On May 10, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement with Memorial Hermann Health System (MHHS) under which the Houston-area system paid $2.4 million and entered into a Resolution Agreement related to allegations that it publicly disclosed protected health information (PHI) without an authorization. OCR's investigation arose from MHHS's disclosure of a single patient's name in a 2015 press release about an incident involving an allegedly fraudulent ID card.
MHHS's press release had been reviewed and approved by its management. "Senior management should have known that disclosing a patient's name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response," said OCR Director Roger Severino. "This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere."
Among other things, the Resolution Agreement requires that MHHS (i) update its policies and procedures on safeguarding PHI from impermissible uses and disclosures, (ii) train its workforce members, and (iii) obtain an attestation from each facility that its workforce has been trained on permissible uses and disclosures of PHI, including disclosures to the media.