A not-for-profit health care system recently agreed to pay the Department of Health and Human Services (HHS) $2.4 million as part of a settlement over potential Health Insurance Portability and Accountability Act (HIPAA) violations. The incident at issue involved the system releasing a patient’s name to the press, consumer advocacy groups, and politicians following a highly-publicized event at a clinic. The lesson: covered entities and business associates should educate their public relations staff and leadership about what qualifies as “protected health information” (PHI) and that PHI may be disclosed only as permitted by HIPAA, regardless of whether the information is already known publicly.

(Not a) Routine Check-In

The HIPAA settlement concerned the alleged disclosure of one patient’s identity without her consent. According to various published reports, the patient in question checked in for a follow-up visit with her OB/GYN. After a staffer escorted her to an exam room, a waiting police officer handcuffed her and brought her to the county jail. The issue? A falsified driver’s license and other false identification.

During check-in, a clinic staff member thought the patient’s driver’s license looked suspicious. The office called the licensing bureau of the Texas Department of Public Safety (DPS), which instructed the office to contact local law enforcement. After confirming the false license number, local law enforcement decided to arrest the patient. The clinic complied with HIPAA up to this point: HIPAA’s privacy rule allows providers to report PHI, which would include driver’s license information, if it is believed to be evidence of a crime that occurred on the entity’s premises.

But the arrest sparked protests and criticism. The patient was an undocumented immigrant, but she had health insurance under her husband’s private plan. Her crying, eight-year-old US-born daughter witnessed the arrest. Immigrant advocates questioned whether the arrest would have a chilling effect on other undocumented immigrants seeking medical care.

What Went Wrong under HIPAA

The health care system responded to its critics with a press release, calling the incident “unfortunate” and citing “quality and safety reasons” for the procedure that led to calling the DPS. The press release also named the patient.

About two months later, HHS initiated a compliance review of the health care system based on multiple media reports indicating it disclosed the patient’s PHI to the media and various public officials without the patient’s authorization. According to the resolution agreement, the health system appeared to be responsible for the following:

  1. Knowingly and intentionally failing to safeguard PHI in its possession.
  2. Impermissibly disclosing the patient’s PHI through press releases, meetings with an advocacy group, state representatives, and a state senator, and by posting a statement on its website.
  3. Failing to document the sanctions it imposed on employees who failed to comply with the system’s privacy policy and HIPAA.

Key Takeaways

This case provides the following HIPAA compliance lessons:

  • If you think it might be PHI, it probably is: train your staff – including those in public affairs, government relations, and leadership – that HHS can interpret PHI broadly to include any information that identifies someone as a patient. When in doubt, leave the information out.
  • Public knowledge is no excuse: Even if someone (such as the media) knows an individual was a patient, a provider cannot release additional PHI or even confirm that the individual was a patient without a valid basis under HIPAA.
  • HIPAA protects everyone: HIPAA protects every patient’s PHI regardless of immigration status or potentially criminal acts, even if the act was committed on the covered entity’s premises.
  • Follow-up is critical: The failure to take disciplinary action against personnel who did not follow policy may have accounted for a significant portion of the settlement amount (possibly more than the disclosures themselves). This highlights the importance of applying some sort of sanction any time there is a potential HIPAA violation. This can be retraining or a warning, so long as it is consistent with your sanctions policy.