Employment Law Blog - Lucky 13 - The Office of Civil Rights Enters into its 13th Corrective Action Plan


Charged with enforcing HIPAA and chided along by Congress to do a more proactive enforcement job, the Office of Civil Rights at HHS has entered into its 13th Corrective Action Plan for a covered entity. Shasta Regional Medical Center in Redding, CA was investigated for issues relating to the release of medical information to media outlets and its internal workforce without permission of the patient. Specifically, the allegations were that Randall Hempling, the CEO of Shasta, and the Chief Medical Officer, Dr. Marsha McCampbell, met with media representatives to discuss information which had been released by patient, Darlene Courtois, to California Watch alleging inappropriate billing practices.

In an attempt to refute Ms. Courtois and California Watch’s statements, Shasta sent a letter through its parent company to California Watch and the correspondence contained very specific information regarding Ms. Courtois’ medical treatment. Some three days later, the senior managers met with the Record Search Light to discuss the issues again and then on December 20, 2011, sent a letter to the Los Angeles Times. The LA Times letter again detailed Ms. Courtois’ medical treatment in an effort to dispute her allegations of inappropriate billing. In addition to these media discussions, on December 20, 2011, Shasta sent an email to its entire workforce and medical staff, somewhere between “785-900 individuals describing in detail, the affected party’s medical condition, diagnosis and treatment”, in what might be deemed a clear violation of the minimum necessary standard.

By entering into this agreement Shasta is not admitting liability for the HIPAA breaches but is required to meet a wide variety of terms and conditions including the appointment of a Compliance Representative, payment of $275,000 as a “resolution amount”, which is a fine by any other name.” Further Shasta’s charged to “develop, maintain and revise as necessary its written policies and procedures . . .”

In order to meet the requirements of HIPAA, both privacy and security, such policies and procedures have to be submitted to HHS for review and approval. Further the policies and procedures have to be distributed and assessed, updated and revised as necessary. Of particular interest in this matter is the fact that OCR was very concerned about Shasta’s failure to “sanction its workforce members pursuant to its internal sanctions policy which requires that it sanction employees for “violations of HIPAA”.

The issue of taking HIPAA violations seriously, as well as workforce sanctions, appropriate security evaluations, training and policies are all becoming critical issues for any OCR review or audit. It is not technology; it’s the people that use it.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Brown Law Firm | Attorney Advertising

Written by:


Davis Brown Law Firm on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.