$2.4 Million HIPAA Fine for Memorial Hermann Health System

by Patrick Kennedy | May 16, 2017

A $2.4 million settlement has been agreed by Memorial Hermann Health System with the Department of Health and Human Services' Office for Civil Rights (OCR) to resolve potential HIPAA Privacy Rule violations. The settlement arises from an impermissible disclosure in an official press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system located in Southeast Texas, providing services to patients in the Greater Houston area. In September 2015, a patient attended an MHHS clinic and presented a fraudulent identification card to hospital staff.

Hospital staff identified the ID card as fraudulent and notified the police, leading to the patient's arrest. The hospital advised the police of the name of the patient, which is permitted under the HIPAA Rules.

However, MHHS then issued a press release about the incident that included the patient's name in its title, an action in direct violation of the HIPAA Privacy Rule. The press release was reviewed and signed off on by MHHS senior management before release, even though naming the patient constituted an impermissible disclosure.

The incident was reported by media outlets and a complaint was filed with OCR, leading to an investigation which revealed that the press release had been distributed to 15 media outlets. On three separate occasions following the issuing of the press release, the patient’s identity was made public in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also released on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015, constituted a knowing and intentional failure to protect the patient's PHI. MHHS was also found to have failed to document the sanctions imposed on the members of staff who did not comply with the HIPAA Privacy Rule, as required by HIPAA (45 C.F.R. § 164.530(e)(2)).

In addition to the payment to OCR, Memorial Hermann Health System must adopt a corrective action plan that requires its policies and procedures to be updated and its staff to be trained to prevent future impermissible disclosures of PHI. All MHHS facilities must also demonstrate that they understand the permitted uses and disclosures of PHI.

This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

This is the eighth HIPAA settlement to be made public by OCR in 2017. In 2016, a record year for HIPAA settlements, 12 settlements were reached with covered entities to resolve HIPAA violations and one civil monetary penalty (CMP) was issued. At this rate, 2017 looks set to be another record-breaking year for penalties.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
