California medical center settles HIPAA violation for $275,000
June 19, 2013

HIPAA Law Alert

The Office for Civil Rights continues its HIPAA enforcement efforts with a $275,000 settlement with Shasta Regional Medical Center for violations of the HIPAA Privacy Rule.

On June 13, 2013, the U.S. Department of Health and Human Services (“HHS”) settled its investigation with the Shasta Regional Medical Center (“SRMC”) of California for a sum of $275,000, and the additional requirement of implementing a comprehensive corrective action plan (“CAP”) for potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.

The HHS Office for Civil Rights (“OCR”) reviewed SRMC’s practices after a Los Angeles Times article stated that two SRMC executives met with the media to “discuss medical services provided to a patient.” The OCR found that SRMC did not properly safeguard the patient’s protected health information (“PHI”) from December 13, 2011, through December 20, 2011, “from impermissible disclosure by intentionally disclosing PHI to multiple media outlets,” in three separate instances without the patient’s valid written authorization.

Specifically, SRMC:

  • Sent a letter to California Watch to respond to a media story about Medicare fraud, which included PHI about medical treatment and lab results.
  • Met with the Record Searchlight editor and disclosed PHI regarding the same matter.
  • Sent a letter to the Los Angeles Times, including detailed information about the treatment involved in the matter.
  • Sent an e-mail to approximately 785 to 900 of its employees, including information about the medical conditions, diagnosis, and treatment of the patient involved in the matter.
  • Failed to sanction its employees in accordance with its internal sanction policy.

In addition to the $275,000 monetary settlement, SRMC is required to implement a CAP. The CAP includes developing, maintaining, and revising all of its policies and procedures “to comply with the Federal standards that govern the privacy of individually identifiable health information,” and implementing such policies, including but not limited to “appropriate administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure”; training protocols for all employees; and an annual compliance report. The CAP also requires 15 other hospitals and medical centers under SRMC’s ownership to attest to their understanding of permissible uses and disclosures of PHI.

OCR Director Leon Rodriguez stated, “When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”

This settlement is another message to the health care industry that the OCR is serious about enforcing HIPAA.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.