Disclosure of PHI

Disclosure of PHI was the theme for the month of May’s settlements. OCR continued their enforcement trend for 2017 with 2 more settlements announced in May. These stand out on their own because the focus is on specific disclosures of PHI rather than major breaches. A total of three patients were involved in these large settlements. This week we review what transpired and what OCR found as violations of privacy for these three patients.

HIPAA For MSPs by David Sims: Disclosure of PHI in May OCR settlements

In this episode:

Disclosure of PHI in May OCR settlements

Speaking Engagements

Topics for today

Memorial Hermann Health System settlement

OCR statement about MHHS settlement

St. Luke’s-Roosevelt Hospital Center Inc. NYC

OCR statement about the settlement

Memorial Hermann Health System (MHHS) – TX


  • On October 13, 2015, HHS initiated a compliance review of MHHS, based on multiple media reports that suggested that MHHS disclosed a patient’s protected health information (PHI) to the media and various public officials without the patient’s authorization.
  • In September 2015, a patient at one of MHHS’s clinics presented an allegedly fraudulent identification card to office staff. The staff immediately alerted appropriate authorities of the incident, and the patient was arrested.
  • MHHS subsequently published a press release concerning the incident in which MHHS senior management approved the impermissible disclosure of the patient’s PHI by adding the patient’s name in the title of the press release.


  • Between September 15, 2015, and October 1, 2015, MHHS knowingly and intentionally failed to safeguard PHI in its possession.
  • Between September 15, 2015, and September 19, 2015, MHHS impermissibly disclosed the patient’s PHI through press releases issued to fifteen media outlets and/or reporters.
  • Following the publications, MHHS’ senior leaders further disclosed the patient’s PHI during three meetings which occurred on September 17, September 21, and September 25, 2015, with an advocacy group, state representatives, and a state senator, in response to the events.
  • MHHS also disclosed the patient’s PHI in a statement on its website, between September 15, 2015, and October 1, 2015. MHHS did not obtain the patient’s written authorization to disclose the PHI.
  • MHHS failed to timely document the sanctioning of its workforce members for impermissibly disclosing the patient’s information.


  • 2-year compliance term
  • MHHS shall develop, maintain, and revise, as necessary, its written policies and procedures. The agreement defines the minimum content these must include regarding which disclosures are acceptable. Due within 60 days.
  • Get every workforce member to sign that they have read them
  • Make sure the whole workforce is trained on the P&P
  • Reportable events

    During the Compliance Term, MHHS shall, upon receiving information that a workforce member may have failed to comply with its Privacy, Security, and Breach Notification policies and procedures, promptly investigate this matter.
    If MHHS, after review and investigation, determines that a member of its workforce has failed to comply with its Privacy, Security, and Breach Notification policies and procedures, MHHS shall notify HHS in writing within thirty days. Such violations shall be known as Reportable Events.

Official statement from OCR

“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

Disclosure of PHI to the press has come up in cases before, including one in Los Angeles several years back when leadership defended themselves in a lawsuit by talking to reporters. That case also made it clear that you don’t have an implied consent to announce a name to the press unless the patient gave it to you or there are other extenuating circumstances, such as a law enforcement request.

St. Luke’s-Roosevelt Hospital Center Inc. NYC

Institute for Advanced Medicine, formerly Spencer Cox Center for Health (the Spencer Cox Center)


  • In September 2014, the HHS Office for Civil Rights (OCR) received a complaint alleging that a staff member from the Spencer Cox Center impermissibly disclosed the complainant’s protected health information (PHI) to the complainant’s employer.
  • This impermissible disclosure included sensitive information concerning
    • HIV status,
    • medical care,
    • sexually transmitted diseases,
    • medications,
    • sexual orientation,
    • mental health diagnosis, and
    • physical abuse.
  • OCR’s subsequent investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box.
  • Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident but had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures.
  • In the previous case, staff faxed a different patient’s records to an office where he volunteered.


  • Impermissibly disclosed PHI of two identified patients
  • Failed to reasonably safeguard two identified patients’ PHI from any intentional or unintentional disclosure during faxing, resulting in an impermissible disclosure of both patients’ PHI against their expressed instructions


  • 3-year compliance term
  • Written P&P on disclosures
  • Reviewed by the workforce
  • Workforce training
  • St. Luke’s shall not provide access to PHI to any member of its workforce if that workforce member has not signed or provided the written or electronic certification of training **within three (3) months of distribution of such policies and procedures** to the members of its workforce, but in any event no later than January 31, 2018.

Official OCR statement

“Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” said Roger Severino, OCR director. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards. In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”

Director Severino hit an interesting note for us: “cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI”. We JUST talked about this a few episodes ago in “Are we creating a crisis of trust in healthcare?”.

Disclosure of PHI in this case seemed almost negligent given how sensitive the information was. The Center clearly had procedures in place that allowed patients to place those kinds of limitations on how their information was sent. It is another disclosure of PHI that never should have happened if someone had taken the time to seriously worry about protected health information.

As OCR continues with these settlements, they have made it clear that we should all see these cases as examples of what NOT to do when protecting patient information. Disclosure of PHI can have serious repercussions for the patients involved. In Texas, a woman had her name mentioned over and over in the news by her provider. In New York City, multiple patients in a trusted HIV clinic may no longer trust that their information will be protected. These are not cases that happened years ago. These are settlements relating to cases from a couple of years ago.