The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff and requiring all of the facilities in the system to “attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.”

The OCR commenced its investigation following media accounts reporting that MHHS disclosed a patient’s PHI without the patient’s authorization. The underlying facts are that in September 2015, a patient presented what appeared to be a fraudulent identification card to office staff when seeking medical care. The staff alerted law enforcement about the alleged fraudulent identification card, and the patient was arrested. According to the OCR, the disclosure to law enforcement was permitted under HIPAA. However, senior management then approved a press release about the incident, which included the patient’s name in the title of the press release. The OCR found that this was an impermissible disclosure of the patient’s PHI.

In its press release, the OCR stated, “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response… This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is not the first OCR fine coming from a health care entity’s release of PHI to the media. Shasta Regional Medical Center settled with the OCR in June 2013 for $275,000 when members of the senior management “intentionally” disclosed a patient’s PHI “to multiple media outlets on at least three separate occasions” without the patient’s authorization and shared details about the patient’s medical condition, diagnosis and treatment in an email to its entire workforce.

The facts of the two cases are similar, but today’s fine is a stark reminder to health care entities to be cautious when interacting with the media.