Health system pays $2.4M for disclosing name of patient in press release
Today, the Department of Health and Human Services Office for Civil Rights (OCR) announced a HIPAA settlement with a large Texas health system, Memorial Hermann Health System (MHHS), for disclosing the name of a patient who presented an allegedly fraudulent identification card at one of MHHS’ clinics. MHHS agreed to pay $2.4 million and enter into a corrective action plan.
MHHS office staff immediately reported the 2015 incident to law enforcement authorities who arrested the patient. MHHS included the patient’s name in the title of press releases and identified the patient on the MHHS website. MHHS senior leaders approved the inclusion of the patient’s name in the press releases and also identified the patient in three meetings with an advocacy group and elected officials.
OCR’s press release noted that the disclosure to law enforcement was permitted under the HIPAA Rules, but that the disclosure of the patient’s name in the press releases without authorization from the patient was not permitted under the Privacy Rule. OCR also determined that MHHS violated the Privacy Rule by failing to document timely sanctions against its workforce members who disclosed the patient’s information.
OCR Director Roger Severino observed in the press release that “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” and that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
The press release, resolution agreement and corrective action plan are available here.
MHHS office staff immediately reported the 2015 incident to law enforcement authorities who arrested the patient. MHHS included the patient’s name in the title of press releases and identified the patient on the MHHS website. MHHS senior leaders approved the inclusion of the patient’s name in the press releases and also identified the patient in three meetings with an advocacy group and elected officials.
OCR’s press release noted that the disclosure to law enforcement was permitted under the HIPAA Rules, but that the disclosure of the patient’s name in the press releases without authorization from the patient was not permitted under the Privacy Rule. OCR also determined that MHHS violated the Privacy Rule by failing to document timely sanctions against its workforce members who disclosed the patient’s information.
OCR Director Roger Severino observed in the press release that “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” and that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
The press release, resolution agreement and corrective action plan are available here.
