December 3, 2020

Volume X, Number 338

Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies

On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations.  According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal.  While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies.  Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies.

OCR claimed that the physician’s discussion with the reporter “demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by [the practice’s] Privacy Officer to either not respond to the media or respond with ‘no comment.’”  In particular, OCR expressed concern about complaining patients having their protected health information shared with the media and also concluded that the practice “failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.”

The settlement here illustrates a number of important points.  First, even small practices, and breaches involving as few as one patient, can be subject to enforcement actions and large settlements or penalties.  Second, having policies and procedures is not enough.  When workforce members (including physicians) violate those policies, the covered entity must sanction them in accordance with the policies.  Finally, after uncovering a breach, it is important to implement corrective measures to ensure that the same type of breach does not happen again.  Examples of corrective actions after a breach like this one include re-training employees on existing policies and implementing a policy requiring that statements to the media must be in writing and that the privacy officer must approve all statements in advance.

© Copyright 2020 Murtha Cullina

National Law Review, Volume VIII, Number 332

About this Author

Dena Castricone, Murtha Cullina Law Firm, Privacy and Cybersecurity Attorney

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups.  She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...

Daniel Kagan, Murtha Cullina, health care attorney, regulatory compliance lawyer, reimbursement issue legal counsel

Mr. Kagan is an associate in the Health Care Group of Murtha Cullina.  He represents hospitals, physicians and other health care clients with a wide range of regulatory, compliance, risk management and reimbursement issues.

Prior to joining Murtha Cullina, Mr. Kagan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Mr. Kagan received his J.D. with honors from the University of Connecticut Law School where he was a Notes and Comments Editor ...