OCR reaches $125,000 settlement with allergy practice over PHI disclosure

The Office for Civil Rights (OCR) reached a $125,000 settlement with Allergy Associates of Hartford, P.C., in Hartford, Connecticut, after a HIPAA breach where a doctor disclosed a patient’s protected health information (PHI) to a local television reporter.  

According to the agency’s statement released on November 26, the incident occurred in February 2015 when a patient of Allergy Associates contacted a local television station to speak about a dispute that occurred with an Allergy Associates’ doctor. The reporter from the station contacted the doctor, and the breach occurred during that conversation.

OCR’s investigation found that the doctor’s discussion with the reporter was a case of reckless disregard for the patient’s privacy. OCR also determined the doctor had been previously instructed by a privacy officer at Allergy Associates to not respond to the media or to respond with “no comment.” Additionally, Allergy Associates did not take any disciplinary or corrective action following the disclosure.

In addition to the fine, Allergy Associates will adopt a corrective action plan and be subject to two years of monitoring their HIPAA compliance. You can read the resolution agreement here.

Allergy Associates is a healthcare practice comprised of three doctors at four locations across Connecticut. HIPAA requires that covered entities (CE) report breaches affecting more than 500 individuals to prominent media outlets that serve the state or jurisdiction where the breach occurred, but this incident serves as a reminder to all CEs that small practices and small breaches can also be subject to large penalties.