A not-for-profit health care system recently agreed to pay the Department of Health and Human Services (HHS) $2.4 million as part of a settlement over potential Health Insurance Portability and Accountability Act (HIPAA) violations. The incident at issue involved the system releasing a patient’s name to the press, consumer advocacy groups, and politicians following a highly-publicized event at a clinic.

The lesson: covered entities and business associates should educate their public relations staff and leadership about what qualifies as “protected health information” (PHI) and that PHI may be disclosed only as permitted by HIPAA, regardless of whether the information is already known publicly.

Read the full article here.