Small Breaches Can Be Subject to Large Penalties


Stanley Nachimson

This auditing and compliance “Tip of the Week” was originally published by the National Alliance for Medical Auditing Specialists (NAMAS), a division of DoctorsManagement.

We have all heard about the large settlements and penalties that the Office for Civil Rights (OCR) has imposed on big organizations such as Anthem or the University of Texas MD Anderson Cancer Center. These organizations made the news because of breaches that violated the HIPAA Privacy and Security Rules. A recent incident, however, reminds us that OCR also takes enforcement action against small physician offices, and for a small practice the sums involved can be considerable.


Allergy Associates of Hartford is a relatively small practice, consisting of three doctors and four offices in Connecticut. The practice recently agreed to a $125,000 settlement with OCR because of a privacy violation. The HHS statement, available on the HHS website, is an example of what not to do and of what the consequences can be. A brief summary of the statement follows.


In February 2015, an Allergy Associates patient contacted a local television station to discuss a dispute between that patient and an Allergy Associates doctor. A reporter from the station followed up with the doctor, who proceeded to impermissibly disclose the patient's protected health information.


OCR investigated and found that the doctor's discussion with the reporter demonstrated "a reckless disregard for the patient's privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates' Privacy Officer to either not respond to the media or to respond with no comment." To make matters worse, the practice took no disciplinary action against the doctor and no corrective action following the impermissible disclosure.


The settlement and the publicity around this event are not meant to scare practices. They provide an opportunity for all of us working in practices to learn what not to do, and what to do, in complying with the HIPAA Privacy (and Security) Rules.


What should physician practices take from this incident and the OCR response? First, providers must always be diligent in protecting patient privacy in all communications, in the office or elsewhere. The HIPAA privacy requirements apply to protected health information in every form, whether electronic, written, or spoken. Second, OCR takes violations of the Privacy Rule seriously regardless of the organization's size. Finally, every organization must have a sanctions (disciplinary) policy for privacy breaches, as the Privacy Rule requires. Employees should be well aware of this policy, and it must actually be applied when breaches occur; in this case the absence of any sanction was part of what OCR cited.


A practice of any size must meet the requirements of the Privacy Rule. These include designating a privacy officer, maintaining a written set of policies and procedures, and holding periodic training sessions for all employees. Together these measures reduce, and ideally eliminate, the chance of a privacy breach.


Besides paying the $125,000, Allergy Associates must carry out a corrective action plan that includes two years of OCR monitoring of its HIPAA compliance, a further burden on the practice that could have been avoided.


Remember that OCR does not need to wait for a patient complaint to open a HIPAA investigation. It can start an investigation based on newspaper articles or television segments, Internet articles, Facebook posts, or other publicly available evidence, which is exactly how a dispute aired on local television can turn into a federal enforcement action.



This Week’s Audit Tip Written By:

Stanley Nachimson

Stanley Nachimson is principal of Nachimson Advisors, a health IT consulting firm dedicated to finding innovative uses for health information technology and encouraging its adoption.
