June 21, 2017

June 21, 2017

Subscribe to Latest Legal News and Analysis

June 20, 2017

Subscribe to Latest Legal News and Analysis

June 19, 2017

Subscribe to Latest Legal News and Analysis

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to Media and Public Officials

The U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”) issued a May 10, 2017 press release stating that Memorial Herman Health System, a Texas-based not-for-profit health system (“MHHS”), agreed to pay $2.4M and enter into a two year corrective action plan (“CAP”) to settle potential HIPAA violations for alleged disclosure of protected health information (“PHI”) without the patient’s authorization. The CAP requires MMHS, among other things, to submit an implementation report and an annual report to HHS on MHHS’ compliance with the CAP.

According to the press release, in September 2015, a patient at one of MHHS’ clinics attempted to use an allegedly fraudulent identification card. MHHS staff immediately alerted appropriate authorities of the incident, and the patient was arrested. According to the resolution agreement, between September 15, 2015, and September 19, 2015, MHHS impermissibly disclosed the patient's PHI through press releases issued to 15 media outlets and/or reporters. MHHS' senior leaders further disclosed the patient's PHI during 3 meetings with an advocacy group, state representatives, and a state senator. MHHS also disclosed the patient's PHI in a statement on its website, without obtaining the patient's written authorization. OCR further concluded that MHHS “failed to timely document the sanctioning of its workforce members” for the violations. 

“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This enforcement action is a reminder that even though disclosure of PHI is permitted under the HIPAA Rules (in this case for law enforcement purposes), a permitted disclosure allowed for one purpose does not necessarily mean you can disclose that same PHI for another purpose or that other restrictions do not apply.

© Polsinelli PC, Polsinelli LLP in California

TRENDING LEGAL ANALYSIS


About this Author

Jean Marie R. Pechette, Polsinelli, Business Strategy Attorney, Life Sciences Industries lawyer
Shareholder

Jean Pechette is a creative yet practical thinker who partners with clients and fully engages in assisting them to achieve their matter-specific goals by first understanding their overall business strategies. Jean has over 20 years of experience in information technology, privacy and intellectual property law, with a focus on health care and life sciences industries, including serving as a division general counsel for a Fortune 50 company.  She brings to clients a unique perspective to help them navigate novel and complex technology-related problems.

312.873.3690
Thomas Kiser, Polsinelli, nonprofit medical centers lawyer, Healthcare Litigation
Shareholder

Tom Kiser draws upon a rich history of working for a nonprofit consortium of academic medical centers and their affiliated hospitals. Prior to joining Polsinelli, he served as Vice President and General Counsel from 2009 through 2015 at University HealthSystem Consortium, an Illinois nonprofit cooperative whose membership included every nonprofit academic medical center in the United States. As Vice President and General Counsel, he oversaw and managed all corporate legal work; served as corporate secretary; and oversaw all corporate transactions and contract negotiations. For current clients, he leverages his experience overseeing the regulatory compliance of one of the largest academic medicine data bases in the country. This background allows him to see things from the client’s perspective and to craft solutions to issues that can impact an organization’s ability to achieve its business goals.

312-463-6327