Employment Law Blog - Lucky 13 - The Office of Civil Rights Enters into its 13th Corrective Action Plan


Charged with enforcing HIPAA and chided along by Congress to do a more proactive enforcement job, the Office of Civil Rights at HHS has entered into its 13th Corrective Action Plan for a covered entity. Shasta Regional Medical Center in Redding, CA was investigated for issues relating to the release of medical information to media outlets and its internal workforce without permission of the patient. Specifically, the allegations were that Randall Hempling, the CEO of Shasta, and the Chief Medical Officer, Dr. Marsha McCampbell, met with media representatives to discuss information which had been released by patient, Darlene Courtois, to California Watch alleging inappropriate billing practices.

In an attempt to refute Ms. Courtois and California Watch’s statements, Shasta sent a letter through its parent company to California Watch and the correspondence contained very specific information regarding Ms. Courtois’ medical treatment. Some three days later, the senior managers met with the Record Search Light to discuss the issues again and then on December 20, 2011, sent a letter to the Los Angeles Times. The LA Times letter again detailed Ms. Courtois’ medical treatment in an effort to dispute her allegations of inappropriate billing. In addition to these media discussions, on December 20, 2011, Shasta sent an email to its entire workforce and medical staff, somewhere between “785-900 individuals describing in detail, the affected party’s medical condition, diagnosis and treatment”, in what might be deemed a clear violation of the minimum necessary standard.

By entering into this agreement Shasta is not admitting liability for the HIPAA breaches but is required to meet a wide variety of terms and conditions including the appointment of a Compliance Representative, payment of $275,000 as a “resolution amount”, which is a fine by any other name.” Further Shasta’s charged to “develop, maintain and revise as necessary its written policies and procedures . . .”

In order to meet the requirements of HIPAA, both privacy and security, such policies and procedures have to be submitted to HHS for review and approval. Further the policies and procedures have to be distributed and assessed, updated and revised as necessary. Of particular interest in this matter is the fact that OCR was very concerned about Shasta’s failure to “sanction its workforce members pursuant to its internal sanctions policy which requires that it sanction employees for “violations of HIPAA”.

The issue of taking HIPAA violations seriously, as well as workforce sanctions, appropriate security evaluations, training and policies are all becoming critical issues for any OCR review or audit. It is not technology; it’s the people that use it.

Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Brown Law Firm | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.