Houston-based Memorial Hermann Health System will pay $2.4 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it inappropriately disclosed patient information.
In September 2015, a patient presented a reportedly fraudulent identification card to office staff at one of Memorial Hermann's clinics. The staff immediately alerted appropriate authorities, leading to the patient's arrest.
Following the incident, Memorial Hermann issued a news release, which included the patient's name in its headline. HHS' Office for Civil Rights called this decision an "impermissible disclosure" of protected health information by the health system's senior management.
In its compliance review, OCR also determined Memorial Hermann failed to document the sanctioning of workforce members involved in the decision in a timely manner.
"Senior management should have known that disclosing a patient's name on the title of a press release was a clear HIPAA privacy violation that would induce a swift OCR response," said OCR Director Roger Severino. "This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere."
A Memorial Hermann spokesperson declined Becker's Hospital Review's request for comment.
Click here to view the HHS release.