The latest in 2017 HIPAA settlements comes with a $2.4 million price tag. Memorial Hermann Health System agreed to pay the multimillion-dollar settlement to the U.S. Department of Health and Human Services (HHS) for releasing the name of a patient and other personal health information (PHI) in a press release.
The patient presented an allegedly fraudulent identification card to Memorial Health staff in September 2015. The staff took proper steps in alerting the appropriate authorities, and the patient was arrested. However, things took a turn for the worse when Memorial Health then published a press release about the incident with the patient's name in its title. Senior executives also improperly disclosed the patient's PHI to other groups and on the health system's website.
Along with the $2.4 million settlement, Memorial Health agreed to a corrective action plan that requires it to update its policies and procedures on safeguarding PHI from improper use and disclosure, and to train its staff. The corrective action plan also requires all 16 of Memorial Health's hospitals and specialty services to attest to their understanding of permissible uses and disclosures of PHI. More on the plan can be found on the OCR website.
This marks the eighth penalty of 2017 issued by the HHS Office for Civil Rights, resulting in over $14.5 million in penalties.