Memorial Hermann fined $2.4 million for HIPAA violations
Memorial Hermann Health System in Texas will pay a $2.4 million fine and enter into a two-year corrective action plan after disclosing a patient’s protected health information without the patient’s authorization.
In September 2015 a patient at a MHHS clinic presented a fraudulent identification card to office staff, which contacted police, and the patient was arrested.
MHHS issued multiple press releases to 15 media outlets on the incident and added the patient’s name in the title of the release; it also disclosed the patient’s protected information during three meetings with an advocacy group, state representatives and a state senator, as well as on its website.
Further, the HHS Office for Civil Rights found during an investigation that the organization also failed to document in a timely manner the sanctioning of workforce members that disclosed the patient’s name.
“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear privacy violation that would induce a swift OCR response,” OCR Director Roger Severino said in a statement. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
Among other requirements, the corrective action plan, available here, requires all MHHS facilities to attest their understanding of permissible uses and disclosures of protected health information, including disclosures to the media.
Memorial Hermann declined to comment.