Hefty Penalty for Improper Disclosure of One Patient's Info
Why Was Fine Imposed on Memorial Hermann Health System So High?
Federal regulators have slapped a Houston-based healthcare system with a $2.4 million HIPAA settlement stemming from the disclosure of one patient's information to the news media without the individual's consent.
In a May 10 statement, the Department of Health and Human Services says Memorial Hermann Health System, which operates 16 hospitals in the Houston area, has agreed to pay the financial settlement and adopt a comprehensive corrective action plan to settle potential violations of the HIPAA Privacy Rule.
The HHS Office for Civil Rights initiated a compliance review of MHHS based on multiple news media reports in 2015 suggesting that the health system disclosed a patient's protected health information without the individual's authorization, which is a violation of HIPAA, the statement says.
HHS says that in September 2015, a patient at one of MHHS's clinics presented an allegedly fraudulent identification card to office staff. "The staff immediately alerted appropriate authorities of the incident, and the patient was arrested," OCR notes.
While that disclosure of PHI to law enforcement was permitted under HIPAA, "MHHS subsequently published a press release concerning the incident in which MHHS senior management approved the impermissible disclosure of the patient's PHI by adding the patient's name in the title of the press release," OCR notes. "In addition, MHHS failed to timely document the sanctioning of its workforce members for impermissibly disclosing the patient's information."
OCR Director Roger Severino says senior management "should have known that disclosing a patient's name on the title of a press release was a clear HIPAA privacy violation that would induce a swift OCR response. This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere."
In addition to the monetary settlement, a corrective action plan requires MHHS to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.
The corrective action plan also requires all Memorial Hermann facilities to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.
MHHS declined to comment on the settlement.
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the size of the monetary settlement in this case involving one patient is eyebrow-raising. "I'm surprised a bit by the amount, but this may have reflected a cavalier attitude about this issue from management," he says.
Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine, says the failure to apply sanctions to staff "may have accounted for a significant portion of the settlement amount - possibly more than the disclosures themselves - highlighting the importance of applying some sort of sanction any time there is a HIPAA violation. This can be retraining or a warning, if consistent with a sanctions policy."
The amount of the settlement is "surprisingly high, in light of the limited timeframe during which this occurred," he adds. "In contrast, many other large settlements related to systematic issues that allegedly occurred over many years. I suspect that the large size of the health system heavily influenced the amount of the settlement."
Greene points out that HHS interprets "protected health information" broadly to include any information that identifies someone as a patient. "If someone - such as the media - knows that someone was a patient, this doesn't mean that a provider can release additional PHI or even confirm that the person was a patient. Every patient's PHI is protected under HIPAA, regardless of immigration status - this case apparently involved a patient who was allegedly in the U.S. illegally - or if they potentially commit a crime - such as using falsified identification or identity theft - at the provider."
Nahra suggests that the main lesson from this settlement "is that covered entities can't publicly disclose patient information as a general matter. That might be this kind of situation, or it might be where a patient has gone public with some kind of complaint. In those situations, the covered entity doesn't get to respond or release publicly without a specific permitted basis, which will seldom exist."
The MHHS case isn't OCR's first HIPAA enforcement action related to unauthorized disclosure of patient information to the news media.
In 2016, OCR announced a $2.2 million settlement with New York Presbyterian Hospital after the agency determined the hospital allowed a TV crew to film a patient who was dying and another person in significant distress, even after a medical professional urged the crew to stop (see NY Presbyterian Slapped with Second HIPAA Fine).
In that case, OCR said that by allowing individuals receiving urgent medical care to be filmed without their authorization, the hospital "blatantly violate[d] the HIPAA rules, which were specifically designed to prohibit the disclosure of individual's PHI, including images, in circumstances such as these."
Recent OCR Settlements
The settlement with Memorial Hermann is OCR's eighth HIPAA enforcement action so far in 2017. Those settlements include a total of nearly $17 million in penalties.
Three settlements were announced in April:
- A $2.5 million settlement and corrective action plan with wireless health services provider Cardionet based in Malvern, Pennsylvania, for a case involving a stolen unencrypted laptop computer;
- A $400,000 resolution agreement and corrective action plan with Metro Community Provider Network, a Colorado-based federally qualified health center, to settle potential noncompliance with the HIPAA privacy and security rules following OCR's investigation into a 2012 breach involving a phishing attack;
- A $31,000 settlement and corrective action plan with the Center for Children's Digestive Health in Illinois for a case involving the lack of a business associate agreement with FileFax, a paper record storage vendor.