HIPAA: How a Press Release Cost a Hospital $2.4M in Fines

Federal regulators slapped a Houston-based healthcare system with a $2.4 million HIPAA settlement stemming from the disclosure of one patient’s information to the news media without the individual’s consent. Do you think that’s excessive? Read on … the details are quite interesting.

In a May 10 statement, the Department of Health and Human Services (HHS) says Memorial Hermann Health System, which operates 16 hospitals in the greater Houston area, has agreed to pay the $2.4M financial settlement and adopt a comprehensive corrective action plan to fully settle potential violations of the HIPAA Privacy Rule.

The ‘patient’ whose information was released was a fraudster

How this all came about: back in September 2015, a patient at one of MHHS’s clinics presented an allegedly fraudulent ID card to office staff. “The staff immediately alerted appropriate authorities of the incident, and the patient was arrested,” the Department of Health and Human Services Office for Civil Rights (OCR) noted.

While that particular disclosure of Personal Health Information (PHI) to law enforcement agencies is permitted under HIPAA, “MHHS subsequently published a press release concerning the incident in which MHHS senior management approved the impermissible disclosure of the patient’s PHI by adding the patient’s name in the title of the press release,” OCR notes. “In addition, MHHS failed to timely document the sanctioning of its workforce members for impermissibly disclosing the patient’s information.”

So: handing the fraudster over to law enforcement is fine, but writing a press release with the fraudster’s name in it is a HIPAA violation.

OCR’s Director, Roger Severino, believes that senior management “should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA privacy violation that would induce a swift OCR response. This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

Organizations under regulatory oversight must be ever-mindful of disclosing even the most innocuous information. In this case, a single patient’s name was enough for the regulator to step in, and it resulted in a large fine.

Do you wonder when a duty of care attaches? Is the ‘patient’ covered merely by being on hospital property, or only once they actually obtain care? To be safe, you should assume HIPAA applies immediately, even to fraudsters.

Implementation of even a modest Data Loss Prevention (DLP) solution could and would have highlighted the use of PHI in the document, though we’re not sure whether the administrator or hospital staff would have overridden the warning and released the press release anyway. At least getting the warning might have caused the hospital staff to think twice.
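As an added illustration (not code from the original post, and not anything Memorial Hermann runs), here is the kind of name-matching rule a modest DLP check would apply to an outgoing press release before publication: it compares the title and body against a patient roster and blocks the release on any hit, treating a hit in the headline as the worst case. The roster names, the press-release text and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample roster (hypothetical names). In practice this would be fed
# from the patient index, and a real DLP product would not hold it in plain text.
PATIENT_ROSTER = ("Jane Q. Sample", "John Doe")


@dataclass(frozen=True)
class Finding:
    field: str   # which part of the document matched: "title" or "body"
    name: str    # the roster entry that matched
    offset: int  # character offset of the match within that field


def name_variants(full_name: str) -> List[str]:
    """Return the full roster name plus a first-and-last form with initials dropped,
    so 'Jane Q. Sample' also catches 'Jane Sample' in the copy."""
    parts = full_name.split()
    variants = [full_name]
    no_initials = [p for p in parts if len(p.rstrip(".")) > 1]
    if len(no_initials) >= 2 and no_initials != parts:
        variants.append(" ".join(no_initials))
    return variants


def _pattern(name: str) -> "re.Pattern[str]":
    # Whole-word, case-insensitive, tolerant of extra whitespace or line breaks
    # between the name's tokens.
    tokens = [re.escape(p) for p in name.split()]
    return re.compile(r"\b" + r"\s+".join(tokens) + r"\b", re.IGNORECASE)


def scan_document(title: str, body: str,
                  roster: Iterable[str] = PATIENT_ROSTER) -> List[Finding]:
    """Flag every occurrence of a roster name (or its variant) in title or body."""
    findings: List[Finding] = []
    for name in roster:
        for variant in name_variants(name):
            pat = _pattern(variant)
            for field, text in (("title", title), ("body", body)):
                for m in pat.finditer(text):
                    findings.append(Finding(field, name, m.start()))
    return findings


def release_decision(findings: List[Finding]) -> str:
    """'allow' when nothing matched; otherwise block, naming where the PHI sits.
    A headline hit is called out separately because headlines get syndicated."""
    if not findings:
        return "allow"
    if any(f.field == "title" for f in findings):
        return "block: patient name in headline"
    return "block: patient name in body"


if __name__ == "__main__":
    # Constructed press-release text mirroring the incident in the article.
    title = "Jane Sample arrested after presenting fraudulent ID at clinic"
    body = ("A patient presented a false identification card to front-office staff. "
            "Staff alerted authorities and the individual was taken into custody.")
    hits = scan_document(title, body)
    for h in hits:
        print(f"{h.field}: '{h.name}' at offset {h.offset}")
    print(release_decision(hits))
```

A roster-based rule like this only catches names the organisation already knows; a production DLP policy would layer pattern rules (medical record numbers, dates of birth) on top and route a blocked release to a privacy officer rather than relying on the author to heed a warning.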
