A Patient’s Disclosure of her Health Information Doesn’t Extinguish a Healthcare Provider’s HIPAA Obligations to Protect the Privacy of the Patient’s PHI

It is generally well known that the privacy and security regulations of the Health Insurance Portability and Accountability Act (“HIPAA”) protect the privacy of certain health care information.  Individuals with obligations to follow those regulations need to understand how to follow its requirements.  A recent settlement provides a learning opportunity for those individuals.

The November 2018 settlement ($125,000) and corrective action plan between Allergy Associates, a CT based medical practice, and the Office for Civil Rights (OCR) of the US Department of Health & Human Services provides some lessons.  The settlement arose from an Allergy Associates physician’s  response to a TV reporter’s inquiry related to a patient complaint.  In this case the patient, who uses a service animal, was denied access to Allergy Associates’ office because the service animal was with her.  That would appear to be a reasonable requirement in light of the fact that many of the health care practice’s patients may suffer significant allergic reactions to dog dander.  Unfortunately, a physician at Allergy Associates discussed the patient when it was contacted by a television reporter, and in doing so disclosed PHI of the patient to the reporter.  The OCR cited both the impermissible disclosure of PHI and the fact that Allergy Associates failed to apply appropriate sanctions to the physician who made the disclosure.

Lessons from this settlement include:

  1. A patient’s disclosure of her health information doesn’t impact a Covered Entity’s HIPAA obligations.  Even though a patient discloses her PHI to third parties when she complains to the media about a healthcare practice, in response to any inquiries about the complaint a HIPAA regulated Covered Entity or Business Associate may not publicly share any PHI of that patient with the media or anyone else.  The patient’s public disclosure of her health information does not open the door which would allow a HIPAA covered operation to publicly discuss her PHI.  In this instance it’s likely that the amount of the settlement with this three physician practice was increased due to the disclosure of PHI to a television station, where there is a large audience of individuals who were made aware of the PHI.  The OCR press release about this settlement indicated that substantial penalties apply when there are “egregious disclosures”.

As stated in the OCR’s November 26 Press Release “When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

In addition to the monetary settlement, Allergy Associates has entered into a Corrective Action Plan with HHS,  which includes obligations to develop policies and procedures for HIPAA compliance, train employees in HIPAA compliance, as well as other actions.

The OCR’s press release and the resolution agreement can be found at https://www.hhs.gov/about/news/2018/11/26/allergy-practice-pays-125000-to-settle-doctors-disclosure-of-patient-information-to-a-reporter.html

Note: This article is for informational purposes only, and does not constitute legal advice.

December 2018