Los Angeles Times Article Results in $275,000 HIPAA Privacy Rule Fine

An article published in the L.A. Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The Privacy Rule forbids all covered entities – and their employees and business associates – from disclosing patients' health information to unauthorized persons. Whenever there is suspicion that the regulations are not being followed, the HHS Office for Civil Rights (OCR) conducts an investigation and compliance review.

The U.S. Department of Health and Human Services (HHS) was tipped off to potential Privacy Rule violations after two senior SRMC leaders met with the media and provided details of medical procedures performed on a specific patient. This unauthorized disclosure of the patient’s protected health information to the media was a direct violation of the Privacy Rule.

Patient consent must be obtained in writing before any PHI can be disclosed to a third party, and this was not the case at SRMC. The OCR discovered that information had been intentionally provided to the media on three separate occasions. The media disclosure exposed PHI to the widest audience, but the OCR also discovered that information about the patient’s condition, diagnosis and treatment had been emailed to the entire staff. Furthermore, the employees who disclosed this information were not sanctioned as required by SRMC's own internal sanctions policy.

Shasta Regional Medical Center has agreed to pay a settlement of $275,000 to the HHS for the HIPAA violations and must implement a corrective action plan. The plan ensures that SRMC implements the appropriate controls to protect PHI, such as updating policies and procedures to ensure that PHI is always protected and training the staff on its obligations under the HIPAA Privacy Rule.

SRMC is only one of a number of hospitals under the same operational control, and the 15 other healthcare facilities must also confirm that training has been provided and that their staff are aware of the HIPAA Privacy and Security Rules.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was introduced to protect the personal health information of patients, while making it easier for patients to obtain copies of their medical records. HHS Office for Civil Rights director, Leon Rodriguez, has sent a clear message to all HIPAA-covered entities advising them that the Privacy Rule will be enforced and prompt action taken against healthcare organizations that do not abide by the rules. “When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.