publications full of ideas

Physician TV Interview Incurs $125,000 HIPAA Fine


No human instinct is as ingrained as the desire to defend oneself against unjust criticism. But that instinct must be tamed where personal health information is involved. A Connecticut medical practice has just learned that lesson — and at significant cost.

The incident began when the practice turned away a patient with a service animal. The aggrieved patient went to the media with her story. A local TV station took up her cause. A reporter sought comment from the practice. The practice Privacy Officer recommended that no comment be offered.

Ignoring this recommendation, one of the practice's physicians elected to speak to the reporter. During the conversation, the physician allegedly disclosed some of the patient’s protected health information. The patient complained to the Justice Department, which referred the matter to OCR. OCR launched an investigation that concluded that the practice had impermissibly disclosed personal health information in violation of the HIPAA Privacy Rule—45 C.F.R. § 164.502(a). The investigation also determined that the practice had failed to undertake any corrective action against the physician.

The practice agreed to settle with no admission of liability. Together with paying the fine, it agreed to implement a stringent correction plan to verify HIPAA compliance. The episode underscores the perils of a quick-draw response to hostile media or patient queries. Even if a patient publicly (and perhaps even unjustly) criticizes the physician or covered entity, OCR may interpret HIPAA to require the latter parties to hold their peace.

At a minimum, the covered entity must tread very carefully. If a covered entity feels compelled to address public allegations, it must do so while conforming to HIPAA requirements. As always, when in doubt, consult with counsel.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or Mike may be reached at 919.783.2851 or

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.

related information

what's new at the firm

2019 Charlotte Employment Seminar: Navigating Risks in the Workplace


Wednesday, May 15th at 2 P.M. Join us as we discuss the impact of #metoo and managing risks in retirement plans.

Employee Benefits Day Webinar: Executive Compensation


Attracting and retaining executives and key employees is critical to an organization's success. As a result, offers of employment often come with special perks and promises. These additional benefits are essential in attracting the executive, but can create unintended liabilities. This session will identify common issues associated with executive compensation arrangements, discuss the potential liability, and provide practical tips to allow you to spot potential issues before they become liabilities.

Poyner Spruill’s First Ever NCAA Tournament Party


This year we will be hosting our first annual NCAA Party!

Mayo named Client Choice Award winner in North Carolina


RALEIGH, N.C. — Poyner Spruill partner Kelsey Mayo has been named the 2019 Client Choice Award winner in the Employment & Benefits category for North Carolina.

Terminating Employment: Best Practices to Navigate the Termination Minefield


How an employer manages an employment termination is often the determinative factor in whether an employee sues for wrongful termination. This webinar discussion focuses upon best practices that should be used to minimize frequency of post-termination lawsuits, severance and release considerations, and essential planning and documentation for termination of an employee.