Memorial Hermann Health System will pay $2.4M to settle HIPAA violation

Memorial Hermann Health System will pay $2.4 million to the U.S. Department of Health and Human Services to settle a potential HIPAA violation that dates back to 2015.

The HHS Office for Civil Rights said it began to investigate the incident after media outlets suggested that the not-for-profit health system in Southeast Texas disclosed a patient’s protected health information (PHI) without an authorization.

The incident occurred in September 2015 when a patient at one of Memorial’s clinics allegedly gave a fraudulent identification card to office staff and the employee immediately alerted the police. The patient was allegedly in the U.S. illegally and was arrested. The health system subsequently published a press release about the incident and included the patient’s name in the title of the announcement.

“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

Furthermore, the system failed to document in a timely manner the sanctioning of its workforce members for failing to obtain permission to disclose the patient’s information, according to HHS.

The settlement also requires the system to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures, and to train its workforce members. As part of the corrective action plan (PDF), all of the system’s facilities must attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

But some privacy lawyers question the amount of the fine, GovInfoSecurity reports. Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine, told the publication the settlement is “surprisingly high, in light of the limited timeframe during which this occurred.” He suspects that the large size of the health system—Memorial Hermann includes 16 hospitals and specialty services in the Greater Houston area—influenced the hefty fine.

Although he also was surprised by the amount of the settlement, Kirk Nahra of the law firm Wiley Rein told GovInfoSecurity that the main takeaway “is that covered entities can’t publicly disclose patient information as a general matter.”