
Disclosure of a Single Patient’s PHI Leads to Hefty $2.4 Million Settlement

Key Takeaway:

  • Covered Entities must protect patient privacy, even in the midst of an otherwise permissible disclosure to law enforcement.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) continues its active enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with a recent high-profile settlement with Memorial Hermann Health System (MHHS). MHHS is the largest nonprofit health system in the greater Houston area and has approximately 24,000 employees across its 13 hospitals and additional specialty clinics. MHHS paid $2.4 million to OCR and agreed to a two-year corrective action plan to settle potential HIPAA violations stemming from the impermissible disclosure of a single patient’s protected health information (PHI) to the media and others without that patient’s authorization.

The settlement resulted from a September 2015 incident, in which a patient presented herself at one of MHHS’ clinics with an allegedly fraudulent identification card. MHHS staff immediately alerted the appropriate law enforcement personnel and the patient was arrested. Although this disclosure of PHI to law enforcement authorities was permissible, MHHS also disclosed the patient’s PHI, including her name, through press releases it issued to 15 media outlets and/or reporters, during meetings its senior leaders held with public officials in response to the events, and in a statement on its website. OCR initiated its compliance investigation based on these multiple media reports, which suggested that MHHS impermissibly disclosed the patient’s PHI without her authorization. Based on the Resolution Agreement, OCR also determined that MHHS failed to timely document the sanctions imposed against those members of its workforce who made the disclosure, thus failing to comply with its privacy policies and procedures, and with HIPAA’s Privacy Rule.

The corrective action plan obliges MHHS to do the following:

  1. Develop, maintain and revise its written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules and submit them to OCR for approval.

  2. Distribute its new approved policies and procedures to all members of its workforce and require that all members certify that they have read, understand and will comply with the new standards.

  3. Assess, update and revise, as necessary, its policies and procedures at least annually.

  4. Investigate any notice it receives that a workforce member may have failed to comply with its policies and procedures.

  5. Train its workforce members on its policies and procedures.

This is OCR’s eighth published action since the beginning of 2017 and indicates that the office is continuing to aggressively enforce HIPAA’s privacy and security requirements. It also suggests that OCR is vigilantly monitoring more than just HIPAA Breach Notification Reports—it is keeping its eyes and ears open to any media reports that involve public disclosures of PHI by covered entities or their business associates.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

Jennifer R. Breuer, Attorney, Drinker Biddle, Healthcare Lawyer

Jennifer R. Breuer represents health care providers and suppliers in transactional, compliance and regulatory matters, with a focus on Stark Law and Anti-Kickback Statute compliance for hospital-physician relationships. Jen also advises on data strategy and privacy law compliance for electronic health records, health information exchanges and other technology platforms. She regularly assists in the development of compliance strategies for ehealth and telemedicine providers.

Prior to attending law school, Jen worked as a strategy consultant to the worldwide pharmaceutical, biotechnology and medical device industries.

Jen is vice chair of Drinker Biddle's Health Care Group and co-chair of the firm’s Women's Leadership Committee.

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...