Yesterday the Office for Civil Rights (OCR) reported a $2.4 million settlement with the Memorial Hermann Health System (MHHS) in Houston, Texas. MHHS also agreed to a comprehensive corrective action plan to improve its HIPAA compliance. MHHS is the largest not-for-profit health system in southeast Texas, operating sixteen hospitals and numerous specialty services.
Although MHHS was called out for a HIPAA violation, it has also received many national and regional awards and recognition over the years for quality care. By all accounts, MHHS is a valuable resource in healthcare and an important member of the greater Houston community.
What is remarkable about this settlement is that it was triggered by the disclosure of protected health information (PHI) of one patient – not the more common multiple patient disclosures, many of which have resulted in smaller fines. The patient was the subject of a law enforcement inquiry, and MHHS had lawfully disclosed PHI to law enforcement authorities, but then MHHS unlawfully disclosed the patient’s name in a press release about the matter.
“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino.
In addition to a $2.4 million settlement, a corrective action plan requires MHHS to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The corrective action plan also requires all MHHS facilities to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.
This is clear evidence that HIPAA enforcement continues in 2017, and those who are not paying attention need to start. OCR is agnostic when it comes to the reputation or quality of the institutions it regulates. The best health care providers in the country will be audited and fined if their policies don’t measure up. Check out The HIPAA E-Tool® to see what a comprehensive solution can do to protect patient privacy and reduce your risk of inviting OCR scrutiny.