The U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”) issued a May 10, 2017 press release stating that Memorial Hermann Health System, a Texas-based not-for-profit health system (“MHHS”), agreed to pay $2.4M and enter into a two-year corrective action plan (“CAP”) to settle potential HIPAA violations for alleged disclosure of protected health information (“PHI”) without the patient’s authorization. The CAP requires MHHS, among other things, to submit an implementation report and an annual report to HHS on MHHS’ compliance with the CAP.
According to the press release, in September 2015, a patient at one of MHHS’ clinics attempted to use an allegedly fraudulent identification card. MHHS staff immediately alerted the appropriate authorities to the incident, and the patient was arrested. According to the resolution agreement, between September 15, 2015, and September 19, 2015, MHHS impermissibly disclosed the patient’s PHI through press releases issued to 15 media outlets and/or reporters. MHHS’ senior leaders further disclosed the patient’s PHI during 3 meetings with an advocacy group, state representatives, and a state senator. MHHS also disclosed the patient’s PHI in a statement on its website, without obtaining the patient’s written authorization. OCR further concluded that MHHS “failed to timely document the sanctioning of its workforce members” for the violations.
“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
This enforcement action is a reminder that even where a disclosure of PHI is permitted under the HIPAA Rules (in this case, for law enforcement purposes), a disclosure permitted for one purpose does not necessarily mean the same PHI may be disclosed for another purpose, or that other restrictions do not apply.