Health Information Compliance Alert

Case Study:

Does Big Fine for Single HIPAA Violation Spell Trouble for Providers?

Hint: Protecting even one patient’s privacy still matters to OCR.

In most cases, it’s only large-scale HIPAA violations that garner major headlines. However, a recent disclosure involving a single patient illustrates the serious consequences that even one HIPAA violation can bring.

Nuts and bolts: Connecticut specialist Allergy Associates of Hartford, PC (Allergy Associates) settled with the HHS Office for Civil Rights (OCR) for a HIPAA violation after one of the physicians gave out a patient’s protected health information (PHI) in an interview with a reporter, notes an OCR release. The small group practice, which consists of only three providers, consented to pay a $125,000 fine and adopt a corrective action plan for two years in response to the single breach from February 2015.

According to legal documents, Allergy Associates’ troubles began over a dispute with a patient who’d been denied treatment. “On February 20, 2015, an Allergy Associates Workforce Member had a conversation with a Reporter regarding the Reporter’s investigation of the Complainant’s allegation that she was turned away from Allergy Associates because of her use of a service animal,” said the Resolution Agreement. “The Workforce Member impermissibly disclosed the PHI of the Complainant. Following the impermissible disclosure, and after HHS notified Allergy Associates that it initiated its investigation, Allergy Associates failed to sanction the Workforce Member for the impermissible disclosure.”

Why Is This Case Important?

Over the past few years, privacy violations have taken a backseat to data security incidents, which have monopolized much of the breach news. This case highlights, however, that HIPAA Privacy Rule compliance is still an issue. The Allergy Associates settlement is also a reminder to covered entities (CEs) to tread carefully with the media and, at the very least, to have a system in place for addressing reporters’ questions without illegally divulging patients’ PHI.

Details: According to the feds, the CE “impermissibly disclosed the Complainant’s PHI to an unauthorized third party,” said the Resolution Agreement. CEs and their business associates cannot use or disclose PHI unless an exception applies. This part of the violation falls directly under 45 CFR 164.502(a) of the HIPAA Privacy Rule.

The second issue Allergy Associates ran into was not applying “appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures,” the Resolution Agreement maintained. This goes against the requirements of the Privacy Rule and specifically concerns 45 CFR 164.530(e)(1) of the regulation.

“The OCR’s investigation concluded that the physician’s discussion with the reporter constituted ‘reckless disregard’ for the patient’s privacy rights,” write Philadelphia-based attorneys Bruce D. Armon and Karilynn Bayus of Saul, Ewing, Arnstein & Lehr, LLP in an online legal analysis of the settlement. “The investigation further revealed that the disclosure occurred even after [Allergy Associates] AAH’s privacy officer counseled the physician to either not respond to the reporter or to respond with ‘no comment.’”

Federal input: “When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” stressed OCR Director Roger Severino in a release on the case. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

One of the more troubling factors in the case is the size and scope of the settlement for a single HIPAA violation committed by one CE, Armon and Bayus suggest in their analysis. “The [Allergy Associates] AAH settlement underscores that ‘isolated’ HIPAA violations in ‘small’ medical practices are also subject to investigation and enforcement by the OCR,” Armon and Bayus advise.

Revisit Privacy Rule Protocols

If anything is to be learned from the steep payment for this breach, it is that small providers must implement risk analysis and manage their HIPAA issues. Clearly, the OCR is ready to take action against even small practices for so-so Privacy Rule policies and the failure to follow through on them. Safeguarding your patients’ PHI needs to be at the top of your list as you revisit protocols and update HIPAA compliance training for 2019.

“This case illustrates the importance of having proper policies and procedures in place so that all staff are aware of how to properly address media inquiries regarding patients,” explains attorney Deborah George of Robinson & Cole in a blog post.

George continues that “failure to take action against employees who violate HIPAA rules can have consequences. Regular staff training will help to avoid complaints and potential civil monetary penalties and, perhaps most importantly, will better protect patients’ privacy rights.”

Review the OCR release with the link to Allergy Associates’ Resolution Agreement at www.hhs.gov/about/news/2018/11/26/allergy-practice-pays-125000-to-settle-doctors-disclosure-of-patient-information-to-a-reporter.html.