Memorial Hermann Health System (MHHS), a Texas-based health system, violated the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule when it released the name of a patient to various media outlets after the patient, an undocumented immigrant, presented a false driver’s license at an MHHS facility and MHHS contacted law enforcement. The HHS Office for Civil Rights (OCR) emphasized that the disclosure to law enforcement was lawful, but opined that "senior management should have known" that inclusion in a press release was a "clear HIPAA Privacy violation." Although MHHS did not admit liability, it entered into a resolution agreement with the OCR, agreed to pay $2.4 million, and entered into a two-year corrective action plan (CAP) (Resolution agreement, May 10, 2017).
The OCR initiated review of the incident based on multiple media reports. It determined that MHHS released the patient’s name to 15 media outlets and/or reporters in the course of four days without the patient’s written consent, and that senior leaders released the names to an advocacy group, state representatives, and a state senator over the course of three meetings.
As part of the CAP, MHHS must develop, maintain, and revise written policies and procedures addressing uses and disclosure of protected health information (PHI), including releases to the media and law enforcement, identification of personnel or representatives to whom stakeholders may turn with privacy questions, internal reporting procedures, and the application and documentation of appropriate sanctions. It must distribute such policies and procedures to all workforce members and provide training. MHHS must notify the OCR of reportable events. Failure to comply with the terms of the CAP may result in the imposition of civil monetary penalties (CMPs).
Companies: Memorial Hermann Health System