Key Takeaway:

• Covered Entities must protect patient privacy, even in the midst of an otherwise permissible disclosure to law enforcement.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) continues its active enforcement of the Health Insurance Portability Act of 1996 (HIPAA) with a recent high-profile settlement with Memorial Hermann Health System (MHHS).  MHHS is the largest nonprofit health system in the greater Houston area and employs approximately 24,000 employees across its 13 hospitals and additional specialty clinics.  MHHS paid $2.4 million to OCR and agreed to a two-year corrective action plan to settle potential HIPAA violations that stem from the impermissible disclosure of a single patient’s protected health information (PHI) to the media and others without that patient’s authorization.

The settlement resulted from a September 2015 incident, in which a patient presented herself at one of MHHS’ clinics with an allegedly fraudulent identification card.  MHHS staff immediately alerted the appropriate law enforcement personnel and the patient was arrested.  Although this disclosure of PHI to law enforcement authorities was permissible, MHHS also disclosed the patient’s PHI, including her name, through press releases it issued to 15 media outlets and/or reporters, during meetings its senior leaders held with public officials in response to the events, and in a statement on its website.  OCR initiated its compliance investigation based on these multiple media reports, which suggested that MHHS impermissibly disclosed the patient’s PHI without her authorization.  Based on the Resolution Agreement, OCR also determined that MHHS failed to timely document the sanctions imposed against those members of its workforce who made the disclosure, thus failing to comply with its privacy policies and procedures, and with HIPAA’s Privacy Rule.

The corrective action plan obliges MHHS to do the following:

1. Develop, maintain and revise its written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules and submit them to OCR for approval.

2. Distribute its new approved policies and procedures to all members of its workforce and require that all members certify that they have read, understand and will comply with the new standards.

3. Assess, update and revise, as necessary, its policies and procedures at least annually.

4. Investigate any notice it receives that a workforce member may have failed to comply with its policies and procedures.

5. Train its workforce members on its policies and procedures.

This is OCR’s eighth published action since the beginning of 2017 and indicates that the office is continuing to aggressively enforce HIPAA’s privacy and security requirements.  It also suggests that OCR is vigilantly monitoring more than just HIPAA Breach Notification Reports—it is keeping its eyes and ears open to any media reports that involve public disclosures of PHI, covered entities, or their business associates.