Here's a great reminder, unfortunately at the $125,000 expense of Allergy Associates of Hartford, that a patient can talk about their medical care online (e.g. Yelp!, etc.) or in person (e.g. a news reporter, etc.) but Covered Entities and Business Associates cannot.
OCR has settled a corrective action plan with Allergy Associates after a doctor at this practice was contacted in 2015 by a news reporter, following a patient contacting the news station to report a dispute, who confirmed details of the patient's care. Notably, OCR also reports that the practice's HIPAA Privacy Officer had already instructed the doctor to reply with "no comment" if contacted and that the practice failed to administer any corrective action following the protected health information unauthorized disclosure event. The corrective action plan includes the practice demonstrating compliance with the HIPAA Rules for two years.
Not many practices or hospitals can easily absorb a $125K unplanned expense. We're sure this practice also paid their lawyers quite a bit to help navigate and settle this case. Give our office a call if you need help educating your providers, or understanding compliance and risk.