Memorial Hermann Health System has gotten slapped with a $2.4 million fine after being found liable for breaking HIPAA rules by releasing the name of a patient who was arrested, even though the identity became public through police records.
Memorial Hermann Health System has agreed to pay $2.4 million to the U.S. Department of Health and Human Services to settle potential violations of the Health Insurance Portability and Accountability Act, according to HHS.
In September 2015, a patient at one of Memorial Hermann's clinics presented an allegedly fraudulent identification card to office staff, according to HHS. Staff immediately alerted authorities, and the patient was arrested.
That disclosure was permitted under the HIPAA Rules, HHS said. But the Texas health system subsequently violated HIPAA by publishing a press release with the patient's name in the title of the document.
Between Sept. 15 and 19, 2015, Memorial Hermann disclosed the patient's name through press releases issued to 15 media outlets and reporters, HHS said. Senior hospital executives also disclosed the patient's protected information to an advocacy group, state representatives and a state senator, and on the health system's website.
The patient was 44-year-old Blanca Borrego, an immigrant from Mexico who was arrested at a gynecologist's office after presenting a fake ID, according to the Houston Chronicle. She had lived in the Houston area for 12 years and had no record of prior arrests, the report said.
Protestors objecting to the incident stood outside the medical office and said hospitals, as well as churches, should be safe zones for immigrants.
Borrego's fate since the 2015 incident is not known. At least one of her three children is reportedly an American citizen.
Under the resolution agreement, signed on April 20 by Memorial Hermann President and CEO Benjamin Chu, MD, the health system agrees to pay the U.S. Department of Health and Human Services $2.4 million and to adopt a comprehensive corrective action plan.
The action plan requires MHHS to update its policies and procedures on safeguarding private information from impermissible uses and to train its workforce.
The HHS Office for Civil Rights initiated a compliance review of Memorial Hermann based on multiple media reports suggesting that it disclosed the patient's protected health information without an authorization.
"Senior management should have known that disclosing a patient's name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response," said OCR Director Roger Severino. "This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere."
Memorial Hermann is a nonprofit health system comprised of 16 hospitals and specialty services in the Greater Houston area.