Charged with enforcing HIPAA and chided by Congress to take a more proactive approach to enforcement, the Office of Civil Rights at HHS has entered into its 13th Corrective Action Plan with a covered entity. Shasta Regional Medical Center in Redding, CA was investigated for issues relating to the release of medical information to media outlets and to its internal workforce without the patient's permission. Specifically, the allegations were that Randall Hempling, the CEO of Shasta, and the Chief Medical Officer, Dr. Marsha McCampbell, met with media representatives to discuss information that a patient, Darlene Courtois, had released to California Watch alleging inappropriate billing practices.
In an attempt to refute Ms. Courtois’ and California Watch’s statements, Shasta sent a letter through its parent company to California Watch, and the correspondence contained very specific information regarding Ms. Courtois’ medical treatment. Some three days later, the senior managers met with the Record Searchlight to discuss the issues again, and then on December 20, 2011, sent a letter to the Los Angeles Times. The LA Times letter again detailed Ms. Courtois’ medical treatment in an effort to dispute her allegations of inappropriate billing. In addition to these media discussions, on December 20, 2011, Shasta sent an email to its entire workforce and medical staff, somewhere between “785-900 individuals describing in detail, the affected party’s medical condition, diagnosis and treatment”, in what might be deemed a clear violation of the minimum necessary standard.
By entering into this agreement, Shasta is not admitting liability for the HIPAA breaches but is required to meet a wide variety of terms and conditions, including the appointment of a Compliance Representative and payment of $275,000 as a “resolution amount”, which is a fine by any other name. Further, Shasta is charged to “develop, maintain and revise as necessary its written policies and procedures . . .”
In order to meet the requirements of HIPAA, both privacy and security, such policies and procedures have to be submitted to HHS for review and approval. Further, the policies and procedures have to be distributed and assessed, and updated and revised as necessary. Of particular interest in this matter is the fact that OCR was very concerned about Shasta’s failure to “sanction its workforce members pursuant to its internal sanctions policy which requires that it sanction employees for ‘violations of HIPAA’”.
Taking HIPAA violations seriously, along with workforce sanctions, appropriate security evaluations, training and policies, is becoming critical in any OCR review or audit. It is not the technology; it’s the people who use it.