On May 10, 2017, the U.S. Health and Human Services Department Office for Civil Rights (“OCR”) announced an agreement whereby Memorial Hermann Health System (“MHHS”) will pay a $2.4 million penalty for releasing a patient’s name in a press release.  According to the resolution agreement, in September 2015, a patient at an MHHS clinic presented an allegedly fraudulent identification card to office staff.  The staff notified law enforcement and the patient was arrested.  Although notification to law enforcement did not violate the HIPAA rules, it wa a violation to include the patient’s name in the title of a press release regarding the incident and to disclose the patient’s protected health information (“PHI”) during meetings with an advocacy group, state representatives, and a state senator, in response to the events.

There are a number of lessons to be learned from this settlement:

  • Confirm that senior management, as well as workforce members and subcontractors, understand the HIPAA rules.
  • Thoroughly train press and communications personnel to be alert for information that is protected by HIPAA and must not be disclosed.
  • Review and regularly update HIPAA policies and procedures.
  • Obtain patient consent before disclosing patient names on a website or in a press release.
  • Do not discuss patient PHI with the media or public officials without patient consent.
  • Be sure to document, in a timely manner, any sanctions imposed upon workforce members who fail to comply with the entity’s privacy policies and procedures or violate the HIPAA rules.

The consequences of a HIPAA violation can be severe, so any entity that handles PHI should be diligent in HIPAA compliance.