The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), announced that a small professional association with three doctors and four locations (the “Practice”) has agreed to pay $125,000 and adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The potential violations occurred when a provider at the Practice responded to a television news reporter’s questions about a patient complaint, even though the Practice’s HIPAA Privacy Officer had instructed the provider not to respond or simply say “no comment.” Additionally, in the Resolution Agreement, OCR made particular note that the provider was not sanctioned for this impermissible disclosure.
Covered entities and providers are often frustrated when they feel unable to correct or clarify a news report about the care provided to a patient. This is especially the case when not just a particular entity but a specific provider is named in the news. However, even if only one side of the story is publicized, responding in a manner that violates HIPAA is not the proper course of action. Covered entities should have a thoughtful plan in place to respond to media requests in a compliant manner. When contacted by the media, covered entities do have certain options, provided that they do not identify the patient or confirm that they treated the patient making the complaint. Potential responses may include:
- Assigning a patient care representative to contact the patient and work to resolve the issue, if possible.
- Without confirming anything about the particular situation at hand, emphasize to the media that it is the covered entity’s policy, in accordance with HIPAA, not to respond to requests from reporters unless a patient has signed a valid HIPAA authorization.
- Highlight the policies or steps that generally are available to a patient making a complaint. For example, for a story about prices charged, a general explanation about health care costs and financial assistance plans that are available to patients could be discussed.
This settlement should remind covered entities of the importance of safeguarding patient information, even under difficult circumstances. To mitigate the risk of a similar violation, covered entities should:
- Review policies and procedures pertaining to media requests;
- Train workforce members to follow those policies and procedures and to understand the risks of responding to media requests;
- Ensure that all media requests for comments regarding patients are assessed by the Privacy Officer and legal counsel experienced in HIPAA matters;
- Utilize carefully prepared written statements rather than interviews when responding to media requests; and
- Sanction workforce members appropriately and consistently when they violate a covered entity’s HIPAA policies and procedures.
For further information about privacy and security compliance and data breach response, please contact: