Memorial Hermann Faces Penalties For Possible Violations Of Patient Privacy Rule

HOUSTON, TX — Memorial Hermann Health System has agreed to adopt a correction action plan and pay a $2.4 million settlement after releasing the name of a patient and his personal health care information in press releases, on its website and during public meetings. The U.S. Department of Human Services said the disclosure violated the Health Insurance Portability and Accountability Act Privacy Rule, known as HIPAA.

The settlement came as a result of a compliance review by the Health and Human Services Office for Civil Rights, which according to the settlement released Thursday, learned that Memorial Hermann Health System released protected patient information without that patient’s authorization. Memorial Hermann released the information after the patient was arrested for presenting false identification to a hospital worker.

Memorial Hermann Hospital System serves a multi-county area along the Gulf Coast, and is the largest not-for-profit health system in southeast Texas.

The Memorial Hermann Hospital System, which employs 24,000 people, includes 13 hospitals, eight cancer centers, three heart and vascular institutes, and 27 sports medicine and rehabilitation centers within the multi-county area.

According to the settlement, the incident happened in September 2015.

The staff members who received the fake ID called police, who arrested the patient. (Want to get daily updates about news and other events going on in your area? Sign up for the free Houston Patch morning newsletter.)

Under the HIPAA rules, disclosure of the patient’s health status is allowed to law enforcement agencies. According to the investigation, the Memorial Hermann Health System violated the privacy law by releasing the patient's name and health information publicly.

Roger Severino, director for the Health and Human Services Office for Civil Rights, said Memorial Hermann officials should have understood that the information could not be made public under HIPAA rules.

“This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere,” Severino said in a statement.

Under the corrective action plan, Memorial Hermann Health Systems must thoroughly review and update their policies for safeguarding patient protected health information to ensure they comply with federal standards.

Memorial Hermann has 60 days to complete the policy update and submit the revised policies and procedures to the Department of Health and Human Services for review.

Under the corrective action plan, Memorial Hermann is required to review their policies, and provide policy updates and annual reports to the Department of Health and Human Services until 2023.

The full report can be accessed by clicking the Department of Health and Human Services link.

Image: Shutterstock

Follow Us On Facebook: Engage with your neighbors in the Metro Houston area and keep up with the talk of the day by liking one of our Facebook pages. Houston / Midtown Houston / Houston Heights / Galleria - River Oaks / Bellaire / Meyerland / Humble-Kingwood / Conroe-Montgomery County / Sugar Land / Pasadena / The Woodlands / Clear Lake