A Texas health system paid $2.4 million to settle allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA) by disclosing protected health information (PHI) in a press release.
The statement from Memorial Hermann Health System (MHHS) involved an incident in which a patient was arrested for allegedly presenting false identification. The U.S. Department of Health and Human Services (HHS) apparently did not fault MHHS’ handling of the incident or its disclosure of PHI to law enforcement.
When MHHS named the patient in the subsequent release, however, it violated HIPAA’s prohibition on disclosing individual PHI without an authorization, HHS’ Office for Civil Rights (OCR) determined. MHHS senior management approved this disclosure and repeated it in subsequent meetings with interested parties, the agency alleged.
“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said the OCR Director, Roger Severino, in a statement. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
Along with the impermissible disclosure itself, OCR alleged that MHHS failed to document in a timely manner the sanctioning of its workforce members for impermissibly disclosing the patient’s information.
Corrective Action Plan
In addition to the $2.4 million monetary payment, the settlement includes a 2-year corrective action plan (CAP). MHHS has to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures, including internal reporting of possible violations and imposition of disciplinary sanctions where appropriate. Once HHS approves the revised policies and procedures, MHHS must train its workforce members accordingly and have them certify completion as a condition of PHI access.
The CAP also requires MHHS to report any violations of the policies and procedures to HHS within 30 days, and submit initial and annual “implementation reports” attesting to compliance with the agreement at all locations.