HHS OCR announced today its second resolution agreement of 2013.  Shasta Regional Medical Center (SRMC) has agreed to pay $275,000 and enter into a comprehensive corrective action plan (CAP) to settle an investigation opened by HHS following a Los Angeles Times column identifying two SRMC leaders who met with media to discuss medical services provided to a patient.  The CEO and CMO revealed the patient’s full chart to the patient’s hometown newspaper, Redding Record Searchlight, and revealed the patient’s medical exam results to the Los Angeles Times.  The two SRMC leaders disclosed the patient’s information in response to a California Watch article regarding the federal and state investigations of Prime Healthcare, SRMC’s owner, for fraudulent billing under Medicare and Medi-Cal.  Senior management at  SRMC also disclosed the patient’s information to the entire SRMC workforce. 

Specifically, OCR’s investigation indicated that:

  • SRMC failed to safeguard the patient’s PHI from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions without a valid written authorization from the patient;
  • Senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis, and treatment in an e-mail to the entire workforce; and
  • SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy. 

In addition to the settlement amount, SRMC agreed to a corrective action plan (CAP) that includes a one year period of compliance obligations.  Specifically, the CAP requires SRMC to revise its policies and procedures to attain the following:

  • Provide guidance and procedures on appropriate administrative, technical, and physical safeguards to protect PHI from intentional or unintentional use or disclosure for (i) media inquiries and (ii) that define PHI as it relates to individually identifiable health information;
  • Train SRMC workforce members who use and disclose PHI to ensure that they know how to comply with SRMC’s revised policies and procedures;
  • Provide guidance and procedures that address permissible and impermissible uses and disclosures of PHI (i) for media inquiries, (ii) workforce members who are not involved in an individual’s care, and (iii) that define PHI as it relates to individually identifiable health information;
  • Apply sanctions against SRMC workforce members who fail to comply with SRMC’s revised policies and procedures; and
  • Provide guidance and procedures regarding (i) what is individually identifiable health information and PHI, including what is required for PHI to be unidentified; (ii) communicating with, and respond to, media, including in regarding to patient-related inquiries, and (iii) sharing of patient PHI within SRMC, including sharing of patient PHI with SRMC workforce members not involved in the provision of or payment of care.

In addition, 15 hospitals and medical centers in California, Nevada, Pennsylvania, and Texas under the same ownership and operational control as SRMC must submit affidavits attesting to their understanding of restrictions on uses and disclosures related to media inquiries. 

SRMC’s resolution agreement, OCR’s fourteenth resolution agreement to date since 2008, brings OCR’s civil monetary penalty total to $15.2M.  The SRMC resolution agreement falls within the two types of action/inaction categorized by Director Rodriguez in May 2013 as ending up in an OCR monetary enforcement scenario:  (1) an ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) an unforgivable disclosure.