Last week a regional California medical center entered a $275,000 settlement for disclosing patient information to the media, spotlighting HIPAA’s tight rein over covered health providers even when they try to defend their reputations against fraud allegations. On June 13, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new settlement with Shasta Regional Medical Center (“SRMC”) related to the medical center’s use and disclosure of protected health information while attempting to rebut media reports of alleged Medicare fraud. The settlement includes a one-year corrective action plan covering 16 facilities and serves as a sharp reminder that under HIPAA, a covered entity often cannot use or disclose protected health information to respond to allegations without patient authorization, even if the information is publicly known or was disclosed by the patient.

The settlement stems from a 2011 media report alleging Medicare fraud. In response, SRMC allegedly disclosed protected health information to substantiate that it provided and billed for appropriate medical services. Senior leadership also allegedly sent an e-mail to its entire workforce and medical staff of 785 to 900 persons detailing the patient’s medical information in response to the media attention. According to the resolution agreement, SRMC also allegedly failed to sanction any employees for HIPAA violations related to the incident.

Of note, the resulting corrective action plan runs one year, rather than the three years typical of OCR settlements, and does not require external monitoring, but it applies to all 16 health care providers under common ownership or control.

Health care providers are in a very tough position when responding to allegations involving patient care or patient complaints. There is no express HIPAA permission for publicly responding to media reports or patient complaints. Accordingly, no matter what a patient or others allege about a covered entity, the covered entity may not be able to use or disclose protected health information to respond. In fact, a provider merely confirming that a patient received any services may raise HIPAA compliance issues. The same is true for social media and Internet ratings websites, where dissatisfied patients can cause substantial reputational harm with the covered entity having limited opportunity to respond under HIPAA.

Accordingly, covered entities should consider training appropriate staff on the limits of responding to media requests and public patient complaints. In most instances, a covered entity may not be able to respond with anything more than “no comment” or “HIPAA limits our ability to respond to these allegations.” The health care provider also should consider whether it can respond without using or disclosing patient information. If a matter reaches the courts, HIPAA provides the covered entity more flexibility to respond to the allegations through the court proceeding.