A HIPAA breach arising from a disclosure in a press release issued by Memorial Hermann Health System (MHHS) in September 2015 has led to the organization agreeing to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million.
MHHS is a 16-hospital health system located in Texas, treating patients in the Greater Houston area. In September, an individual visited an MHHS clinic and presented a fake identification card to hospital workers.
The fraudulent ID card was identified as such by workers at the hospital, law enforcement agencies were notified and the patient was apprehended. The hospital released the identification of the patient to law enforcement agencies, which is permitted as per HIPAA Rules.
However, the subsequent steps taken by the hospital were a violation of the HIPAA Privacy Rule. MHHS released a press brief about the incident which included the patient’s name in the title. That press release was approved before release by MHHS senior management, despite the fact that naming the patient constitutes an impermissible disclosure of PHI.
The incident was reported across the media and a complaint was submitted to the OCR, leading to an investigation. The OCR review revealed that the press release had been distributed to fifteen media outlets. On three occasions after the issuing of the press release, the patient’s identity was revealed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was identified was also published on the MHHS website.
These unauthorized releases, which happened between September 15 and October 1, 2015, constituted a knowing and intentional failure to secure the PHI of the patient. MHHS was also found to have failed to record the sanctions imposed against the members of staff who breached the HIPAA Privacy Rule, as is required by HIPAA (45 C.F.R. § 164.530(e)(2)).
Along with the sizable payment to OCR, Memorial Hermann Health System has committed to adopting a corrective action plan that requires policies and procedures to be updated and staff trained to avoid further impermissible disclosures of PHI. All MHHS facilities must also confirm that they understand the allowable disclosures and uses of PHI.
HIPAA financial fines are often issued for large scale breaches of PHI arising from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered organizations for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered organization for a breach of a single patient’s PHI.
OCR Director Roger Severino issued a statement about the agreed settlement, commenting, “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to say that “this case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
This is the eighth HIPAA settlement with OCR so far in 2017. In 2016, a record-setting year for HIPAA settlements, there were 12 settlements reached with covered organizations to resolve HIPAA violations and one CMP issued. At the current rate, 2017 looks set to be another record-setting year.
The steep rise in HIPAA fines should serve as a warning to covered organizations that any violation of HIPAA Rules could result in a large financial penalty.