A Texas health system has agreed to pay $2.4 million to settle potential HIPAA violations stemming from an incident where it named a patient in a press release, authorities announced Wednesday.
Memorial Hermann Health Systems operates 16 hospitals, as well as hospice services and a senior living and nursing care community, in the Houston area. The potential violation occurred in 2015, when a woman who was living in the United States illegally presented a fake identification card during a doctor’s visit. Memorial Hermann alerted authorities, who arrested the woman.
The provider’s disclosure of the woman’s name to law enforcement was permitted under HIPAA, the Department of Health and Human Services said in a press release. But Memorial Hermann erred in publishing a press release on the incident that included the patient’s name, officials said. It also failed to properly document the steps it took to sanction the employees who released the information.
Requests for comment from Memorial Hermann were not returned by production deadline on Thursday.
“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said Roger Severino, director of the HHS’ Office for Civil Rights. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
The provider also agreed to a corrective plan that requires it to update its policies and procedures on protecting patients’ health information, train staff on the new policies, and have all Memorial Hermann facilities attest to their understanding of disclosing patients’ health information.