An organization in Texas has agreed to a $2.4 million monetary settlement and a comprehensive corrective action plan for an impermissible disclosure in a press release. The impermissible disclosure in a press release follows a permissible disclosure of protected health information (PHI) to law enforcement.
According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announcement, Memorial Herman Health System disclosed a patient's PHI without authorization. In 2015, a patient at a clinic presented what appeared to be a fraudulent identification card to office staff. The staff notified law enforcement of the incident and the patient was arrested. While this disclosure to law enforcement was permitted under HIPAA Rules, the subsequent disclosure was not.
Memorial Herman Health System published a press release concerning the incident which was approved by senior management. The problem is the press release included an impermissible disclosure of the patient's PHI because the patient's name was added to the title of the press release.
To settle the impermissible disclosure Memorial Herman Health System agreed to:
- $2.4 million monetary settlement
- Update policies and procedures on safeguarding PHI from impermissible uses and disclosures
- Training staff on properly using and disclosing PHI
- Attesting to their understanding of permissible uses and disclosures, including to the media
This settlement is an important reminder of our obligation to safeguard patient PHI. We must do our best to avoid impermissible uses and disclosures, including disclosures to the media. Before using a patient's name in the media you must obtain his or her permission.
If you have any questions please do not hesitate to contact us by phone 1-855-427-0427 or email[email protected].