Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies
Wednesday, November 28, 2018
3 physicians fined for failure to comply with HIPAA policies
Print Mail Download i

On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations.  According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal.  While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies.  Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies.

OCR claimed that the physician’s discussion with the reporter “demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by [the practice’s] Privacy Officer to either not respond to the media or respond with ‘no comment.’”  In particular, OCR expressed concern about complaining patients having their protected health information shared with the media and also concluded that the practice “failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.”

The settlement here illustrates a number of important points.  First, even small practices, and breaches involving as few as one patient, can be subject to enforcement actions and large settlements or penalties.  Second, having policies and procedures is not enough.  When workforce members (including physicians) violate those policies, the covered entity must sanction them in accordance with the policies.  Finally, after uncovering a breach, it is important to implement corrective measures to ensure that the same type of breach does not happen again.  Examples of corrective actions after a breach like this one include re-training employees on existing policies and implementing a policy requiring that statements to the media must be in writing and that the privacy officer must approve all statements in advance.

© Copyright 2024 Murtha Cullina

Current Legal Analysis

More from Murtha Cullina

Securities Group News: A Refresher (and update) On Data Privacy Requirements for Investment Advisors in the Commonwealth
by: Anthony R. Leone
New York City Considers Paid Vacation and the Right to Disconnect
by: Salvatore G. Gangemi
January 3, 2019 - Tax Group News: IRS Issues Initial Guidance on Deferral Option for Qualified Equity Grants
by: Marc T. Finer
Connecticut’s Salary History Inquiry Prohibition Effective As Of January 1, 2019
by: Matthew K. Curtin
Federal Court Dismisses Federal Securities Class Action Based on Data Breach
by: Edward B. Whittemore
Ten Things You Should Know About the 2019 Session of the Connecticut General Assembly
by: David J. McQuade
Another HIPAA Breach, Another 6-Figure HIPAA Settlement
by: Daniel J. Kagan
OCR Issues Anticipated RFI on HIPAA Modifications
by: Dena M. Castricone
Can Your Transfer of Family-Owned Business Stock or Assets be Avoided as a Fraudulent Transfer?
by: Michael P. Connolly
A Year-End Estate and Financial Planning Checklist: Make Your List and Check it Twice
by: Lisa P. Staron

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins