The Department of Health and Human Services Office for Civil Rights (OCR) investigated a record number of alleged HIPAA violations in 2016. A recent settlement between OCR and a health system in the State of Texas indicates that OCR investigations and enforcement actions will continue at high volume through 2017, and serves as an example of the liabilities associated with unintended (yet impermissible) disclosures prohibited under HIPAA.
On May 10, 2017, OCR revealed that Memorial Hermann Health System (Memorial Hermann) agreed to pay a settlement of $2.4 million to the Department of Health and Human Services in connection with the unauthorized disclosure of patient protected health information (PHI). According to the OCR release, a patient at Memorial Hermann provided hospital staff with a fake identification card. Upon review of the presented identification, the staff reported the patient to law enforcement and circulated a press release identifying the individual and discussing the incident. While disclosing the identity of the individual to law enforcement was a permitted disclosure under HIPAA, including the patient’s name in the press release constituted a prohibited disclosure under the law.
The case of Memorial Hermann is a reminder that providers should be well aware of the third-party disclosures permitted under HIPAA without the prior authorization of the patient. These “exceptions” are specifically set forth in the statute, and an understanding of what is allowed can save a practice from heavy fines and the negative press associated with impermissible disclosures.
- Disclosures Relating to Law Enforcement and Crime. HIPAA permits certain disclosures relating to law enforcement and crime. Permitted disclosures include:
  - Responding to a law enforcement request about an incapacitated individual who is the victim of a crime;
  - Alerting law enforcement of a medical emergency in connection with the commission of a crime;
  - Revealing the name, address, date of birth, and similar information in connection with a law enforcement request to locate a suspect, fugitive, material witness, or missing person;
  - Reporting instances of abuse, neglect, or domestic violence.
- Disclosures Relating to Public Health & Oversight. Covered entities are permitted to disclose PHI to the following with regard to public health administration and oversight:
  - Public health entities authorized by law to collect population data;
  - Individuals who may have been exposed to certain communicable diseases, as may be required by state or federal law;
  - Government benefit program administrators requiring health information to determine program eligibility.
- Disclosures Relating to Judicial and Administrative Proceedings. HIPAA permits covered entities to disclose PHI in response to the following:
  - Court orders;
  - Subpoenas; and
  - Discovery requests.
Providers should note that the law only allows for those disclosures specifically requested in the aforementioned orders.
The above list is by no means exhaustive, and many of the permitted disclosures discussed above are themselves subject to various exceptions. In addition to the restrictions set forth in HIPAA, providers should also be cognizant of state law requirements and restrictions that may be stricter than those found in the federal law. Therefore, be sure to consult with counsel to determine whether a request to disclose PHI without the patient’s authorization complies with applicable HIPAA requirements.