Inappropriate Disclosure of a Single Patient Name Results in $2.4 Million HIPAA Settlement
Texas’ Memorial Hermann Health System (MHHS) paid $2.4 million to the U.S. Department of Health and Human Services (HHS) and entered into a corrective action plan (CAP) to resolve allegations related to the impermissible disclosure of one patient’s name to multiple parties over a two-week period without having a HIPAA authorization from the patient. The MHHS resolution is an example of the significant consequences that can arise from an inappropriate disclosure of protected health information (PHI), even when only one individual is affected.
According to the HHS Resolution Agreement, MHHS is the largest not-for-profit health system in southeast Texas; it includes 13 hospitals, cancer centers, and heart and vascular institutes, and has approximately 24,000 employees.
HHS’ Office for Civil Rights (OCR) began its investigation of MHHS following media reports that MHHS had disclosed a patient’s PHI without a HIPAA authorization. The situation arose when a patient of one of the MHHS clinics presented an allegedly false identification card to the office staff. MHHS staff alerted law enforcement, who arrested the patient. HHS concurred that the disclosure of this patient’s PHI to law enforcement was permitted under HIPAA.
Thereafter, for reasons not described in HHS’ press release or the Resolution Agreement, MHHS also disclosed this patient’s identity in the title of a press release sent to multiple media outlets, on the MHHS web site, to an advocacy group, and to local elected officials. In addition to making these disclosures without the patient’s HIPAA authorization, HHS stated in the Resolution Agreement that MHHS failed to timely document the sanctions against members of the MHHS workforce who failed to comply with HIPAA and the MHHS policies. HHS determined that these actions and omissions violated the HIPAA Privacy Rule.
As part of the $2.4 million settlement between HHS and MHHS, MHHS agreed to the following as part of the two-year CAP:
- develop and update MHHS policies and procedures for when a HIPAA authorization is required, including with respect to disclosures to the media, public officials, on the internet, and disclosures for law enforcement purposes; and
- after the policies and procedures are approved by HHS, distribute the updated policies to all members of its workforce and provide training to the MHHS workforce on those policies.
MHHS did not admit any liability as part of the settlement.
HHS and OCR take seriously HIPAA’s protections for an individual’s PHI. While MHHS acted appropriately by notifying law enforcement that the individual had presented false identification, the Resolution Agreement does not explain why MHHS then issued a press release with the person’s name in the title or disclosed the individual’s name to elected officials, an advocacy group, and on MHHS’ web site. The significant amount paid by MHHS in connection with this incident underscores the importance of protecting an individual’s identity from disclosure and the need to understand to whom, when, and for what reasons PHI may be disclosed.
This is the fifth settlement announced by the Trump Administration. See:
- First HIPAA Settlement Involving a Wireless Health Services Provider
- Failure to Implement Business Associate Agreement Results in $31,000 Settlement For Health Care Provider
- Phishing Incident Leads to $400,000 HIPAA Settlement
- $5.5 Million HIPAA Settlement Matches Largest Payment To-Date
Saul Ewing attorneys counsel and assist covered entities and business associates with respect to HIPAA Privacy Rule and Security Rule compliance. For more information relating to Saul Ewing’s HIPAA compliance practice, please contact the authors or the Saul Ewing attorney with whom you are regularly in contact.