Memorial Hermann announced today that it has mailed notification letters to 12,061 Memorial Hermann employee group health plan (EGHP) members related to a privacy incident. The incident involves the disclosure of protected health information (PHI) to select primary care physicians (PCP) and is limited to the member’s demographic information only; no medical information was disclosed.
On May 16, 2016, a Memorial Hermann employee reported a potential improper use of her PHI to the Memorial Hermann Privacy Office. The employee received a letter from a PCP regarding the need for an annual physical. However, the employee had no prior relationship with the PCP or the PCP’s physician group.
Upon further investigation, it was determined that the PCP received the employee’s PHI, along with that of her dependents, from MHMD, the Memorial Hermann Physician Network. MHMD received that information from Memorial Hermann Health Solutions (Health Solutions). Among other activities, Health Solutions administers the EGHP.
The Health Solutions team generated enrollment files for the EGHP, including insured employees, and their spouses and dependents, if any. Based upon the member’s mailing address, each member was assigned by Health Solutions to a PCP who participated in the EGHP network and practiced within the member’s zip code. The member’s enrollment file was then provided to the assigned PCP by MHMD. The enrollment file that was the source of the current complaint was generated by Health Solutions on December 12, 2015.
As best as Memorial Hermann can determine and based on its comprehensive investigation of this incident, the physician assignment process was tied to an EGHP incentive that was discontinued as of July 1, 2014. Through claims and data analysis, Memorial Hermann determined that Health Solutions, via MHMD, delivered enrollment files to a PCP assigned by Health Solutions for 12,061 individual EGHP members. Those members either already had an established relationship with a PCP other than the PCP assigned by Health Solutions, or there was no justification to deliver the PHI to the PCP assigned by Health Solutions.
The PHI disclosed to the PCP was limited to demographic information only and included: the member’s ID, the member’s full name, the member’s phone number, the member’s date of birth, and the member’s last known mailing address. No member clinical or diagnostic information was disclosed to the assigned PCP.
Memorial Hermann advised, by separate notice, each EGHP member who may have been affected. Memorial Hermann has also requested that all assigned PCPs who received print-outs of the enrollment files from MHMD return or certify destruction of those print-outs.
Memorial Hermann has no reason to believe that any EGHP member’s information has been seriously compromised or that any member needs to take any additional steps to protect him or herself from future harm based upon the PCP assignment. The content of the enrollment files that was disclosed to the assigned PCP was limited to demographic data. Further, the recipients of the enrollment files were PCPs who are otherwise professionally obligated to protect the confidentiality of their patients or prospective patient information.
Please call the Memorial Hermann Privacy Office at 713-338-6921 or 1-800-621-4249, or email the Privacy Office at email@example.com, if you have any questions or to request additional information. You may also mail your requests to: Memorial Hermann Health System, 909 Frostwood, Suite 2.205, Houston, TX 77024, Attn: Privacy Officer
At Memorial Hermann, protecting and securing patient information is of the utmost importance. As such, Health Solutions no longer assigns a PCP to EGHP members. Memorial Hermann provides privacy training for all employees, and continuously reviews its privacy policies and practices in an effort to prevent something like this from happening in the future.