The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $2,400,000 settlement with Memorial Hermann Health System (“MHHS”) to resolve an investigation of an unauthorized disclosure of protected health information (“PHI”) as a potential violation of the Privacy Rule of the Health Insurance Portability and Accountability Act (“HIPAA”). In addition to payment of the settlement, MHHS agreed to enter into a Corrective Action Plan with provisions for training and documenting compliance efforts.

MHHS is the largest not-for-profit health system in southeast Texas, consisting of 13 hospitals, 8 cancer centers, 3 heart and vascular institutes and 27 sports medicine and rehabilitation centers, and employs approximately 24,000 people.

In September 2015, a patient at one of MHHS’s clinics presented an allegedly fraudulent identification card to office staff. The staff person alerted appropriate authorities and the patient was arrested. So far, there was no violation of HIPAA because the staff person was disclosing PHI in furtherance of permissible law enforcement efforts.

Where things began to go awry for MHHS was the initial publication of a press release identifying the patient by name in the title of the release, which was issued to fifteen media outlets and/or reporters. MHHS further compounded its error by disclosing the patient’s name during three meetings with an advocacy group, state representatives, and a state senator. To make matters worse, MHHS then disclosed the patient’s name in a statement on MHHS’s website.

None of these disclosures were authorized by the patient, and MHHS senior leadership was involved. Further, MHHS failed to document any sanctions imposed against its violators. These factors may explain why the OCR required a particularly high settlement amount.

Lessons learned: (1) disclosure of PHI for law enforcement purposes does not include identification of the alleged criminal to other parties; (2) HIPAA training is important for all employees, not just medical providers and treaters and administration who deal more directly with patients; (3) sanctions against offending employees must be promptly implemented and documented.