Shasta Regional Medical Center Pays $275,000, Enters into Corrective Action Plan to Resolve Alleged HIPAA Privacy Rule Violations Stemming from Disclosures to the Media

more+
less-

Shasta Regional Medical Center (Shasta) has agreed to pay $275,000 and enter into a corrective action plan (CAP) with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to resolve allegations that it improperly disclosed a patient’s protected health information (PHI) to the media, and impermissibly used the patient’s PHI in a mass e-mail sent by Shasta senior leadership to its workforce members without a valid, written authorization.  OCR initiated an investigation of Shasta on January 6, 2012 – just two days after publication of an article in the Los Angeles Times (LA Times) reporting that several of Shasta’s senior leaders had met with the media to discuss medical services provided to a patient without authorization. 

According to OCR’s investigation, Shasta engaged in conduct in December 2011 demonstrating that it had failed to safeguard the patient’s PHI.  Specifically, Shasta sent a letter via its parent company, Prime Healthcare Services, to California Watch, an investigative reporting outlet focused on California issues, in response to a story regarding alleged Medicare fraud.  The letter described the patient’s treatment and provided specific information about her laboratory test results in an effort to discredit the story.  In addition, Shasta leaders met with editors of The Record Searchlight, a local Redding, California, newspaper, to discuss the patient’s medical record in detail.  Subsequently, Shasta sent a letter to the LA Times containing detailed information about the patient’s medical treatment, and, that same day, sent an e-mail to its entire workforce and medical staff describing the patient’s medical condition and treatment.

Under the CAP, Shasta must update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and must train its workforce members.  In addition, fifteen other facilities under the same ownership or operational control as Shasta must attest to their understanding of permissible uses and disclosures, including disclosures to the media.  Shasta did not admit to any liability under the Resolution Agreement.  For a copy of the OCR press release, please click here.  For a copy of the Resolution Agreement and CAP, please click here

Reporter, Kerrie S. Howze, Atlanta, +1 404 572 3594, khowze@kslaw.com.

Topics:  Corrective Actions, Disclosure, HHS, Media, OCR, Penalties, PHI

Published In: Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »