Allergy Practice in Hartford Fined $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled potential HIPAA Privacy Rule violations with a Hartford allergy practice for $125,000

OCR received a copy of a civil rights complaint against Allergy Associates of Hartford, a healthcare provider in Connecticut specializing in the treatment of patients with allergies, from the Department of Justice (DOJ) on October 6, 2015. The complainant accused Allergy Associates of an impermissible disclosure of her protected health information (PHI) to a television reporter.

The complainant contacted a local TV station after the allergy practice turned her away because of her service animal. The TV reporter followed up on the story and called the practice and asked for comment. A doctor at the allergy practice talked to the TV reporter and impermissibly revealed some of the patient’s PHI. OCR’s investigation confirmed that the doctor had impermissibly disclosed the complainant’s PHI and violated the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a).

The allergy practice’s Privacy Officer had previously advised the doctor to pay no attention to the request for comments or to simply respond with ‘no comment.’ However, the doctor decided to talk with the reporter and revealed some of the complainant’s PHI. OCR considered the incident a careless disregard for the privacy rights of the patient.

After OCR contacted Allergy Associates regarding the privacy breach, the healthcare provider failed to apply appropriate sanctions against the doctor who violated the patient’s privacy and the  privacy policies and procedures of the practice, as is required by the HIPAA Privacy Rule – 45 C.F.R. §164.530(e)(l).

OCR Director Roger Severino said doctors should not disclose private patient information to the media in response to patient complaints about their medical practice. Egregious disclosures could bring about considerable fines, so covered entities should closely observe HIPAA’s privacy rules, particularly when answering press enquiries.

Allergy Associates chose to settle the case with no admission of liability and pay the $125,000 financial penalty. Additionally, Allergy Associates has agreed to undertake a corrective action plan to address noncompliance issues and will be closely monitored by OCR for HIPAA compliance for two years.