Memorial Hermann Health System will pay the HHS $2.4 million to settle allegations that it disclosed protected patient information without authorization.
The 16-hospital not-for-profit system violated HIPAA by using a patient's name in a September 2015 news release about an incident involving an allegedly fraudulent ID card. The patient had presented the ID card to Memorial Hermann clinic staff and was subsequently arrested. Although HIPAA allows providers to disclose a patient's protected health information to law enforcement, using the patient's name in the news release, and in subsequent discussions with lawmakers and advocacy groups about the incident, violated the law, HHS said.
The Houston-based health system punished the employees who released the information but failed to document the punishment in a timely manner, HHS said in its resolution agreement.
Memorial Hermann will also undertake a corrective action plan and revise how it safeguards protected health information and trains employees.
HHS' Office for Civil Rights received 17,643 HIPAA privacy rule complaints in 2015, but it has investigated only 1,089 of those.
"This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA," said HHS Office for Civil Rights director Roger Severino in a statement, "but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere."
HIPAA privacy rule complaints have risen between 2003 and 2015, the years for which data are available, except for a slight dip between 2014 and 2015.