An exasperated doctor talked to a reporter who called to ask about a patient complaint. But they shouldn’t have!
The doctor was warned by the practice’s HIPAA Privacy Officer not to talk to the media but ignored the advice and paid the price.
Allergy Associates of Hartford, P.C. (Allergy Associates) agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule. Allergy Associates is a health care practice that specializes in treating individuals with allergies, and comprises three doctors at four locations across Connecticut. The case was settled in 2018.
Patients May Disclose Their Own Information, but Their Doctors May Not
The frustrated patient, unhappy with their doctor, contacted a local television station to speak about a dispute that had occurred between the patient and the Allergy Associates’ doctor. The reporter then contacted the doctor for comment and the doctor impermissibly disclosed the patient’s protected health information (PHI) to the reporter.
The doctor may have been under the impression that, because the patient had first disclosed their own information, the patient had consented to the later disclosure by the doctor. This is not true. Patients may discuss their own PHI publicly, but the covered entities and business associates involved in their care must follow HIPAA and maintain the privacy and security of the patient unless the patient expressly authorizes such a disclosure.
Remember, too, that PHI is defined very broadly – it does not need to contain a diagnosis or symptoms. Simply acknowledging the name of a patient, or confirming that a certain person is a patient at a health care facility, is an impermissible disclosure of PHI. Review the 18 “identifiers” of PHI here.
Privacy Officers are Guardians of Patient Privacy and Your Organization’s Reputation
The “almost-Hero” of this story is the Privacy Officer who knew the law and tried to prevent this breach. The Privacy Officer is in charge of the HIPAA compliance program and the person to ask, the person to listen to, when it comes to maintaining compliance.
If the exasperated doctor who was frustrated with the situation had listened and followed the advice of the Privacy Officer, they would have preserved the practice’s reputation and avoided the $125,000 fine.
Every Question is Answered in The HIPAA E-Tool®
Privacy Officers can rely on The HIPAA E-Tool® for answers to all their questions, with legal citations to back up the policies, if needed. There is no reason to make this kind of mistake when help is available – affordable, trustworthy and up-to-date. Become a HIPAA Hero with backup from The HIPAA E-Tool®.