HHS OCR: Henrico Sen. Dunnavant’s political letter to patients broke health privacy rules, but no sanctions needed
There’s a follow-up to an HHS OCR investigation that I had noted back in October, 2015. And since we don’t see many OCR investigations reported like this one, it’s worth noting. Politicians who are also HIPAA-covered entities, in particular, may wish to take note.
Graham Moomaw reports:
State Sen. Siobhan S. Dunnavant, a Henrico County physician, broke federal health privacy rules by sending a political solicitation to her patients during her 2015 campaign, according to a letter from the U.S. Department of Health and Human Services’ civil rights office.
Dunnavant’s decision to share patient contact information with her Senate campaign and its direct-mail business was “impermissible” under federal HIPAA law, HHS investigators wrote in a letter last month informing Dunnavant and her attorney that the case was being closed.
The first-term Republican won’t face fines or other penalties, HHS said, because Dunnavant took “immediate action” to minimize the damage.
It appears that the senator made effort to comply with HIPAA, even going so far as to establish a “business associate” arrangement with her campaign. HHS apparently rejected that arrangement, though:
“Dr. Dunnavant’s position that the disclosure and use of (protected health information) to and by the campaign committee was strictly related to treatment or health care operations is not supported by the evidence,” Barbara J. Holland, the mid-Atlantic regional manager for the HHS Office of Civil Rights, wrote in a letter dated Dec. 6. “The letter expressly encouraged patients to participate in campaign activities and invited patients to contact the campaign for additional information.”
Read more on Richmond Times-Dispatch. The take-home message should be clear, though: you cannot use a BA arrangement to do an end-run against using patient data for political campaign purposes.
Great thanks to the reader who sent this in.