
Public Still Must Be Kept Private Under HIPAA

By Glory Francke, Adam H. Greene, and Rebecca L. Williams
05.16.17

A not-for-profit health care system recently agreed to pay the Department of Health and Human Services (HHS) $2.4 million as part of a settlement over potential Health Insurance Portability and Accountability Act (HIPAA) violations. The incident at issue involved the system releasing a patient’s name to the press, consumer advocacy groups, and politicians following a highly-publicized event at a clinic. The lesson: covered entities and business associates should educate their public relations staff and leadership about what qualifies as “protected health information” (PHI) and that PHI may be disclosed only as permitted by HIPAA, regardless of whether the information is already known publicly.

(Not a) Routine Check-In

The HIPAA settlement concerned the alleged disclosure of one patient’s identity without her consent. According to various published reports, the patient in question checked in for a follow-up visit with her OB/GYN. After a staffer escorted her to an exam room, a waiting police officer handcuffed her and brought her to the county jail. The issue? A falsified driver’s license and other false identification.

During check-in, a clinic staff member thought the patient’s driver’s license looked suspicious. The office called the licensing bureau of the Texas Department of Public Safety (DPS), which instructed the office to contact local law enforcement. After confirming the false license number, local law enforcement decided to arrest the patient.

The clinic complied with HIPAA up to this point: HIPAA’s privacy rule allows providers to report PHI—which would include driver's license information—if it is believed to be evidence of a crime that occurred on the entity’s premises.

But the arrest sparked protests and criticism. The patient was an undocumented immigrant, but she had health insurance under her husband’s private plan. Her crying, eight-year-old US-born daughter witnessed the arrest. Immigrant advocates questioned whether the arrest would have a chilling effect on other undocumented immigrants seeking medical care.

What Went Wrong under HIPAA
 
The health care system responded to its critics with a press release, calling the incident “unfortunate” and citing “quality and safety reasons” for the procedure that led to calling the DPS. The press release also named the patient.

About two months later, HHS initiated a compliance review of the health care system based on multiple media reports indicating it disclosed the patient's PHI to the media and various public officials without the patient’s authorization. According to the resolution agreement, the health system appeared to be responsible for the following:

  1. Knowingly and intentionally failing to safeguard PHI in its possession.
  2. Impermissibly disclosing the patient’s PHI through press releases, meetings with an advocacy group, state representatives, and a state senator, and by posting a statement on its website.
  3. Failing to document the sanctions it imposed on employees who failed to comply with the system’s privacy policy and HIPAA.

Key Takeaways

This case provides the following HIPAA compliance lessons:

  • If you think it might be PHI, it probably is: Train your staff – including those in public affairs, government relations, and leadership – that HHS can interpret PHI broadly to include any information that identifies someone as a patient. When in doubt, leave the information out.
  • Public knowledge is no excuse: Even if someone (such as the media) knows an individual was a patient, a provider cannot release additional PHI or even confirm that the individual was a patient without a valid basis under HIPAA.
  • HIPAA protects everyone: HIPAA protects every patient’s PHI regardless of immigration status or potentially criminal acts, even if the act was committed on the covered entity’s premises.
  • Follow-up is critical: The failure to take disciplinary action against personnel who did not follow policy may have accounted for a significant portion of the settlement amount (possibly more than the disclosures themselves). This highlights the importance of applying some sort of sanction any time there is a potential HIPAA violation. This can be retraining or a warning, so long as it is consistent with your sanctions policy.

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.