May 23, 2017


Memorial Hermann’s Use of Patient Name in Press Release Leads to $2.4 Million HIPAA Settlement

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas.  Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics.  In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.

The original incident occurred in September 2015 when a patient presented a fake Texas driver’s license upon arrival for a scheduled visit at a Memorial Hermann gynecologic clinic.  After the clinic staff asked for and the patient was unable to provide another form of identification, the staff called the Texas Department of Public Safety (DPS) for assistance in verifying the patient’s driver’s license.  DPS told the office staff to contact local law enforcement, who determined that the identification card was fraudulent and decided to arrest the patient during her visit to the clinic.

After the incident became public, Memorial Hermann came under attack by immigration activists because the patient was undocumented.  However, as OCR pointed out in its press release, Memorial Hermann’s disclosure of the patient’s name and other identifying information to law enforcement was permissible under HIPAA’s Privacy Rule.

The HIPAA violation occurred after the incident, when Memorial Hermann used the patient’s name in the title of a press release about the incident.  The settlement stems from Memorial Hermann’s unauthorized disclosure of the patient’s name in the press release, which had been approved by senior management, and its failure to timely document the sanctioning of relevant employees for disclosing the patient’s name.

As we’ve previously discussed, entities covered by HIPAA must train their workforce and develop policies and procedures on permissible uses and disclosures of protected health information (PHI). This settlement highlights the need for such training and policies and procedures with respect to disclosures of PHI to the media and law enforcement in particular. Entities covered by HIPAA should ensure that their workforce understands when disclosures to law enforcement are permissible, and that a permissible disclosure to law enforcement does not allow the entity to use or disclose PHI in an otherwise impermissible manner. Furthermore, such entities should have policies in place that prohibit anyone from providing comments about patient matters to the media unless such comments have been reviewed and approved by the Privacy Officer or another individual in charge of HIPAA-related matters.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Sarah Beth S. Kuyers, Mintz Levin
Associate

Sarah Beth’s practice focuses on advising health care providers, PBMs, and laboratories on a variety of regulatory issues.

Prior to joining Mintz Levin, Sarah Beth worked as a law clerk with the health staff of the US Senate Committee on Finance, where she researched policy, regulations, and legislation regarding commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act. She also drafted legislation.

In addition, Sarah Beth worked as a law clerk for a legal practice in Washington, DC. Her...
