OCR Penalizes Allergy Practice $125,000 for Impermissible PHI Disclosure

The Division of Health and Human Services’ Office for Civil Rights (OCR) has penalized a Hartford allergy practice $125,000 over suspected violations of the HIPAA Secrecy Law.

On October 6, 2015, OCR got a copy of a civil rights grievance that had been filed with the Department of Justice (DOJ). The plaintiff suspected Allergy Associates of Hartford – A Connecticut healthcare supplier that specializes in treating patients with allergies – had impermissibly divulged her protected health information to a TV correspondent.

The plaintiff had earlier got in touch with a local TV station after she had been turned away from the allergy practice due to her service animal. The TV correspondent subsequently contacted the practice requesting remark. A doctor at the practice spoke to the correspondent and impermissibly divulged some of the patient’s protected health information.

OCR’s inquiry verified there had been an impermissible disclosure of PHI, in violation of the HIPAA Secrecy Law – 45 C.F.R. § 164.502(a).

The doctor in question had already been advised by the practice’s Secrecy Officer to disregard the correspondent’s request for a remark or to reply with ‘no comment.’ However, the doctor chose to speak with the correspondent and released some of the patient’s PHI. OCR saw the disclosure as ‘careless disregard for the patient’s secrecy rights.’

After Allergy Associates was communicated by OCR concerning the secrecy breach, Allergy Associates failed to apply proper sanctions against the doctor concerned for a violation of the practice’s secrecy policies and procedures, as is required by the HIPAA Secrecy Law – 45 C.F.R. §164.530(e)(l).

“When a patient protests about medical practice, physicians cannot reply by releasing secret patient information to the mass media,” clarified OCR Director Roger Severino. “Because egregious disclosures can result in substantial fines, protected units need to pay close attention to HIPAA’s secrecy laws, particularly when replying to press queries.”

Allergy Associates agreed to resolve the case with no admission of liability. In addition to paying a financial penalty of $125,000, Allergy Associates has agreed to adopt a robust remedial action plan which includes two years of OCR checking the practice’s compliance with HIPAA Laws.