The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently reported on its compliance review of Memorial Hermann Health System (MHHS). MHHS has agreed to pay $2.4 million and adopt a comprehensive corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The CAP requires all MHHS facilities to attest to their understanding of permissible uses and disclosures of protected health information (PHI), including disclosures to the media.

OCR’s compliance review was predicated on multiple media reports suggesting that MHHS disclosed a patient’s PHI without an authorization. A patient presented an allegedly fraudulent identification card to office staff, who alerted the appropriate authorities to the incident, and the patient was arrested. This disclosure of PHI to law enforcement was permitted under the HIPAA Rules. However, MHHS subsequently published a press release concerning the incident. MHHS senior management approved adding the patient’s name to the title of the press release, which was an impermissible disclosure of the patient’s PHI. In addition, MHHS failed to timely document the sanctioning of its workforce members for impermissibly disclosing the patient’s information.
The full article is available at: