The Office for Civil Rights (OCR) has announced another HIPAA settlement, one that details both a permissible and an impermissible disclosure.

In a press release dated May 10, the OCR provided details on the most recent HIPAA settlement. Memorial Hermann Health System (MHHS) has agreed to pay the OCR $2.4 million for a situation that occurred in 2015 and is willing to adopt a corrective action plan.

MHHS is the largest not-for-profit health system in Southeast Texas with 16 hospitals and specialty programs servicing the Greater Houston area.

In September 2015, a patient at one of MHHS’s clinics provided staff with an allegedly fraudulent identification card. The staff alerted local authorities, which is an example of a permissible disclosure under HIPAA regulations. The patient was arrested by authorities.

However, the settlement stems from MHHS then publishing a press release about the incident that included the patient’s name. This is an example of an impermissible disclosure.

Per the OCR press release, MHHS senior management approved including the patient’s name in the information about the fraud incident. Additionally, MHHS failed to document the steps taken to sanction those employees in a timely manner.

MHHS will now be required to update policies and procedures on safeguarding PHI from similar incidents and ensuring that employees are trained to understand this. This includes MHHS attesting to their understanding of permissible disclosures of PHI.

OCR Director Roger Severino stated, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

Don’t make a $2.4 million mistake. Be sure you fully understand when PHI should and should not be disclosed. To learn more about permissible and impermissible disclosures, start using our online HIPAA compliance tool today.