$275,000 Settlement in HIPAA Privacy Case

Prime Healthcare Settles with HHS

Prime Healthcare Services, a 23-hospital system based in California, has agreed to pay $275,000 as part of a federal resolution agreement in a HIPAA privacy case at one of its hospitals.

The agreement stems from a December 2011 incident that involved officials at Shasta Regional Medical Center in Redding, Calif., discussing details of a patient's medical record and treatment with several media outlets without the individual's permission, according to the Department of Health and Human Services' Office for Civil Rights. In addition, hospital officials sent an e-mail to hundreds of its employees discussing details of that patient's medical records, according to the resolution agreement OCR released on June 14.

The hospital made the disclosures when responding to an article that appeared in one media outlet about alleged Medicare overbilling, which featured and named one of its patients.

According to the resolution agreement, Prime Healthcare Services sent a letter to a publication in response to a story about Medicare fraud. "The letter described the [patient's] medical treatment and provided specifics about her lab results. Shasta did not have a written authorization from the [patient] to disclose this information to this news outlet," the agreement states.

The agreement also describes the hospital's subsequent disclosures about the patient to other media outlets, as well as the e-mail hospital officials sent to its workforce.

"Shasta Regional has failed to sanction its workforce members pursuant to its internal sanctions policy, which requires that it sanction employees for violations of HIPAA," the agreement also notes.

Besides the monetary payment, the resolution agreement includes a corrective action plan that requires the hospital to update its HIPAA policies and procedures and provide HIPAA training to its staff.

The corrective action plan says the hospital's procedures and policies must address appropriate administrative, technical and physical safeguards to protect PHI. That includes protecting PHI from any "intentional or unintentional use or disclosure and for media inquiries."

No Admissions

In a statement, Prime Healthcare Services notes that the hospital, in the resolution agreement, does not admit any wrongdoing regarding violations of patient privacy.

"Prime Healthcare and Shasta Regional firmly believe they would have prevailed in this matter based upon the merits," according to the statement. "In view of the unnecessary expense to both Shasta and to the taxpayers of the United States," the company and OCR reached an agreement to settle the matter, the statement notes.

Last year, the state of California fined Shasta Regional Medical Center $95,000 for alleged privacy violations in the same case, which Prime Healthcare is appealing.

PHI Confusion

Many healthcare organizations lack awareness of what data is considered protected health information under the HIPAA Privacy Rule, as this case appears to illustrate, says privacy and security consultant Kate Borten of The Marblehead Group.

"Unfortunately, too many healthcare organizations today are still mistaken about what constitutes PHI," Borten says. "I often read policies and training content that [mistakenly] define PHI through a list of direct identifiers, suggesting that without them, information can't be PHI."

Hospitals often fail to carefully examine how patients' identities can be revealed through their demographic, medical diagnosis and treatment information, even if their names aren't disclosed, she points out.

Ramping Up Enforcement

OCR has been ramping up HIPAA enforcement in recent months. The financial penalties in some recent cases include:

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
