A Connecticut physician group recently agreed to pay $125,000 to settle a claim of “reckless disregard” for a patient’s privacy rights. The group contacted the local television station to give a statement about a dispute between its patient and one of its doctors. A reporter contacted the doctor, who “impermissibly disclosed the patient’s protected health information.” The Office of Civil Rights investigated and concluded that the doctor had shown “reckless disregard” after the doctor was instructed by the group’s privacy officer to respond with “no comment.” The group failed to discipline the doctor or take corrective action.
Take-home: while a patient has an unfettered right to disclose their private health information in public and to the media, a covered entity does not. There is no “media exception” to the Privacy Rule.
On October 22, 2016, the FTC issued new guidance to all those subject to the HIPAA Privacy Rule, including “downstream” business associates. “Once you’ve drafted a HIPAA authorization, you can’t forget the FTC Act,” which prohibits deceptive or unfair acts or practices affecting commerce. According to the FTC, this includes the duty to avoid misleading others about what is happening with their health information. “Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression.” The FTC includes a “.com Disclosures report” for guidance on creating effective privacy practices disclosures. The FTC warns against inconsistent language in privacy practices disclosures and contradictions regarding when information may be displayed publicly.
Please click this link for more information: https://www.ftc.gov/system/files/documents/plain-language/pdf-0219_sharing-health-info-hipaa-ftcact.pdf
You can’t make this stuff up.
On December 19, 2015, Radiology Regional Center, an outpatient diagnostic facility, sent paper records of 480,000 patients to the incinerator for disposal. Apparently, the driver of the truck failed to lock the storage compartment door adequately before leaving. Along the way, the door opened and the patient records fell out of the truck. According to news sources, employees and physicians of Radiology Regional attempted to gather up all of the records. The employees returned to the scene two more times to look for any remaining records. Although it was believed the staff recovered all of the records, Radiology Regional notified 480,000 patients of the breach. In remediation, Radiology Regional moved its records disposal business to a different contractor.
Although the focus of most news reports is on electronic data privacy, this story is a good reminder of the importance of maintaining the privacy of tangible items as well.
For more information on Copeland, Stair, Kingma & Lovell’s Health Law & Regulation Update Blog, please click here.