Buffalo Medical Group Patients Notified of Alleged HIPAA Violation

When a HIPAA violation occurs, the covered entity is required to notify patients that their protected health information has been exposed. However, in a bizarre turn of events, a number of patients of the Buffalo Medical Group have received breach notification letters that have been sent without Buffalo Medical Group’s knowledge.

The letters have been printed on the Buffalo Medical Group’s letterhead, and details of the physicians employed in the Department of Dermatology have also been included in the letter.

Patients have been advised that a member of staff has disclosed their names and details of medical conditions to a new boyfriend. The member of staff concerned is named in the letter, and it is claimed that the HIPAA violations took place in the office, starting around August 2015. Confidential data was allegedly disclosed over the staff member’s cell phone within earshot of other workers.

After the relationship ended, the ex-boyfriend is alleged to have contacted Buffalo Medical Group by letter explaining that HIPAA violations had occurred. No response was allegedly received, prompting a second letter to be sent, this time including details of the patients who had their privacy violated. No action appears to have been taken by Buffalo Medical Group.

The letter explains that three members of staff have taken it upon themselves to highlight the privacy violation and notify all patients concerned by mail.

It is not clear whether this letter was actually sent by Buffalo Medical Group employees, whether this is another attempt by the ex-boyfriend to highlight HIPAA violations, or if the letter is actually a hoax.

Buffalo Medical Group is aware of the letter, having also received a copy, and is currently conducting an internal investigation to determine if the content of the letter is credible and whether HIPAA violations have occurred. Appropriate action will be taken based on the outcome of that investigation.

According to a statement released by Buffalo Medical Group, “We have reason to believe that this letter did not come from our staff.”

Rather than use the correct acronym for the Health Insurance Portability and Accountability Act – HIPAA – the author of the letter uses the acronym “HIPPA”. This suggests that the letter may be a hoax or has not come from BMG staff. Healthcare employees should be aware of the correct acronym to use.

Filing a Complaint About a HIPAA Violation

There is a protocol to follow if a HIPAA violation is believed to have occurred. The matter should be brought to the attention of the chief privacy officer or a supervisor, and if no action appears to have been taken, the matter can be escalated by filing a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR). Anyone can file a complaint with OCR if they believe the privacy of a patient has been violated.

UPDATE: May 4, 2016: Buffalo Medical Group has completed its internal investigation and has determined the allegations in the letter to be false.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.