July 8, 2020

Volume X, Number 190

July 07, 2020

Subscribe to Latest Legal News and Analysis

July 06, 2020

Subscribe to Latest Legal News and Analysis

Memorial Hermann’s Use of Patient Name in Press Release Leads to $2.4 Million HIPAA Settlement

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas.  Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics.  In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.

The original incident occurred in September 2015 when a patient presented a fake Texas driver’s license upon arrival for a scheduled visit at a Memorial Hermann gynecologic clinic.  After the clinic staff asked for and the patient was unable to provide another form of identification, the staff called the Texas Department of Public Safety (DPS) for assistance in verifying the patient’s driver’s license.  DPS told the office staff to contact local law enforcement, who determined that the identification card was fraudulent and decided to arrest the patient during her visit to the clinic.

After the incident became public, Memorial Hermann came under attack by immigration activists because the patient was undocumented.  However, as OCR pointed out in its press release, Memorial Hermann’s disclosure of the patient’s name and other identifying information to law enforcement was permissible under HIPAA’s Privacy Rule.

The HIPAA violation occurred after the incident, when Memorial Hermann used the patient’s name in the title of a press release about the incident.  The settlement stems from Memorial Hermann’s unauthorized disclosure of the patient’s name in the press release, which had been approved by senior management, and its failure to timely document the sanctioning of relevant employees for disclosing the patient’s name.

As we’ve previously discussed, entities covered by HIPAA must train their workforce and develop policies and procedures on permissible uses and disclosures of protected health information (PHI). This settlement highlights the need for such training and policies and procedures with respect to disclosures of PHI to the media and law enforcement in particular. Entities covered by HIPAA should ensure that their workforce understands when disclosures to law enforcement are permissible but that permissible disclosures to law enforcement do not allow the entity to use or disclosure PHI in an otherwise impermissible manner. Furthermore, such entities should have policies in place that prohibit anyone from providing comments about patient matters to the media unless such comments have been reviewed and approved by the Privacy Officer or another individual in charge of HIPAA-related matters.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume VII, Number 138


About this Author

Sarah Beth S. Kuyers, Mintz Levin, nonprofit affiliation lawyer, health care systems attorney

Sarah Beth’s practice involves a variety of regulatory, transactional, and enforcement defense matters for clinical laboratories, hospitals, pharmacies, insurers, and other health care clients.

Sarah Beth routinely advises clients on a wide variety of federal and state health care regulatory issues, including anti-kickback and self-referral laws, licensure and scope of practice rules, telemedicine, certificate of need applications, food and drug law, and HIPAA compliance. She also handles licensure and regulatory filings for clinical laboratories and other health care providers....