Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015. A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI. After Allergy Associates learned that HHS was investigating this incident, no disciplinary action was taken against the doctor. According to the Resolution Agreement:
(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).
(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. §164.530(e)(l).
According to the HHS press release:
“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”