The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with a dental practice (“Practice”) that has agreed to pay $62,500 to settle potential violations of the HIPAA Privacy Rule and to take corrective action, after impermissibly disclosing patient PHI to a political campaign manager and a marketing company for purposes related to a state senate campaign.
The owner of the Practice ran for a state senate seat in Alabama. As part of the campaign process, the owner shared patient information, including names and addresses of almost 4,000 patients, with the owner’s election campaign manager. The campaign manager mailed letters to the patients, which were printed on campaign letterhead but addressed to the patients as “Dear Valued Patient.”
Additionally, the Practice emailed over 5,000 patients about the campaign, using a third-party marketing company. The email was signed as if it were from the Practice. The Practice shared patient names and email addresses with the third-party marketing company. This service provided by the marketing company fell outside the services arrangement the Practice had in place with the marketing company.
OCR found that two impermissible disclosures of PHI occurred: the first was the disclosure to the campaign manager, and the second was the disclosure to the third-party marketing company. OCR also indicated that the Practice had not designated a privacy officer and had not implemented policies and procedures to comply with the HIPAA Privacy and Breach Notification Rules.
As a result of this settlement, covered entities should consider the following:
- It is a common misperception that unless “medical” information is shared, individually identifiable information is not considered PHI subject to HIPAA. This is not the case. Patient information, including names or contact information that might otherwise be publicly available, when held by a covered entity such as the Practice, cannot be shared except as permitted or required by HIPAA.
- If a services arrangement with a vendor who is acting as a business associate of a covered entity does not contemplate a particular use or disclosure of PHI, then the covered entity must amend or draft a new agreement to cover the new use or disclosure of PHI. If not, the very disclosure to the business associate may be considered an impermissible disclosure under HIPAA.
- Covered entities, regardless of their size, must have policies and procedures and a competent Privacy Official to serve as a guide for ensuring that PHI is used and disclosed only in a HIPAA-compliant manner.
If you have any questions or would like additional information about this topic, please contact:
- Mark Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com;
- Patricia Connelly at (317) 429-3654 or pconnelly@wp.hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.