On May 10, 2017, the US Department of Health & Human Services (HHS) announced a settlement with Texas-based Memorial Hermann Health System (MHHS) for $2.4 million due to MHHS’s unauthorized disclosure of patient protected health information (PHI). HHS also announced that HHS and MHHS entered into a Resolution Agreement, and MHHS agreed to a corrective action plan.
Settlements for HIPAA violations have become more and more common. What makes this one especially noteworthy is the unique circumstance surrounding the unauthorized disclosure of PHI, which stemmed from a September 2015 incident at one of MHHS’s clinics. A patient presented to the clinic with an allegedly fraudulent identification card. The clinic reported the incident to the legal authorities, and the patient was arrested. Subsequent to the arrest, MHHS issued a press release regarding the incident and posted a statement about it on its website; senior leaders then discussed it with lawmakers and advocacy groups – allegedly disclosing the patient’s PHI in each instance.
The HHS Office for Civil Rights conducted a compliance review of MHHS and determined that while MHHS’s disclosure of the PHI to law enforcement authorities was permissible under HIPAA, the other disclosures were not. Further, MHHS had failed to timely document the sanctions it took against the individuals who impermissibly disclosed the PHI.
In addition to the $2.4 million settlement to be paid to HHS, MHHS agreed to a corrective action plan that requires MHHS to update its HIPAA policies and procedures to ensure timely and effective training of its workforce (broadly defined), to report HIPAA violations to HHS within 30 days, and to provide annual reports to HHS regarding MHHS’s compliance with the corrective action plan.
This case illustrates the care and attention that providers must pay to the methods and uses of any PHI in all circumstances. Although internal HIPAA training and enforcement are required for the entire workforce, they often center on those who deal with PHI the most, such as care providers and billers. Clearly, this is not enough. As the MHHS example highlights, senior executives, administrators, and even media relations personnel all need to be sufficiently and regularly educated about the covered entity’s HIPAA obligations and their own obligations not to inappropriately disclose PHI.