Remember when HIPAA seemed like a harmless, toothless (slobbery) infant? Those were the days! Over time, enforcement has ramped up. A recent example really brings this reality home. Memorial Hermann Health System (MHHS), a Texas health system, has entered into a $2.4 million settlement with the US Department of Health and Human Services (HHS) and has agreed to adopt a corrective action plan in relation to potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
In 2015, an MHHS patient provided staff with an allegedly false identification, which led to the patient's arrest. Following that incident, MHHS senior management approved a press release in which the patient's name was included in the title of the release (which constituted an impermissible disclosure of the patient's protected health information). In response to that very public impermissible disclosure, the Office for Civil Rights (OCR) of the Department of Health and Human Services initiated a compliance review of MHHS. During this review, the OCR discovered that MHHS had also failed to document the sanctions it imposed on the workforce members responsible for the impermissible disclosure in the press release.
The lesson of this story for providers is one that is important for HIPAA and everything else: establish viable, reliable avenues of communication within your organization! The word about HIPAA compliance must be well communicated throughout the organization. The Public Relations Department and the Human Resources Department (and everyone else) need to be trained to recognize a HIPAA question when they see one. Had anyone involved in the press release sought legal counsel, the press release would have been shut down. Your authors have joyfully (well okay, not joyfully) shut down many inappropriate press releases. A more concrete lesson is to document all HIPAA sanctions carefully and be ready to show them if the OCR comes knocking.