The U.S. Department of Health and Human Services (“HHS”) announced on June 13, 2013 that Shasta Regional Medical Center (“SRMC”) has agreed to pay $275,000 and enter into a one-year corrective action plan (“CAP”) to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The settlement relates to allegations that SRMC intentionally and without permission disclosed a patient’s protected health information (“PHI”) to media sources and SRMC’s entire workforce.
The HHS Office for Civil Rights (“OCR”) initiated a compliance review of SRMC after the Los Angeles Times published an article indicating that two SRMC executives provided media outlets with detailed information about a patient’s medical condition without the patient’s written authorization. During its investigation, OCR discovered that SRMC had also emailed details of the patient’s medical condition, diagnosis and treatment to its workforce of approximately 785-900 individuals. As a result of these findings, OCR determined that SRMC failed to safeguard the patient’s PHI from impermissible disclosure, impermissibly used the patient’s PHI, and failed to discipline the employees who made the disclosures pursuant to its internal sanctions policy.
“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” said OCR Director Leon Rodriguez. In addition to the settlement amount, the CAP requires SRMC to revise and distribute its policies and procedures on safeguarding PHI, obtain compliance certifications from its workforce, conduct PHI-related training for employees, and report any violations of these policies to HHS. The CAP also requires fifteen hospitals and medical centers under the same ownership or operational control to attest that they understand that (a) PHI is protected by the Privacy Rule even if such information is already in the public domain or even though it has been disclosed by the individual, and (b) disclosures of PHI in response to media inquiries are only permissible pursuant to a signed HIPAA authorization.
Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enforcement of HIPAA has been on the rise. There have been eleven settlements and one case involving the imposition of civil monetary penalties since the passage of HITECH, in comparison to only two settlements in the years preceding the HITECH amendments. Covered Entities and Business Associates should bear in mind these enforcement activities and take precautions to reduce impermissible or unauthorized uses or disclosures of Protected Health Information in violation of the HIPAA Privacy and Security Rules.
The full text of the HHS Resolution Agreement is currently available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf.