Patient Crimes and Press Releases: Recent HIPAA Settlement Highlights Management Pitfalls Patient Crimes and Press Releases: Recent HIPAA Settlement Highlights Management Pitfalls

Patient Crimes and Press Releases: Recent HIPAA Settlement Highlights Management Pitfalls

On May 10, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Memorial Hermann Health System (MHHS), a not-for-profit health system located in Southeast Texas. MHHS agreed to pay $2.4 million and enter a corrective action plan (CAP) to settle claims that it improperly disclosed a patient’s protected health information (PHI) without authorization. While several issues converged in the underlying fact pattern, OCR’s primary message is clear: covered entities (CE) and business associates (BA) should continue to focus on workforce training at all levels—including senior management—and should not lose sight of Privacy Rule basics.
 
In September 2015, a patient presented a fraudulent identification card at one of MHHS’ clinics. Staff notified law enforcement, and the patient was arrested. In its announcement of the settlement, OCR was quick to point out that this disclosure to law enforcement was permitted under the Privacy Rule. The CE’s troubles began, however, when senior management approved a press release regarding the incident that included the patient’s name in its title. The situation was compounded by the fact that MHHS did not timely document its sanctioning of the workforce members responsible for the impermissible disclosure. OCR initiated a compliance review based on multiple media reports suggesting that the covered entity disclosed PHI to the media and “various public officials” without the patient’s authorization.
 
OCR’s investigation indicated that MHHS engaged in the following conduct:
 
  • Knowingly and intentionally failed to safeguard PHI in its possession;
  • Failed to timely document the sanctions imposed against workforce members who failed to comply with its privacy policies and procedures and the Privacy Rule; and
  • Disclosed the patient’s PHI, without obtaining the patient’s written authorization (in violation of 45 CFR § 164.502(a)):
    • Through press releases issued to fifteen (15) media outlets and/or reporters;
    • Via senior leadership, in three meetings with an advocacy group, state representatives, and a state senator; and
    • In a statement on its website, during a two-week period.
In addition to paying the multimillion dollar resolution amount, MHHS agreed to enter a two -year CAP that requires it to devise, implement, and distribute to workforce members OCR-approved policies and procedures addressing important Privacy Rule foundational elements, including: (1) uses and disclosures for which an authorization is required (such as disclosures to the media, to public officials, and on the internet); (2) disclosures for law enforcement purposes; (3) uses and disclosures for health oversight activities; and (4) the application and documentation of appropriate sanctions against workforce members, “including senior management,” who fail to comply with the Privacy Rule, Security Rule, Breach Notification Rule, or the CE’s own privacy and security policies and procedures (including a description of the sanctions, the timeframe for application and documentation, the manner of documentation, and where the CE will store or retain the documentation). 

Commenting on the settlement, OCR Director Roger Severino admonished: “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce swift OCR response. This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”
 
Analysis
 
Law enforcement disclosures were part of the underlying MHHS fact pattern, but when and how to make them is not the most important lesson to be learned from this settlement. CEs and BAs should remember that the Privacy Rule does not create inordinate barriers to disclosing PHI in situations where it is vital to ensuring public safety. OCR has issued guidance on disclosures to law enforcement, which emphasizes that “[t]he Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue.” The disclosure MMHS made to law enforcement was, apparently, something it did correctly.
 
The more troubling aspects are twofold: the CE’s “clear” (that is, “elemental”) failure to adhere to the Privacy Rule and the fact that this failure occurred at the senior management level. What message can we take away from this settlement? Train, train, and train—on the basics of HIPAA Rule compliance—at all organizational levels.
 
OCR has addressed the senior management issue before. In June 2013, OCR announced a settlement with Shasta Regional Medical Center that required the CE to pay a $275,000 resolution amount and enter into a CAP. The agency had opened a compliance review after a newspaper article indicated that two senior leaders at the CE had met with media to discuss medical services provided to a patient. OCR’s investigation revealed that the CE failed to safeguard the patient's PHI on multiple occasions, including when: it sent a letter to a media outlet responding to a story about Medicare fraud; it described the patient’s medical treatment and specifics about her lab results; two senior leaders met with a media editor to discuss the patient’s medical record in detail; and it sent a letter to a media outlet containing detailed information about the patient’s treatment. OCR also found that the CE failed to sanction workforce members (i.e., senior leaders and others) according to its internal policies.
 
Commenting on that settlement, former OCR Director Leon Rodriguez emphasized: “When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”
 
Clearly, the C-suite will not get a pass from OCR. As former Director Rodriguez’s comments make clear, privacy violations committed by senior management are likely to engender quite the opposite result: swift and sure enforcement. A CE’s workforce members act on its behalf to safeguard the confidentiality, integrity, and availability of PHI, and workforce non-compliance can expose the CE to liability. Senior management, like the rest of the workforce, must comply with the Privacy Rule when using and disclosing the entity’s PHI and, like the rest of the workforce, must be appropriately educated, trained, and sanctioned for violating the HIPAA Rules or the CE’s privacy policies. In fact, OCR may construe a HIPAA violation committed by senior leadership (individuals who should have “known better”) as signaling the CE’s organizational disregard for compliance with the HIPAA Rules. Accordingly, noncompliance at the senior management level may demonstrate that the CE acted with “willful neglect,” which may result in OCR assessing a greater civil money penalty or proposing a higher settlement amount than it would otherwise.[1] 
 
As the Privacy Rule’s administrative requirements state:

A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by [the Privacy Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.[2]
 
Must all C-suite members sit through a day-long (or longer) “soup-to-nuts” HIPAA training? Yes, if that level of granularity is “necessary and appropriate” to enable them to carry out their functions. If a member of senior management does not regularly use or disclose PHI, or only uses or discloses PHI in certain situations, the CE or BA will likely make best use of time and resources by tailoring his or her training specifically to those situations. But all workforce members at a CE or BA should be able to recognize PHI, understand the scope and function of the Privacy Rule, and the general rules for uses and disclosures, and—perhaps most importantly —know how to reach out to its compliance officers, legal counsel, and even OCR for further guidance and support. In other words, even if the C-suite does not regularly use or disclose PHI, each and every member should be an adroit issue-spotter and understand when to seek help with HIPPA Rule compliance.
 
Just as OCR will not excuse senior management from compliance, it will not excuse the CE for failing to sanction executives for their violations. The Privacy Rule states that a CE “must have and apply appropriate sanctions” against workforce members who fail to comply with the Privacy Rule or the organization’s policies and procedures.[3] Two key provisions are “apply” and “appropriate.” On one hand, it is not enough to merely document (“have”) a sanctions policy, the CE must also enforce (“apply”) it and enforce it uniformly regardless of the violator’s position at the organization. On the other hand, not every violation is or should be a terminable event. Rather, sanctions should be “appropriate” to the circumstances of the offense. Depending on the facts, appropriate sanctions may include re-training, a verbal reprimand, reassignment, written warnings … or termination. The Privacy Rule does not prescribe the type of sanction that a CE should apply for a particular violation, but OCR expects CEs to document a sanctions policy and follow it methodically when violations occur. The important MHHS takeaway is that no one at the CE is exempt from the Privacy Rule sanctions requirement or from compliance with the entity’s related policies and procedures.
 
Conclusion
 
The MHHS settlement goes beyond admonishing senior management; it also speaks to the importance of understanding the foundational elements of Privacy Rule compliance. Regulated entities should not dismiss as hyperbole Director Severino’s strong language when describing the MHHS settlement: i.e., what senior leaders “should have known,” the “clear” Privacy Rule violation, and OCR’s “swift” response. OCR does not appear to have viewed the decision that got the CE into trouble (whether to disclose the patient’s name in a press release) as particularly complicated: “clear[ly],” this should not have occurred. In fact, the arguably more complex decision of whether to disclose the patient’s identity to law enforcement was apparently made correctly. This sends a clear message that regulated entities should not become so mired in the “zebras” that they forget about the “horses.” Now is a good time for CEs and BAs to reassess their workforce’s foundational knowledge of HIPAA compliance and respond accordingly.

If you have quesions about HIPAA compliance, contact Kim Metzger, Deepali Doddi, or another member of our HIPAA Privacy and Security Practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


[1] 45 C.F.R. § 164.401 (defining “willful neglect” as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”). 
[2] 45 C.F.R. § 164.530(b)(1) (emphasis added).
[3] 45 C.F.R. § 164.530(e)(1).  Note that the HIPAA Security and Breach Notification Rules also include requirements for appropriately sanctioning workforce members.

View Full Site View Mobile Optimized