Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
USA: OCR announces $30,000 settlement with Manasa Health Center relating to potential violations of the HIPAA Privacy Rule
On June 5, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had reached a settlement with Manasa Health Center, LLC. The settlement requires Manasa to pay the OCR $30,000 and to undertake a Corrective Action Plan (CAP). These penalties settle a potential violation of the Code of Federal Regulations (C.F.R.) in accordance with the Health Insurance Portability and Accountability Act Privacy and Security Rules (HIPAA Rules), following the submission of a complaint to the OCR.
Background to the case
In particular, the OCR explained that it had opened an investigation in response to a complaint it received, which alleged that Manasa unlawfully disclosed the protected health information (PHI) of a patient when Manasa posted a response to that patient's negative online review that included specific information regarding the individual's diagnosis and treatment of their mental health condition.
Findings of the OCR
Based on the investigation carried out, the OCR noted that:
Manasa impermissibly disclosed the PHI of four patients in response to their negative reviews posted on the Internet, in potential violation of §164.502(a) of Title 45 of the C.F.R.; and
Manasa failed to implement policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the Privacy and Breach Notification Rules, in potential violation of §164.530(i) of Title 45 of the C.F.R..
Outcomes
The OCR noted that Manasa agreed to pay $30,000 as a resolution amount for the settlement, but that the agreement is not an admission of liability or concession by the HHS that Manasa is not in violation of the HIPAA Rules and not liable for civil monetary penalties.
Moreover, in line with the CAP, Manasa committed to:
develop, maintain, and revise its written policies and procedures to comply with the HIPAA Rules;
train all members of its workforce, including owners and managers, on the organization's policies and procedures to comply with the HIPAA Rules;
issue, within 30 calendar days of the agreement, breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without valid authorization; and
submit, within 30 calendar days of the agreement, a breach report to the HHS concerning individuals whose PHI is disclosed on any internet platform without valid authorization.
You can read the press release here and the resolution agreement and CAP here.