After a series of unfortunate events, the Memorial Hermann Health System in Texas has been fined $2.4 million for various HIPAA violations stemming from a patient’s use of a fraudulent driver’s license in 2015. The event gained great attention from both the media and immigrant rights activists as the patient was an undocumented immigrant.
MHHS staff reported the use of the ID, which led to the patient’s arrest. The disclosure of the patient’s personal information to law enforcement officials was permitted by Federal law. However, when Memorial Hermann included the patient’s information in press releases and shared it during meetings with activists, state representatives, and a state senator following the events, it violated HIPAA, because the patient never authorized MHHS to use their name in any publication or discussion.
The Health and Human Services Office for Civil Rights also later found that Memorial Hermann failed to document, in a timely manner, the sanctioning of the staff who disclosed the patient’s information. As a result of the HIPAA violations, MHHS was fined $2.4 million and must enter a 2-year corrective action plan. Corrective steps include requiring all MHHS facilities to attest to their understanding of permissible uses and disclosures of patient data, including the use of patient data in the media, and internal policy changes to prevent future violations.
The patient’s name was included in the title of the circulated press release, which was a clear breach of the HIPAA Privacy Rule and should have been prevented by administration. MHHS is required to keep all patient information protected and private. Healthcare organizations must not underestimate the importance of training staff members in correct adherence to HIPAA rules and in how best to manage HIPAA violations. Having safeguards in place to protect patient data and to educate staff on proper protocols can also benefit an organization in the event of a potential breach.