Allergy Associates of Hartford, P.C. ("Allergy Associates"), has agreed to pay $125,000 to the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services ("HHS") and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule. Allergy Associates is a health care practice that specializes in treating individuals with allergies, and is comprised of three doctors at four locations across Connecticut.

In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates doctor. The reporter subsequently contacted the doctor for comment and the doctor disclosed the patient's PHI to the reporter. OCR's investigation found that the doctor's discussion with the reporter demonstrated a reckless disregard for the patient's privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates' Privacy Officer to either not respond to the media or respond with "no comment." Additionally, OCR's investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media. In addition to the monetary settlement and resolution agreement, Allergy Associates will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

Why did the doctor do this — it seems so obvious that you wouldn't discuss a patient on television, especially after being told not to? I have a hunch as to why the doctor did what he did: this looked to him like a malpractice case, and he wanted to defend himself, and in malpractice cases, once the patient puts his/her care at issue, it can be discussed more openly as part of the defense, as outlined in this HIPAA FAQ:

A covered entity may use or disclose protected health information as permitted or required by the Privacy Rule, see 45 CFR 164.502(a) (PDF); and, subject to certain conditions the Rule typically permits uses and disclosures for litigation, whether for judicial or administrative proceedings, under particular provisions for judicial and administrative proceedings set forth at 45 CFR 164.512(e) (GPO), or as part of the covered entity's health care operations, 45 CFR 164.506(a) (PDF). Depending on the context, a covered entity's use or disclosure of protected health information in the course of litigation also may be permitted under a number of other provisions of the Rule, including uses or disclosures that are:

  • required by law (as when the court has ordered certain disclosures),
  • for a proceeding before a health oversight agency (as in a contested licensing revocation),
  • for payment purposes (as in a collection action on an unpaid claim), or
  • with the individual's written authorization.

Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of "health care operations" at 45 CFR 164.501 (GPO) includes a covered entity's activities of conducting or arranging for legal services to the extent such activities are related to the covered entity's covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse), including legal services related to an entity's treatment or payment functions. Thus, for example, a covered entity that is a defendant in a malpractice action or a plaintiff in a suit to obtain payment may use or disclose protected health information for such litigation as part of its health care operations. The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d).

But this wasn't a malpractice case and it was wrong to talk to the reporter about the patient without consent. So the appropriate response would be "No comment" or "I can't comment on the substance of the allegations without the patient's consent." Of course, you could add, "If you get the patient's consent, I'd be happy to talk to you."

To view Foley Hoag's Security, Privacy and The Law Blog please click here
