Healthcare Information Security

HIPAA and Compliance News

Allergy Associates Settles with OCR for $125K over HIPAA Violation

The Connecticut-based specialist impermissibly disclosed a patient’s protected health information to a reporter with a “reckless disregard for the patient’s privacy rights.”


By Jessica Davis

Connecticut-based Allergy Associates of Hartford settled with the Office for Civil Rights for $125,000, for a 2015 incident involving impermissible disclosure of a patient’s protected health information to a reporter.

In February 2015, an Allergy Associates patient contacted a local news station to discuss a dispute between the patient and a provider. Allegedly, Allergy Associates turned the patient away because of their use of a service animal.

When the reporter contacted the doctor for a comment, the doctor impermissibly disclosed the patient’s data to the news station.

The Department of Justice sent OCR a civil rights complaint on Oct. 6, 2015 in response. OCR launched an investigation into Allergy Associates in collaboration with DOJ.

OCR found the doctor “demonstrated a reckless disregard for the patient’s privacy rights.” Further, the provider disclosed the patient’s information after he was instructed by an Allergy Associates privacy officer to either not respond to the reporter or say, “No comment.”

Not only did the doctor receive no disciplinary action for the event, Allergy Associates failed to take any corrective action following the impermissible disclosure.

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” OCR Director Roger Severino said in a statement. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

Along with the monetary settlement, Allergy Associates agreed to a corrective action plan. Under the agreement, the specialist must develop, maintain and revise written privacy policies and procedures around patient data and provide them to the Department of Health and Human Services within 60 days.

Any recommended changes from HHS will need to be implemented by Allergy Associates within 30 days of receipt. All workforce members must be given the updated policies and sign a compliance certification stating they will follow those rules.

The rules should include permissible and impermissible disclosures of PHI, especially around media disclosures. Further, Allergy Associates must address administrative, physical and technical safeguards around PHI use and disclosure, along with how the specialist intends to sanction employees who fail to meet these guidelines. The privacy rules must be reviewed annually and revised as needed.

Allergy Associates must also train its workforce on these rules within 60 days, and employees must sign a form attesting they’ve received training. And within 120 days, Allergy Associates must provide an update on implementing these guidelines and training to HHS.

Allergy Associates is just the latest to settle with OCR over media disclosures. In September, several Boston hospitals settled with OCR for almost $1 million for unauthorized disclosure of PHI, for allowing an ABC television crew to film patients without obtaining authorization.

