- Texas-based Memorial Hermann Health System (MHHS) recently agreed to a $2.4 million OCR HIPAA settlement following multiple allegations of inappropriate PHI disclosure.
OCR conducted a compliance review after numerous media reports claimed that MHHS disclosed a patient’s PHI without authorization.
An MHHS patient presented an allegedly fraudulent identification card to a staff member in September 2015, OCR explained. That employee alerted authorities and the patient was arrested.
While the PHI disclosure to law enforcement is allowed under HIPAA in that situation, OCR noted that the subsequent press release MHHS published had the patient’s name in the press release title.
“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” OCR Director Roger Severino said in a statement. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
OCR’s investigation also found that the health system “impermissibly disclosed” the patient’s PHI to 15 media outlets and/or reporters between September 15, 2015, and September 19, 2015.
“Following the publications, MHHS' senior leaders further disclosed the patient's PHI during three meetings which occurred on September 17, September 21, and September 25, 2015, with an advocacy group, state representatives, and a state senator, in response to the events,” the corrective action plan stated.
The patient’s PHI was also posted in an MHHS statement posted to the health system’s website.
MHHS also failed to timely document the sanctions put to staff members who failed to comply with the health system’s privacy policies and procedures, according to OCR.
Along with the $2.4 million payment, MHHS also agreed to adhere to a corrective action plan.
The health system must “develop, maintain, and revise, as necessary” its written policies and procedures that relate to PHI privacy and security. Additionally, MHHS needs to distribute those policies and procedures to all workforce members and ensure that those individuals sign a written or electronic initial compliance certification.
Proper PHI disclosures and uses must be included in those policies, and for how such disclosures can be made to the media and law enforcement, the corrective action plan stated.
The policies and procedures also need to specify which MHHS workforce members may be contacted for inquiries or concerns regarding HIPAA compliance. Internal reporting procedures must be followed, and workforce members need to know who the designated person or office is within MHHS that records potential violations.
“Application and documentation of appropriate sanctions (which may include retraining or other instructive corrective action, depending on the circumstances) against members of MHHS' workforce, including senior level management, who fail to comply with the Privacy, Security or Breach Notification Rules or MHHS' privacy and security policies and procedures,” must also be included, OCR added.
Previous OCR HIPAA settlements have also centered on the issue of improper PHI disclosure.
Complete P.T., Pool & Land Physical Therapy, Inc. agreed to a $25,000 settlement in February 2016 after a 2012 complaint.
OCR was informed that Complete P.T. had reportedly impermissibly disclosed patient PHI when the provider “posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.”
“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes,” former OCR Director Jocelyn Samuels said at the time. “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”