Health Provider Must Pay HHS $125,000 for Disclosing PHI to the Press | Practical Law

The Department of Health and Human Services (HHS), Office for Civil Rights announced a $125,000 settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement, which involved a health provider's disclosure of a patient's protected health information (PHI) to a news reporter, also requires the provider to adopt a corrective action plan (CAP).

Practical Law Legal Update w-017-7746 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 27 Nov 2018 | USA (National/Federal)
On November 26, 2018, HHS announced a $125,000 settlement with a Connecticut-based health provider for potential violations of the HIPAA Privacy Rule (see Practice Note, HIPAA Privacy Rule and HIPAA Privacy, Security, and Breach Notification Toolkit). The health provider, a HIPAA covered entity that specializes in treating individuals with allergies, must also adopt a corrective action plan (CAP) that addresses the provider's HIPAA policies and procedures.

HHS's Investigation Focused on Disclosure of PHI to the Press

This enforcement action arose from a dispute in early 2015 between the health provider and one of its patients, who claimed she was turned away from the provider because of her use of a service animal. The patient discussed the dispute with a local television station, which later contacted the health provider's office for comment on the dispute. In responding, the doctor involved in the dispute disclosed the patient's protected health information (PHI) to a news reporter for the station. On investigating the dispute, HHS found that the doctor discussed the dispute with the reporter despite being advised by the health provider's privacy officer to either not respond at all to the media or to respond with a "no comment." According to HHS, the health provider also failed to sanction the doctor for the impermissible disclosure of PHI.

Corrective Action Plan

In addition to paying HHS $125,000 to settle the action, the health provider must satisfy a CAP that requires it to develop, maintain, and update its written HIPAA policies and procedures. The revised HIPAA policies and procedures must incorporate HHS's comments on review, and HHS must also approve the health provider's revisions to its policies and procedures. Once HHS approves the revised policies and procedures, the health provider must timely distribute them to all workforce members. During the CAP's two-year term, the provider must update its policies and procedures at least annually or as necessary and obtain HHS's approval of any revisions.

Content Requirements for Policies and Procedures

The CAP sets out several substantive provisions that must be addressed in the provider's revised HIPAA policies and procedures. Specifically, the policies and procedures must include:
  • Instructions and procedures addressing permissible and impermissible uses and disclosures of PHI, including for media inquiries.
  • Instructions and procedures for administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure, including for media inquiries (see Practice Note, HIPAA Security Rule).
  • Instructions and procedures addressing what is PHI and how to communicate with and respond to the media, including with regard to patient-related inquiries.
  • Protocols for training all the health provider's workforce members who use and disclose PHI to ensure that they know how to comply with the governing policies and procedures, as revised (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).
  • Use of appropriate sanctions against the health provider's workforce members who fail to comply with the policies and procedures (see Practice Note, HIPAA Security Rule: Security Management Process).

Reportable Events, Training, and Sanctions

A section of the CAP addressing reportable events requires the health provider to promptly investigate and report any information it receives regarding its workforce members' noncompliance with the HIPAA policies and procedures.
The health provider must also update its HIPAA training materials, obtain HHS approval for the revised materials, and provide HIPAA training for all workforce members (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). The training materials must be reviewed and updated as necessary at least once a year.
The health provider must also inform HHS of the sanctions it took against workforce members involved in the conduct that resulted in HHS's investigation (presumably including the doctor who disclosed PHI to the media).

Practical Impact

It's unclear from HHS's description of the dispute specifically what patient PHI the doctor disclosed to the media. Regardless, HIPAA covered entities must be very careful about how they respond to press inquiries. Though the doctor may have simply intended to get out the provider's side of the story, a "no comment" response – as recommended by the provider's own privacy officer – would likely have been the better approach. For its part, HHS characterized the doctor's discussion with the news reporter as demonstrating a "reckless disregard" for the objecting patient's privacy rights.
Another interesting aspect of this settlement involves how government agencies may coordinate with one another in pursuing situations with HIPAA privacy implications. Here, HHS began a joint investigation with the Department of Justice (DOJ) after receiving a copy of a civil rights complaint filed with the DOJ on the patient's behalf. The complaint included allegations that the health provider had impermissibly disclosed the patient's PHI.