HHS Settlement for $2.4 Million Highlights HIPAA Compliance Requirements

On May 10, 2017, HHS issued a press release announcing a settlement with Memorial Hermann Health System (MHHS) for $2.4 million based on the impermissible disclosure of a patient’s protected health information (PHI). The announcement is significant because MHHS is a not-for-profit health system located in Texas, comprising 16 hospitals and specialty services.

The specifics of the situation, which involve an HHS compliance review of MHHS based on multiple media reports suggesting that MHHS disclosed a patient’s PHI without an authorization, may be reviewed in the press release and resolution agreement issued by HHS. This settlement should serve as a reminder that all covered entities, including employers who self-insure their group health plans, must have sufficient policies and procedures in place to comply with the federal standards that govern the privacy and security of individually identifiable health information.

The covered entity in this situation cooperated with law enforcement without violating HIPAA, but did not continue to protect patient privacy when making statements to the public and elsewhere. MHHS also failed to document in a timely manner the sanctioning of its workforce members for impermissibly disclosing the patient’s information. In addition to the settlement, HHS will also require MHHS to comply with a corrective action plan going forward, to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures, and to train its workforce members.

HHS Press Release »
Resolution Agreement »
More Information »