OCR Issues HIPAA Fine to Small Health Care Provider for Media Disclosure
On November 26, 2018, the Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), announced that it had entered into a settlement agreement with Allergy Associates of Hartford, P.C. (Allergy Associates) regarding alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The settlement requires Allergy Associates to pay the OCR $125,000.00 and enter into a two-year Corrective Action Plan. Allergy Associates, a physician practice with four office locations in Connecticut, is comprised of four physicians and two mid-level providers. Despite the seemingly low settlement figure, this fine relates to a HIPAA Privacy Rule breach involving only one patient and is, therefore, significant in that it emphasizes the OCR’s focus on investigating smaller covered entities for breaches that affect very few patients. In fact, since 2015, the OCR has placed an emphasis on investigating smaller covered entities as well as breaches that affect less than 500 individuals following a report issued by the HHS Office of Inspector General finding that the OCR had historically focused its investigation efforts on larger covered entities and breaches affecting over 500 individuals.
The incident leading to the fine occurred in February of 2015. At that time, a patient presented to Allergy Associates for treatment while accompanied by a service dog and was allegedly asked to leave by an Allergy Associate physician because he and many of his patients were allergic to dogs. Following the incident, the patient reached out to a local TV station to voice her dissatisfaction with Allergy Associates and the TV station wrote a story about the incident and recorded an interview with the patient. The TV station also reached out to the Allergy Associates physician who allegedly ordered the patient to leave the office for his comment. According to the TV station, the physician would not provide a comment “on the record” but did speak with a reporter about the incident.
At or near the time she reached out to the TV station, the patient also filed a complaint with the Department of Justice (DOJ), alleging Allergy Associates had violated her civil rights under the Americans with Disabilities Act. The DOJ then forwarded the patient’s complaint to the OCR, which conducted an investigation into whether or not the patient’s rights under HIPAA had been violated.
The OCR’s investigation revealed that the Allergy Associate’s physician who spoke with the reporter had disclosed the patient’s protected health information (PHI) during the course of the interview. Moreover, the OCR discovered that Allergy Associate’s Privacy Officer had instructed the physician to either not respond to the reporter’s inquiry or respond with “no comment.” Finally, its investigation revealed that Allergy Associates did not sanction the physician after learning of the unauthorized disclosure.
Since 2013, the OCR has fined seven different covered entities 1 for reasons involving, at least in part, unauthorized disclosures of PHI to the media in violation of the HIPAA Privacy Rule. Notably, in 2016, OCR fined Memorial Herman Health System for conduct similar to Allergy Associates’ conduct. In that situation, a patient who presented for care at one of Memorial Hermann's facilities was arrested after presenting an allegedly fraudulent ID. The incident drew negative national media attention as the patient was an undocumented immigrant and, following her arrest, it was believed she may face deportation proceedings. In an attempt to defend itself from a public relations perspective, Memorial Hermann submitted a statement to several media outlets, which included the patient’s name. The statement was also posted to Memorial Hermann's website. The OCR determined that Memorial Hermann violated HIPAA by disclosing the patient’s PHI to the media outlets even though the patient’s identity became public through police records. Memorial Hermann agreed to pay $2.4 million in fines and entered into a two-year corrective action plan with the OCR.
The HIPAA Privacy Rule generally does not permit covered entities to disclose an individual’s PHI to the media without first obtaining written authorization from the individual. This rule applies even if the individual’s information is previously known to the media (as was the case in this situation).
While there is a limited exception to this rule (involving information reflected in a facility directory), HIPAA best practice dictates that covered entities have written policies specifically describing how media inquiries should be handled by their workforce members. These policies should make clear that PHI should not be disclosed to the media without first obtaining an individual’s authorization, while also addressing the limited exception to this rule. Such procedures should also reflect that statements made without individual authorization should be in terms general enough to apply across a population.
In this situation, the following is an example of a statement the physician could have permissibly made to the media: “It is the policy of Allergy Associates to create a safe and comfortable environment for all patients we care for; if, at any time, we believe the health or wellbeing of our patients is put in jeopardy, we seek to remedy the situation as best we can.” From a HIPAA perspective, the statement is permissible because it only discloses the practice’s general policy of creating a safe environment for all patients. It does not reveal any specific facts of the incident that could be used to identify the patient, even though the patient is known to the media and the practice could be said to be responding to, or defending itself against, the patient’s allegations made through the media.
HIPAA also requires covered entities to create, apply, and document sanctions imposed on its workforce members that violate HIPAA, regardless of the workforce member’s position. In this situation, although proximately connected to the unauthorized disclosure, Allergy Associate’s failure to properly sanction the physician responsible for the unauthorized disclosure was a separate violation of the HIPAA Privacy Rule.
Given this fine, as well as those preceding it, HIPAA covered entities of all sizes should enact or review their existing policies describing how media inquires are to be handled. These policies should make clear that individual authorization is needed in most instances before PHI can be disclosed to the media and should also reflect that statements made without individual authorization should be in terms general enough to apply across a population. Covered entities should also ensure that their workforce members are familiar with these policies and that those who violate the policies are appropriately sanctioned or disciplined in accordance with the policies. Covered entities of all sizes that fail to take these steps run the risk of violating HIPAA and, accordingly, a comprehensive legal review of media policies is advisable as is consultation with HIPAA counsel in the event that any concerns arise relating to compliance with such policies.
1See 45 CFR 160.103 for HIPAA’s complete definition of “covered entity”; however, the definition includes health care providers that engage in certain electronic financial or administrative transactions related to health care.