A private practice (Practice) comprising three physicians has agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $125,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). While the fine is small compared with OCR’s October announcement of the $16 million settlement with Anthem, it confirms OCR’s ongoing commitment to enforcing HIPAA compliance, regardless of an organization’s size or the number of impacted individuals. Additionally noteworthy is that this enforcement action originated with a civil rights complaint filed by the Connecticut Office of Protection and Advocacy for Persons with Disabilities with the U.S. Attorney’s Office for the District of Connecticut, which initiated a joint investigation into the matter with OCR.

In February 2015, a patient of the Practice contacted a local television station to inform a reporter of a dispute with one of the Practice’s physicians related to the patient’s service animal. When the reporter contacted the physician for comment, the physician responded to the inquiry and, in the process, released the patient’s protected health information (PHI) to the public, even though the Practice’s privacy officer had counseled the physician not to respond to the reporter or to respond only with “no comment.” OCR determined that the physician’s conversation with the media demonstrated reckless disregard for the patient’s privacy rights, and further found that the Practice failed to take corrective action or sanction the physician following the impermissible disclosure.

In addition to the fine, the Practice agreed to enter into a two-year Corrective Action Plan (CAP), which requires it to, among other things: (1) update its HIPAA privacy policies and procedures related to media inquiries, training, and workforce sanctions; (2) retrain its workforce on the updated policies and procedures; and (3) take corrective measures and impose sanctions for the physician’s noncompliance in connection with the February 2015 impermissible disclosure.

This settlement is not the first to address the perils of healthcare providers’ interactions with the media. For example, OCR announced on September 20, 2018 that it entered into multiple HIPAA settlements totaling $990,000 with three health systems involving filming of a television network documentary series without first obtaining patient authorizations. On June 13, 2013, OCR also announced a $275,000 settlement with a medical center following publication of a newspaper article indicating that two of the medical center’s senior leaders met with the media to discuss medical services provided to a patient without the patient’s authorization.

It is important to remember that the fact that the patient has put his or her medical information at issue does not mean that the provider is authorized to similarly discuss the patient’s medical information in a public forum. From a HIPAA compliance perspective, providers are better served by either being generic in their responses to media inquiries or not responding to such inquiries at all. Even the mere acknowledgment that an individual is the provider’s patient may be an impermissible disclosure of PHI. To ensure compliance with the Privacy Rule, complaints are best addressed in confidence with the patient.

This settlement also joins several others where OCR noted a failure to sanction workforce members who have not complied with the covered entity’s privacy policies. Covered entities should ensure they adopt and implement a sanctions policy, consistently apply that policy when sanctions are appropriate, and document the actions taken pursuant to such policy.

OCR’s press release and resolution agreement with the Practice are available here.

For help with responding to a HIPAA complaint or investigation initiated by OCR or a state attorney general, developing or updating a HIPAA compliance program, or any other inquiries, please contact one of the authors.