Texas Health System Agrees to Pay $2.4 Million Settlement for Alleged HIPAA Violations

Memorial Hermann Health System (MHHS), a not-for-profit health system based in Houston, Texas, has entered into a resolution agreement with the Department of Health and Human Services, Office of Civil Rights, to pay $2.4 million for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In 2015, MHHS reported a patient to appropriate authorities for use of a fraudulent identification card. Although this was a permitted disclosure under HIPAA, MHHS impermissibly disclosed protected health information (PHI) by issuing press releases with the patient’s name, disclosing PHI in meetings with the media and public officials and in a statement on their website. In addition to the payment, MHHS agreed to a corrective action plan that requires MHHS to update its policies and procedures and appropriately train staff regarding disclosure of PHI.

This matter illustrates that a health care entity may properly cooperate with law enforcement, but must remain vigilant to not disclose PHI in impermissible ways.