May 23, 2017


May 22, 2017

Disclosure of a Single Patient’s PHI Leads to Hefty $2.4 Million Settlement

Key Takeaway:

  • Covered Entities must protect patient privacy, even in the midst of an otherwise permissible disclosure to law enforcement.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) continues its active enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with a recent high-profile settlement with Memorial Hermann Health System (MHHS). MHHS is the largest nonprofit health system in the greater Houston area and employs approximately 24,000 employees across its 13 hospitals and additional specialty clinics. MHHS paid $2.4 million to OCR and agreed to a two-year corrective action plan to settle potential HIPAA violations stemming from the impermissible disclosure of a single patient’s protected health information (PHI) to the media and others without that patient’s authorization.

The settlement resulted from a September 2015 incident in which a patient presented herself at one of MHHS’ clinics with an allegedly fraudulent identification card. MHHS staff immediately alerted the appropriate law enforcement personnel, and the patient was arrested. Although this disclosure of PHI to law enforcement authorities was permissible, MHHS also disclosed the patient’s PHI, including her name, through press releases it issued to 15 media outlets and/or reporters, during meetings its senior leaders held with public officials in response to the events, and in a statement on its website. OCR initiated its compliance investigation based on these multiple media reports, which suggested that MHHS had impermissibly disclosed the patient’s PHI without her authorization. Based on the Resolution Agreement, OCR also determined that MHHS failed to timely document the sanctions imposed against those members of its workforce who made the disclosure, thereby failing to comply with its own privacy policies and procedures and with HIPAA’s Privacy Rule.

The corrective action plan obliges MHHS to do the following:

  1. Develop, maintain and revise its written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules and submit them to OCR for approval.

  2. Distribute its new approved policies and procedures to all members of its workforce and require that all members certify that they have read, understand and will comply with the new standards.

  3. Assess, update and revise, as necessary, its policies and procedures at least annually.

  4. Investigate any notice it receives that a workforce member may have failed to comply with its policies and procedures.

  5. Train its workforce members on its policies and procedures.

This is OCR’s eighth published action since the beginning of 2017 and indicates that the office is continuing to aggressively enforce HIPAA’s privacy and security requirements. It also suggests that OCR is vigilantly monitoring more than just HIPAA Breach Notification Reports—it is keeping its eyes and ears open to any media reports that involve public disclosures of PHI by covered entities or their business associates.

©2017 Drinker Biddle & Reath LLP. All Rights Reserved

About this Author

Katherine Armstrong, Data Privacy Lawyer, Drinker Biddle Law firm
Counsel

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

202-230-5674
Jennifer Breuer, health care, attorney, Drinker Biddle, law firm
Partner

Jennifer R. Breuer is Vice Chair of Drinker Biddle's Health Care Practice Group and Co-Chair of the firm’s Women's Leadership Committee. Jennifer represents health care providers and suppliers in transactional, compliance and regulatory matters, with a focus on Stark Law and Anti-Kickback Statute compliance for hospital-physician relationships and data strategy/privacy law compliance for electronic health records, health information exchanges and other technology platforms. She also regularly assists in the development of compliance strategies for ehealth and telemedicine providers.

312-569-1256
Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney
Associate

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...

312-569-1268