Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies
On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations. According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal. While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies. Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies.
OCR claimed that the physician’s discussion with the reporter “demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by [the practice’s] Privacy Officer to either not respond to the media or respond with ‘no comment.’” In particular, OCR expressed concern about complaining patients having their protected health information shared with the media and also concluded that the practice “failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.”
The settlement here illustrates a number of important points. First, even small practices, and breaches involving as few as one patient, can be subject to enforcement actions and large settlements or penalties. Second, having policies and procedures is not enough. When workforce members (including physicians) violate those policies, the covered entity must sanction them in accordance with the policies. Finally, after uncovering a breach, it is important to implement corrective measures to ensure that the same type of breach does not happen again. Examples of corrective actions after a breach like this one include re-training employees on existing policies and implementing a policy requiring that statements to the media must be in writing and that the privacy officer must approve all statements in advance.