No human instinct is as ingrained as the desire to defend oneself against unjust criticism. But that instinct must be tamed where personal health information is involved. A Connecticut medical practice has just learned that lesson — and at significant cost.
The incident began when the practice turned away a patient with a service animal. The aggrieved patient went to the media with her story. A local TV station took up her cause. A reporter sought comment from the practice. The practice Privacy Officer recommended that no comment be offered.
Ignoring this recommendation, one of the practice’s physicians elected to speak to the reporter. During the conversation, the physician allegedly disclosed some of the patient’s protected health information. The patient complained to the Justice Department, which referred the matter to OCR. OCR launched an investigation that concluded that the practice had impermissibly disclosed personal health information in violation of the HIPAA Privacy Rule—45 C.F.R. § 164.502(a). The investigation also determined that the practice had failed to undertake any corrective action against the physician.
The practice agreed to settle with no admission of liability. Together with paying the fine, it agreed to implement a stringent correction plan to verify HIPAA compliance. The episode underscores the perils of a quick-draw response to hostile media or patient queries. Even if a patient publicly (and perhaps even unjustly) criticizes the physician or covered entity, OCR may interpret HIPAA to require the latter parties to hold their peace.
At a minimum, the covered entity must tread very carefully. If a covered entity feels compelled to address public allegations, it must do so while conforming to HIPAA requirements. As always, when in doubt, consult with counsel.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.