The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
The original incident occurred in September 2015 when a patient presented a fake Texas driver’s license upon arrival for a scheduled visit at a Memorial Hermann gynecologic clinic. After the clinic staff asked for and the patient was unable to provide another form of identification, the staff called the Texas Department of Public Safety (DPS) for assistance in verifying the patient’s driver’s license. DPS told the office staff to contact local law enforcement, who determined that the identification card was fraudulent and decided to arrest the patient during her visit to the clinic.
After the incident became public, Memorial Hermann came under attack by immigration activists because the patient was undocumented. However, as OCR pointed out in its press release, Memorial Hermann’s disclosure of the patient’s name and other identifying information to law enforcement was permissible under HIPAA’s Privacy Rule.
The HIPAA violation occurred after the incident, when Memorial Hermann used the patient’s name in the title of a press release about the incident. The settlement stems from Memorial Hermann’s unauthorized disclosure of the patient’s name in the press release, which had been approved by senior management, and its failure to timely document the sanctioning of relevant employees for disclosing the patient’s name.
As we’ve previously discussed on the blog, entities covered by HIPAA must train their workforce and develop policies and procedures on permissible uses and disclosures of protected health information (PHI). This settlement highlights the need for such training and policies and procedures with respect to disclosures of PHI to the media and law enforcement in particular. Entities covered by HIPAA should ensure that their workforce understands when disclosures to law enforcement are permissible, but also that a permissible disclosure to law enforcement does not allow the entity to use or disclose PHI in an otherwise impermissible manner. Furthermore, such entities should have policies in place that prohibit anyone from providing comments about patient matters to the media unless such comments have been reviewed and approved by the Privacy Officer or another individual in charge of HIPAA-related matters.