$2.4 Million HIPAA Fine for Memorial Hermann Health System

A $2.4y m settlement has been agreed by Memorial Hermann Health System with the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential HIPAA Privacy Rule violations  The settlement arises from an impermissible disclosure on an official press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system located in Southeast Texas, providing service to patients in the Greater Houston area. In September, a patient attended a MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by staff of the hospital and the police were notified leading to the patient being arrested. The hospital advised the police of the name of the patient, which is allowable under HIPAA Rules.

However, the MHHS issued a press release about the incident but including the patients name in the title of the press release – a action in direct violation of the HIPAA Privacy Rule. The press release was reviewed and signed off on before release by MHHS senior management, even though naming the patient constituted an impermissible disclosure of privacy.

The incident was reported by media outlets and a complaint was filed with OCR, leading to an investigation which revealed that the press release had been distributed to 15 media outlets. On three separate occasions following the issuing of the press release, the patient’s identity was made public in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also released on the MHHS website.

These unauthorized disclosures, which happened between September 15 and October 1, 2015 constituted a knowing and intentional failure to protect the PHI of the patient. MHHS was also found to have failed to document the sanctions imposed against the members of staff who were not in compliance with the HIPAA Privacy Rule, as is required by HIPAA (45 C.F .R. § 164.530( e )(2)).

In addition to the large payment to OCR, Memorial Hermann Health System must adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent future impermissible disclosures of PHI. All MHHS facilities must also show that they comprehend the allowable disclosures and uses of PHI.

This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

This is the eighth HIPAA settlement to be made public by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one CMP issued. At this rate, 2017 looks set to be another record breaking year for penalties issued.