The Office for Civil Rights (OCR) announced a curious settlement with Memorial Hermann Health Systems (MHHS) last week after an OCR compliance review. The review found impermissible disclosure of a single patient’s PHI… leading to a $2.4 million whooper of a fine.
Who is MHHS?
Memorial Hermann Health Systems is a Houston-based, non-profit healthcare system. Their services include 16 hospitals and specialty service centers.
In September 2015, office staff at an MHHS clinic were presented a patient’s allegedly fraudulent identification card.
The staff immediately contacted law enforcement and the patient was arrested.
This disclosure of information was allowed under HIPAA’s Privacy Rule. Covered entities are permitted to disclose information to law enforcement for the purpose of aiding in an investigation.
However, a media response by MHHS subsequently disclosed the same PHI. Senior management approved this impermissible disclosure and even added the patient’s name to the headline of the press release.
Despite the previous law enforcement exception, this new impermissible disclosure qualified as a violation under HIPAA’s Privacy Rule.
OCR’s new Director Roger Severino commented, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
OCR also notes in their findings from the compliance review that MHHS failed to document the sanctioning of its workforce members for the press release incident.
The focal point of the OCR / MHHS settlement is the hefty $2.4 million penalty. Some industry experts are surprised to see such a large fine here, given the disclosure was a single piece of PHI.
A few factors might have contributed to the size of the penalty:
- The nonchalant attitude from management regarding patient privacy and PHI disclosures
- The failure to apply sanctions to staff in the aftermath of the disclosure
- The larger size of the healthcare system
The settlement also included a corrective action plan. The compliance measures on MHHS’ to-do list include:
- Updating policies and procedures on safeguarding PHI from impermissible disclosures
- Training workforce members on the policies and procedures
- Confirming their understanding of permissible disclosures of PHI, including to the media
OCR is sending the message loud and clear: Covered entities need to use proper discretion according to the Privacy Rule when disclosing patient information.
If your organization is questioning whether a use or disclosure of patient information is permissible under HIPAA, reach out and validate with our Cybersecurity team.
If you’d like assistance, send us a note and brief explanation to firstname.lastname@example.org and we’ll help guide you in the right direction.
If you’re following along with us and keeping tally, this marks the 8th HIPAA enforcement action in 2017. Those enforcement actions have netted the OCR a grand total of $17 million in penalties.
This particular data breach reminds us of a case we reported on last year. New York Presbyterian Hospital found themselves in a similar conundrum when mixing media and patient privacy. You can read that article here.