Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI

An unauthorized disclosure of a patient’s name has resulted in a Memorial Hermann Health System HIPAA compliance fine.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle potential HIPAA Privacy Rule violations with Memorial Hermann Health System with the payment of a $2.4 million penalty. Memorial Hermann Health System must also adopt a corrective action plan to ensure HIPAA Rules are followed in the future.

MHHS is a not-for-profit, 16-hospital health system based in Southeast Texas. OCR launched an investigation following complaints made about an unauthorized disclosure of a patient’s name to the media in September 2015.

In September 2015, a patient attempted to use a fraudulent ID card to obtain medical services at an MHHS hospital. Staff noticed the fraudulent use of the card, law enforcement was called, and the woman was arrested. The identity of the woman was disclosed to law enforcement, which is permitted under HIPAA Rules.

What is not permitted under HIPAA Rules is the disclosure of the individual’s name to the media. A press release was issued in which the patient’s name was disclosed in the title. That press release was distributed to 15 media agencies and had been signed off by senior management. MHHS was also discovered to have disclosed the name of the patient in three separate meetings, to a state senator, state officials, and an advocacy group.

OCR also discovered that in addition to the above improper disclosures, MHHS had failed to document the sanctions against the individuals concerned in a timely manner after the incident.

OCR concluded that MHHS had failed to secure patients’ PHI in its possession between September 15, 2015, and October 1, 2015. That failure had occurred knowingly and intentionally, hence the size of the Memorial Hermann Health System HIPAA fine. MHHS had also impermissibly disclosed the identity of a patient on multiple occasions between September 15, 2015, and September 19, 2015.

To prevent further impermissible disclosures, MHHS is required to adopt a corrective action plan that includes developing and implementing new policies and procedures to ensure that patient privacy is protected and patients’ PHI is secured. Staff must be trained on the new procedures and must be made aware of allowable disclosures and acceptable uses of PHI.

New OCR director Roger Severino explained that this was a clear violation of the HIPAA Privacy Rule, and that senior management should have been aware of that. He said MHHS should have known that such actions would induce “a swift OCR response.” Severino pointed out, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

Author: NetSec Editor