A three-doctor Allergy and Immunology practice in Connecticut just wrote the Department of Health and Human Services Office of Civil Rights a check for $125,000.

Three Boston hospitals, Mass General, Brigham and Women’s, and Boston Medical Center, wrote a check for $1M.

New York Presbyterian Hospital wrote a $2.2M check.

Memorial Hermann Health System wrote the government a check for $2.4M.

What was the common thread?

They all disclosed a patient’s protected health information without the patient’s authorization. A covered entity, such as a physician’s practice or health system, can disclose protected health information (PHI) under one of two conditions.

  • The patient provides his/her formal written authorization.
  • There is a statutory exception to requiring formal written authorization.

A compliant HIPAA authorization has a number of details that make it compliant. For example, it requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, the signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.

Also, you do not need a patient’s written authorization for every disclosure, as long as there is a statutory basis for the exception. For example, the broadest exceptions are known as Treatment, Payment, Operations. Within those categories, you do not need a patient’s authorization to disclose protected health information to get paid or to send information to another treating doctor to take care of your patient. These are spelled out in the HIPAA statute as explicit exceptions.

What if a patient has described their entire healthcare journey with you on their Facebook page? Can you say thanks? Or can you “correct the record”? Unless you have the patient’s authorization, the answer is no. You are forbidden from even acknowledging that person was YOUR patient. Please don’t kill the messenger. I agree it is absurd that a patient might publish every detail about their care and you must remain silent, even if the record is full of inaccuracies. It’s doubly absurd because you may not be disclosing any more than the patient already disclosed on their own. But those are the rules.

Now back to the Allergy and Immunology practice.

In 2015, one patient contacted a local TV station stating the practice turned her away because she had a service animal. The reporter called the practice for its side of the story. That’s good journalism. But the physician disclosed protected health information. A no-no.

There’s more:

“OCR’s [Office of Civil Rights] investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates’ privacy officer to either not respond to the media or respond with ‘no comment,’” HHS says in the statement.

Additionally, OCR’s investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media, the statement notes.

The $125k check the Allergy practice paid is a big number. That number stings. No pun intended.

Seven figure checks are even bigger numbers.

The health systems referenced above paid $1M and higher settlements because of TV crews on site.

In 2014 and 2015, a TV documentary called “Save My Life: Boston Trauma” neglected getting the proper authorizations.

In 2016, OCR settled with NY Presbyterian for the TV show “NY Med.” Apparently, the hospital allowed a crew to film a dying patient and another patient in significant distress, even when a medical professional urged the crew to leave.

And in 2017, Memorial Hermann Health System entered into a $2.4M settlement over a 2015 disclosure of one patient’s health information to the news media without their authorization.

So, there you have it. Fines related to unauthorized disclosure of protected health information are stratospheric. PHI includes a patient’s photo. Video footage. Even acknowledging a doctor-patient relationship.

We have template authorization forms for photos, videos, testimonials, and more. Email us at if you would like access to this collection.

Ten years ago, we ran a contest, encouraging doctors to reveal if they had been involved in a frivolous lawsuit. We awarded a prize to the Most Frivolous Lawsuit. Cold comfort. Still, the winner did receive a free membership for one year with Medical Justice. We are running that same contest again.

Send us a brief description of what you believe qualifies for the most frivolous lawsuit. Email us at You have to have personal knowledge of the case. Either you were a named defendant. Or you knew the named defendant.

The winner will receive a free year’s membership to Medical Justice. Determination will be made by December 14, 2018 and announced soon after via our weekly e-blast and blog.

(The usual caveat, void where prohibited by law).

May the best defendant win.

Jeffrey Segal, MD, JD

Dr. Jeffrey Segal, Chief Executive Officer and Founder of Medical Justice, is a board-certified neurosurgeon. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country’s leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.

Dr. Segal holds an M.D. from Baylor College of Medicine, where he also completed a neurosurgical residency. Dr. Segal served as a Spinal Surgery Fellow at The University of South Florida Medical School. He is a member of Phi Beta Kappa as well as the AOA Medical Honor Society. Dr. Segal received his B.A. from the University of Texas and graduated with a J.D. from Concord Law School with highest honors.

If you have a medico-legal question, write to Medical Justice at