If you ever wonder, “how serious can disclosure of Protected Health Information (“PHI”) really be?” consider the case of one of the nation’s most prestigious health systems. According to a press release of May 10, 2017, Memorial Hermann Health System (“Memorial Hermann”) has agreed to pay $2.4 million ($2,400,000.00) to the U.S. Department of Health and Human Services (“HHS”) and adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.
In 2015, Blanca Borrego, a woman from Mexico, presented a fake Texas driver's license when she checked in for an appointment at a Memorial Hermann clinic. The clinic staff reported the fake ID to the Sheriff’s department, and Ms. Borrego was arrested. So far, no HIPAA violation.
However, Memorial Hermann subsequently published a press release concerning the incident, and senior management approved disclosure of Ms. Borrego’s identity by placing her name in the title of that release. The HHS Office for Civil Rights (“OCR”) characterized that action as “a clear HIPAA Privacy violation that would induce a swift OCR response.” OCR also cited Memorial Hermann for failing to timely document the sanctioning of the workforce members who impermissibly disclosed the patient’s information.
In addition to the $2.4 million monetary settlement, Memorial Hermann is required to develop and implement a corrective action plan that updates its policies and procedures for safeguarding PHI from impermissible uses and disclosures. It must also train its workforce members to ensure compliance with those policies and procedures. The corrective action plan further requires all Memorial Hermann facilities to attest to their understanding of the permissible uses and disclosures of PHI, including disclosures to the media.
$2.4 million, a corrective action plan, and negative press are Memorial Hermann’s cost for a lapse in judgment that led to disclosure of the PHI of a single patient. Notably, OCR’s prescribed remedy for preventing further incidents is nothing novel: train the staff and implement sound policies. Undoubtedly, Memorial Hermann thought it had already done that. It is quite likely that, like most clinics, it was confident its compliance program was good enough. However, as I often heard my father say, “Good enough, isn’t.”
If you think that “good enough” isn’t good enough for your medical practice, and would like to conduct an audit of the effectiveness of your compliance with HIPAA and other health care regulations, contact Dennis Sadler, of Leitner, Williams, Dooley & Napolitan, PLLC at firstname.lastname@example.org or (901) 527-0214.