Public Information is Still Protected by HIPAA
Allergy Associates of Hartford, P.C., entered into a Resolution Agreement and agreed to pay $125,000 to the U.S. Department of Health and Human Services, Office for Civil Rights (HHS) in order to settle certain Health Insurance Portability and Accountability (HIPAA) violations relating to the impermissible disclosure of a patient's protected health information.
According to the Resolution Agreement, a patient filed a complaint against Allergy Associates with the Department of Justice and alleged that the healthcare provider had turned her away due to the patient utilizing a service animal. The patient also contacted a local television station to speak about this dispute. Thereafter, a reporter from the station contacted Allergy Associates to investigate the patient's claims. Although Allergy Associates' Privacy Officer had advised the workforce members to not comment on the matter to the media, a physician with Allergy Associates discussed the matter with the reporter. After learning of the disclosure and HHS notifying Allergy Associates that the agency had launched an investigation, Allergy Associates did not sanction the physician for the impermissible disclosure.
In addition to the payment of the settlement amount, Allergy Associates also entered into a Corrective Action Plan which required, among other things, that Allergy Associates report to HHS the sanctions and the mitigation steps the healthcare provider had taken in response to the disclosure incident.
This incident should serve as an important reminder that HIPAA still applies to protected health information even when individuals place their own information in the public domain. Covered entities and business associates may also want to consider adding specific information to their HIPAA policies and procedures relating to the handling of media inquiries, and make sure workforce members are trained on those policies.