OCR Settles With Texas Health System for $2.4 Million for Disclosing PHI to Media In a Press Release

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff and requiring all of the facilities in the system to “attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.”

The OCR commenced its investigation following media accounts reporting that MHHS disclosed a patient’s PHI without the patient’s authorization. The underlying facts are that in September 2015, a patient presented what appeared to be a fraudulent identification card to office staff when seeking medical care. The staff alerted law enforcement about the alleged fraudulent identification card, and the patient was arrested. According to the OCR, the disclosure to law enforcement was permitted under HIPAA. However, senior management then approved a press release about the incident, which included the patient’s name in the title of the press release. The OCR found that this was an impermissible disclosure of the patient’s PHI.

In its press release, the OCR stated “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response…This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statement to the public and elsewhere.”

This is not the first OCR fine coming from a health care entity’s release of PHI to the media. Shasta Regional Medical Center settled with the OCR in June 2013 for $275,000 when members of the senior management “intentionally” disclosed a patient’s PHI “to multiple media outlets on at least three separate occasions” without the patient’s authorization and shared details about the patient’s medical condition, diagnosis and treatment in an email to its entire workforce.

The facts of the two cases are similar, but today’s fine is a stark reminder to health care entities to be cautious when interacting with the media.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Robinson+Cole Data Privacy + Security Insider

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide