$275,000 Settlement in HIPAA Privacy Case
Prime Healthcare Settles with HHS
Prime Healthcare Services, a 23-hospital system based in California, has agreed to pay $275,000 as part of a federal resolution agreement in a HIPAA privacy case at one of its hospitals.
The agreement stems from a December 2011 incident that involved officials at Shasta Regional Medical Center in Redding, Calif., discussing details of a patient's medical record and treatment with several media outlets without the individual's permission, according to the Department of Health and Human Services' Office for Civil Rights. In addition, hospital officials sent an e-mail to hundreds of its employees discussing details of that patient's medical records, according to the resolution agreement OCR released on June 14.
The hospital made the disclosures when responding to an article that appeared in one media outlet about alleged Medicare overbilling, which featured and named one of its patients.
According to the resolution agreement, Prime Healthcare Services sent a letter to a publication in response to a story about Medicare fraud. "The letter described the [patient's] medical treatment and provided specifics about her lab results. Shasta did not have a written authorization from the [patient] to disclose this information to this news outlet," the agreement states.
The agreement also describes the hospital's subsequent disclosures about the patient to other media outlets, as well as the e-mail hospital officials sent to its workforce.
"Shasta Regional has failed to sanction its workforce members pursuant to its internal sanctions policy, which requires that it sanction employees for violations of HIPAA," the agreement also notes.
Besides the monetary payment, the resolution agreement includes a corrective action plan that requires the hospital to update its HIPAA policies and procedures and provide HIPAA training to its staff.
The corrective action plan says the hospital's procedures and policies must address appropriate administrative, technical and physical safeguards to protect PHI. That includes protecting PHI from any "intentional or unintentional use or disclosure and for media inquiries."
In a statement, Prime Healthcare Services notes that the hospital, in the resolution agreement, does not admit any wrongdoing regarding violations of patient privacy.
"Prime Healthcare and Shasta Regional firmly believe they would have prevailed in this matter based upon the merits," according to the statement. "In view of the unnecessary expense to both Shasta and to the taxpayers of the United States," the company and OCR reached an agreement to settle the matter, the statement notes.
Last year, the state of California fined Shasta Regional Medical Center $95,000 for alleged privacy violations in the same case, which Prime Healthcare is appealing.
Many healthcare organizations lack awareness of what data is considered protected health information under the HIPAA Privacy Rule, as this case appears to illustrate, says privacy and security consultant Kate Borten of The Marblehead Group.
"Unfortunately, too many healthcare organizations today are still mistaken about what constitutes PHI," Borten says. "I often read policies and training content that [mistakenly] define PHI through a list of direct identifiers, suggesting that without them, information can't be PHI."
Hospitals often fail to carefully examine how patients' identities can be revealed through their demographic information, medical diagnoses and treatment details, even if their names aren't disclosed, she points out.
Ramping Up Enforcement
OCR has been ramping up HIPAA enforcement in recent months. The financial penalties in some recent cases include:
- A $400,000 penalty in May against Idaho State University's Pocatello Family Medicine Clinic in a case involving a disabled server that exposed data of 17,500 patients;
- A $1.5 million penalty in September 2012 against Massachusetts Eye and Ear Infirmary related to the theft of an unencrypted laptop; and
- A $1.7 million penalty in June 2012 against the Alaska Department of Health and Social Services in a case involving a small breach that led to an OCR investigation uncovering a number of HIPAA compliance deficiencies.