HIPAA Settlement Reminds Practices to Avoid Public Response to Patient Complaints
December 18th, 2018
Physicians and practices know that HIPAA prohibits them from publicly sharing patient information without first obtaining a valid authorization. But the temptation to share this information can feel hard to resist, especially when face with negative public comments about care provided. A recent HIPAA settlement reinforces the need for physicians and practices to exercise restraint when publicly addressing patient care and make sure that their response is compliant with privacy laws.
The HHS Office for Civil Rights (OCR) on Nov. 26 announced a settlement with Allergy Associates of Hartford, a three-physician practice with four locations across Connecticut. The practice paid $125,000 to settle a doctor’s disclosure of patient information to a reporter.
The events leading to the settlement began in Feb. 2015, when an Allergy Associates patient contacted a local television station about a dispute with her physician. The patient alleged that she was turned away from the practice because of her use of a service animal. When contacted by a reporter from the television station for comment, the physician disclosed protected information about the patient. The doctor made these comments to the reporter after the Privacy Officer for Allergy Associates had instructed the physician to either refuse to respond or reply with “no comment.” After the conversation between the reporter and the physician, Allergy Associates took no disciplinary or corrective action against the doctor.
In OCR’s press release, OCR Director Roger Severino said, “When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media.” This warning remains applicable whether the patient complains to a reporter, contacts the Better Business Bureau, or posts a grievance on a public website such as Yelp. Regardless of motivation, physicians and practices cannot disclose patient information to defend themselves without valid HIPAA authorization, even if the patient has publicly discussed the same information. If a practice discovers that any member of its staff has violated this requirement, they need to impose appropriate disciplinary action.
Medical practices must confirm that their responses to public patient complaints comply with all HIPAA requirements. As a rule, these issues should be handled privately, and doctors should not engage in any public debate on these issues. We recommend that practices take the following steps in response to these types of complaints and any related inquiries:
- Give only generic responses that do not relate to the specific patient or complaint. Physicians should neither confirm nor deny that a patient has been seen or treated at the practice. There should be no statement addressing the concern raised by the patient. In most cases, a response of “no comment” or “We do not comment on patient issues” is sufficient. In some cases, such as in response to an inquiry from the Better Business Bureau (where a failure to respond may be held against the practice), a slightly longer response may be necessary. An example of an effective and HIPAA-compliant response under these circumstances could be, “Thank you for the information regarding [name (if given)]. We take pride in delivering excellent care to our patients. If a patient is unhappy with the care or treatment they have received, we welcome the opportunity to discuss these concerns directly with the patient.”
- Contact the patient directly. In many instances, the identity of the patient making the complaint about the practice will be disclosed. When this is the case, practices should attempt to contact him or her directly. If the patient can be reached, the practice representative should focus on listening, being empathetic, and trying to resolve the concern. Practices should document all communications with patients, including the issues discussed and any resolution reached.
Medical Mutual members should consider consulting an attorney or reaching out to their insurance representative for assistance with identifying appropriate ways to respond to public complaints.
Disclaimer: This post is written in general terms and is not a substitute for legal advice or intended to create an attorney-client relationship.
Sam Cohen is Medical Mutual’s Senior Vice President of Health Policy. Medical Mutual members may contact him directly at email@example.com and 919.878.7602. Readers also can follow him on Twitter @samuel_c_cohen.