the patient or their personal representative authorizes the disclosure, or (ii) the disclosure fits within a HIPAA exception.

Following the impermissible disclosure, and after HHS notified Allergy Associates that it initiated its investigation, Allergy Associates failed to take any disciplinary action against the physician for this impermissible disclosure or pursue any corrective action following the disclosure. Please note that HIPAA requires a covered entity to have and apply appropriate sanctions against its workforce members who fail to comply with its own privacy policies and procedures or HIPAA’s privacy regulations, and further document such sanctions.

This settlement, announced on November 26, 2018, comes on the heels of three other media-related HHS-OCR settlements that DBR on Data reported on in September involving the disclosure of PHI in the course of filming a television series  at various hospitals in Massachusetts. Together, these recent HHS-OCR enforcement activities reflect HHS-OCR’s watchfulness as health care providers continue to face challenges that accompany increasing traditional and social media presence in daily health care operations.

If you have any questions about this HHS-OCR settlement or HIPAA compliance in general, please contact any member of Drinker Biddle’s Health Care Team.