[BreachExchange] Disclosure of a Single Patient’s PHI Leads to Hefty $2.4 Million Settlement

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 17 20:44:03 EDT 2017


Key Takeaway: Covered Entities must protect patient privacy, even in the
midst of an otherwise permissible disclosure to law enforcement.

The Department of Health and Human Services (HHS), Office for Civil Rights
(OCR) continues its active enforcement of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) with a recent high-profile settlement
with Memorial Hermann Health System (MHHS).  MHHS is the largest nonprofit health system
in the greater Houston area and employs approximately 24,000 employees
across its 13 hospitals and additional specialty clinics.  MHHS paid $2.4
million to OCR and agreed to a two-year corrective action plan to settle
potential HIPAA violations that stem from the impermissible disclosure of a
single patient’s protected health information (PHI) to the media and others
without that patient’s authorization.

The settlement resulted from a September 2015 incident, in which a patient
presented herself at one of MHHS’ clinics with an allegedly fraudulent
identification card.  MHHS staff immediately alerted the appropriate law
enforcement personnel and the patient was arrested.  Although this
disclosure of PHI to law enforcement authorities was permissible, MHHS also
disclosed the patient’s PHI, including her name, through press releases it
issued to 15 media outlets and/or reporters, during meetings its senior
leaders held with public officials in response to the events, and in a
statement on its website.  OCR initiated its compliance investigation based
on these multiple media reports, which suggested that MHHS impermissibly
disclosed the patient’s PHI without her authorization.  Based on the
Resolution Agreement, OCR also determined that MHHS failed to timely
document the sanctions imposed against those members of its workforce who
made the disclosure, thus failing to comply with its privacy policies and
procedures, and with HIPAA’s Privacy Rule.

The corrective action plan obliges MHHS to do the following:

- Develop, maintain and revise its written policies and procedures to
comply with the HIPAA Privacy, Security and Breach Notification Rules and
submit them to OCR for approval.

- Distribute its new approved policies and procedures to all members of its
workforce and require that all members certify that they have read,
understand and will comply with the new standards.

- Assess, update and revise, as necessary, its policies and procedures at
least annually.

- Investigate any notice it receives that a workforce member may have
failed to comply with its policies and procedures.

- Train its workforce members on its policies and procedures.

This is OCR’s eighth published action since the beginning of 2017 and
indicates that the office is continuing to aggressively enforce HIPAA’s
privacy and security requirements.  It also suggests that OCR is vigilantly
monitoring more than just HIPAA Breach Notification Reports—it is keeping
its eyes and ears open to any media reports that involve public disclosures
of PHI, covered entities, or their business associates.