Practice Settles With HHS Following PHI Disclosure

by Chris Brook on Tuesday November 27, 2018


A Connecticut-based allergy practice agreed to pay $125,000 this week to settle the disclosure of patient information to a reporter.

A Connecticut-based allergy practice agreed this week to pay $125,000 to settle a civil rights complaint alleging that the practice impermissibly disclosed an individual's protected health information (PHI).

The firm, Allergy Associates of Hartford, P.C., a professional association of allergists, provides diagnostic and therapeutic treatment to adults and children at four locations in the state: Hartford, Meriden, Glastonbury, and Ellington.

The issue dates back to 2015, when a patient at the practice contacted a local television station, the Hartford FOX affiliate FOX 61, after being turned away from the office over a service animal.

In a news package that aired on FOX 61 on February 20 of that year, a reporter for the station said the complainant's doctor discussed the situation by phone for about 20 minutes but declined to go on the record.

According to the investigation carried out by HHS, that conversation disclosed the patient's PHI.

According to HHS's resolution agreement (.PDF), made public Monday, the department received the civil rights complaint in October 2015 after the patient filed it with the Connecticut Department of Justice office and the U.S. Attorney's Office by way of the Connecticut Office of Protection and Advocacy for Persons with Disabilities (OPA).

45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule states that "a covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter." Neither exception applies here: a media inquiry is not a permitted or required disclosure, and nothing in the record indicates the patient authorized it.

Compounding the problem, HHS said in the resolution agreement that Allergy Associates failed to sanction the doctor who disclosed the patient's PHI, even after HHS informed the firm that it was opening an investigation into the incident.

It's important to note that the settlement is neither an admission of liability by the firm nor a concession by HHS that the firm is not in violation of the HIPAA Privacy Rule. If anything, the agreement is a pragmatic arrangement between the two, a resolution designed to spare both parties the "uncertainty, burden, and expense of further investigation and formal proceedings."

The agreement underscores the risk of disclosing a patient's protected health information to reporters. This particular incident appears to have involved an oral disclosure over the phone, but the Privacy Rule covers PHI in any form or medium, so the disclosure would have been just as impermissible had it been made by email or another electronic channel.

In addition to paying $125,000, Allergy Associates must develop, maintain, and revise as necessary a corrective action plan to ensure that it complies with the standards governing the privacy of PHI.

Part of the plan stipulates that the practice implement policies and procedures for employees who use and disclose PHI. It also requires the practice to adopt "instructions and procedures that address appropriate administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure."

"When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media," Roger Severino, Director of the Office for Civil Rights at the U.S. Department of Health and Human Services, said Monday. "Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA's privacy rules, especially when responding to press inquiries."

Tags: Industry Insights, Healthcare


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.