Those of us who follow HIPAA enforcement actions have become accustomed to seeing multi-million dollar settlements with HHS resulting from HIPAA privacy and security violations. Without fail, those large settlements have involved the disclosure of hundreds, or even thousands, of patient records (or in the case of health plans, participant records). This week, HHS announced a $2.4 million settlement with Memorial Hermann Health System (MHHS) for improperly disclosing the name of a single patient.
Here is what happened. A Mexican immigrant presented a fake Texas driver’s license at an MHHS clinic. Staff at the clinic reported the incident and the patient was detained and arrested. In response to protests at the clinic claiming that medical facilities should be a “safe zone” for immigrants, MHHS issued a press release to media outlets explaining its actions. The press release included the patient’s name. Apparently MHHS assumed that since the patient’s name was publicly available in police records, and her name and picture had been widely published in other media reports, it would be fine to include the name in its press release. Bad assumption.
While the disclosure of PHI to law enforcement is generally permitted, there is no exception for the disclosure of the patient’s name to the public, even for purposes of correcting the record or defending the covered entity from negative publicity. In that regard, this case is similar to the settlement reached with HHS by Shasta Regional Medical Center in 2013. In that situation, Shasta had been accused of Medicare fraud in a media report that referenced the billing for a particular patient, and had provided the patient’s PHI to the media to refute the allegation. The settlement cost Shasta $275,000.
One lesson from these cases is that HIPAA does not allow a covered entity to defend itself in the media using PHI, even if the PHI is already in the public domain and is being used against the covered entity.