$275,000 Settlement in HIPAA Privacy Case

Prime Healthcare Settles with HHS

June 17, 2013.

Prime Healthcare Services, a 23-hospital system based in California, has agreed to pay $275,000 as part of a federal resolution agreement in a HIPAA privacy case at one of its hospitals.


The agreement stems from a December 2011 incident that involved officials at Shasta Regional Medical Center in Redding, Calif., discussing details of a patient's medical record and treatment with several media outlets without the individual's permission, according to the Department of Health and Human Services' Office for Civil Rights. In addition, hospital officials sent an e-mail to hundreds of its employees discussing details of that patient's medical records, according to the resolution agreement OCR released on June 14.

The hospital made the disclosures when responding to an article that appeared in one media outlet about alleged Medicare overbilling, which featured and named one of its patients.

According to the resolution agreement, Prime Healthcare Services sent a letter to a publication in response to a story about Medicare fraud. "The letter described the [patient's] medical treatment and provided specifics about her lab results. Shasta did not have a written authorization from the [patient] to disclose this information to this news outlet," the agreement states.

The agreement also describes the hospital's subsequent disclosures about the patient to other media outlets, as well as the e-mail hospital officials sent to its workforce.

"Shasta Regional has failed to sanction its workforce members pursuant to its internal sanctions policy, which requires that it sanction employees for violations of HIPAA," the agreement also notes.

Besides the monetary payment, the resolution agreement includes a corrective action plan that requires the hospital to update its HIPAA policies and procedures and provide HIPAA training to its staff.

The corrective action plan says the hospital's procedures and policies must address appropriate administrative, technical and physical safeguards to protect PHI. That includes protecting PHI from any "intentional or unintentional use or disclosure and for media inquiries."

No Admissions

In a statement, Prime Healthcare Services notes that the hospital, in the resolution agreement, does not admit any wrongdoing regarding violations of patient privacy.

"Prime Healthcare and Shasta Regional firmly believe they would have prevailed in this matter based upon the merits," according to the statement. "In view of the unnecessary expense to both Shasta and to the taxpayers of the United States," the company and OCR reached an agreement to settle the matter, the statement notes.

Last year, the state of California fined Shasta Regional Medical Center $95,000 for alleged privacy violations in the same case, which Prime Healthcare is appealing.

PHI Confusion

Many healthcare organizations lack awareness of what data is considered protected health information under the HIPAA Privacy Rule, as this case appears to illustrate, says privacy and security consultant Kate Borten of The Marblehead Group.

"Unfortunately, too many healthcare organizations today are still mistaken about what constitutes PHI," Borten says. "I often read policies and training content that [mistakenly] define PHI through a list of direct identifiers, suggesting that without them, information can't be PHI."

Hospitals often fail to carefully examine how patients' identities can be revealed through their demographic, medical diagnosis and treatment information, even if their names aren't disclosed, she points out.

Ramping Up Enforcement

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
