This article was originally published by the U.S. Department of Health and Human Services’ Office for Civil Rights on November 26, 2018.
Allergy Associates of Hartford, P.C. (Allergy Associates), has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Allergy Associates is a health care practice that specializes in treating individuals with allergies, and is comprised of three doctors at four locations across Connecticut.
In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates doctor. The reporter subsequently contacted the doctor for comment, and the doctor impermissibly disclosed the patient’s protected health information to the reporter.
OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates’ Privacy Officer to either not respond to the media or respond with “no comment.” Additionally, OCR’s investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.
In addition to the monetary settlement, Allergy Associates will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/allergyassociates/index.html.
HIPAA Resources from LAMMICO
Healthcare providers can prevent incidents such as this one from happening in their practice by knowing and complying with the HIPAA Rule. It is important to note that it is the responsibility of the entire office staff to maintain HIPAA compliance and protect patient information – not just the responsibility of the healthcare provider. LAMMICO offers an educational course titled “HIPAA for Office Staff: Everyone's Responsibility” through our subsidiary risk management company, Medical Interactive Community. LAMMICO insureds can log in as a Member at LAMMICO.com to access this complimentary education.
Additionally, LAMMICO offers our insureds a library of content and resources on HIPAA through our online risk management resource Practice Solutions. Log in as a Member at LAMMICO.com to access these complimentary resources. LAMMICO insureds can also request a HIPAA compliance consultation for their practices. Our consultative services include guidance to complete a Security Risk Assessment, customizable templates for forms, policies and procedures, and training for staff. The consultation will be tailored to the specific needs of the practice based on the results of a written or verbal assessment.
For more information on HIPAA, please contact the Risk Management and Patient Safety Department at 504.841.5211.