Texas health system to pay HHS $2.4 million for patient information breach

The Texas health system Memorial Hermann Health System (MHHS) has agreed to pay HHS $2.4 million and to implement a corrective action plan after a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

MHHS, with a total of 16 hospitals and specialty services, will update its policies and procedures for protecting patient information from impermissible uses and will train its staff. MHHS facilities will also be examined on knowledge of uses and disclosures of patient health information.

The settlement payment and comprehensive plan come after an HHS Office for Civil Rights (OCR) compliance review that followed reports of an unauthorized disclosure of patient health information. In September 2015, a patient used an allegedly fraudulent ID card and was arrested. However, MHHS named the patient in the title of a subsequent press release, disclosing health information. MHHS also did not document employees' approval of the press release for the disclosure of patient information.

“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”