Health System Paid $2.4 Million Settlement After Identification in a Press Release of a Patient Who Was Engaged in Fraud

Kimberly Ruppel
Dickinson Wright
Contact
LinkedIn
Facebook
X
Send
Embed


The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $2,400,000 settlement with Memorial Hermann Health System (“MHHS”) to resolve an investigation of an unauthorized disclosure of protected health information (“PHI”) as a potential violation of the Privacy Rule of the Health Insurance Portability and Accountability Act (“HIPAA”).  In addition to payment of the settlement, MHHS agreed to enter into a Corrective Action Plan with provisions for training and documenting compliance efforts.  

MHHS is the largest not-for-profit health system in southeast Texas, consisting of 13 hospitals, 8 cancer centers, 3 heart and vascular institutes and 27 sports medicine and rehabilitation centers, and employs approximately 24,000 people.  

In September 2015, a patient at one of MHHS’s clinics presented an allegedly fraudulent identification card to office staff.  The staff person alerted appropriate authorities and the patient was arrested.  So far, there was no violation of HIPAA because the staff person was disclosing PHI in furtherance of permissible law enforcement efforts.

Where things began to go awry for MHHS was the initial publication of a press release identifying the patient by name in the title of the release, which was issued to fifteen media outlets and/or reporters.  MHHS further compounded its error by disclosing the patient’s name during three meetings with an advocacy group, state representatives, and a state senator.  To make matters worse, MHHS then disclosed the patient’s name in a statement on MHHS’s website.  

None of these disclosures were authorized by the patient, and MHHS senior leadership was involved.  Further, MHHS failed to document any sanctions imposed against its violators.  These factors may explain why the OCR required a particularly high settlement amount.   

Lessons learned:  (1) disclosure of PHI for law enforcement purposes does not include identification of the alleged criminal to other parties; (2) HIPAA training is important for all employees, not just medical providers and treaters and administration who deal more directly with patients; (3) sanctions against offending employees must be promptly implemented and documented.
 
 
 
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson Wright | Attorney Advertising

Written by:

Dickinson Wright
Dickinson Wright
Contact
more
less

Dickinson Wright on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide