Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

USA: OCR announces $30,000 settlement with Manasa Health Center relating to potential violations of the HIPAA Privacy Rule

On June 5, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had reached a settlement with Manasa Health Center, LLC. The settlement requires Manasa to pay the OCR $30,000 and to undertake a Corrective Action Plan (CAP). These penalties settle a potential violation of the Code of Federal Regulations (C.F.R.) in accordance with the Health Insurance Portability and Accountability Act Privacy and Security Rules (HIPAA Rules), following the submission of a complaint to the OCR.

Background to the case

In particular, the OCR explained that it had opened an investigation in response to a complaint it received, which alleged that Manasa unlawfully disclosed the protected health information (PHI) of a patient when Manasa posted a response to that patient's negative online review that included specific information regarding the individual's diagnosis and treatment of their mental health condition.

Findings of the OCR

Based on the investigation carried out, the OCR noted that:

  • Manasa impermissibly disclosed the PHI of four patients in response to their negative reviews posted on the Internet, in potential violation of §164.502(a) of Title 45 of the C.F.R.; and

  • Manasa failed to implement policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the Privacy and Breach Notification Rules, in potential violation of §164.530(i) of Title 45 of the C.F.R..

Outcomes

The OCR noted that Manasa agreed to pay $30,000 as a resolution amount for the settlement, but that the agreement is not an admission of liability or concession by the HHS that Manasa is not in violation of the HIPAA Rules and not liable for civil monetary penalties.

Moreover, in line with the CAP, Manasa committed to:

  • develop, maintain, and revise its written policies and procedures to comply with the HIPAA Rules;

  • train all members of its workforce, including owners and managers, on the organization's policies and procedures to comply with the HIPAA Rules;

  • issue, within 30 calendar days of the agreement, breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without valid authorization; and

  • submit, within 30 calendar days of the agreement, a breach report to the HHS concerning individuals whose PHI is disclosed on any internet platform without valid authorization.

You can read the press release here and the resolution agreement and CAP here.