HHS Continues to Sanction Health Care Entities for HIPAA Violations

posted in: Blog | 0

On June 13, 2013, the U.S. Department of Health and Human Services (HHS) announced the results of an investigation of a California hospital that illustrates the disastrous snowball effect a wrongful disclosure of protected health information can have on a health care entity.

HHS said this week that California based Shasta Regional Medical Center (SRMC) has agreed to a comprehensive corrective action plan to settle an HHS investigation concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The HHS Office for Civil Rights (OCR) opened a compliance review after a Los Angeles Times article indicated that two SRMC senior leaders had met with media to discuss medical services provided to a patient.

In December 2011, the California Watch news organization interviewed a Medicare patient that was treated at SRMC after she was hurt in a fall.  However, the article explained that SRMC billed Medicare for treating the patient for kwashiorkor, a dangerous form of malnutrition typically seen in famine victims.  Interestingly enough, the article stated that in the patient’s 63 page medical file, there was no mention of kwashiorkor, protein malnutrition, or any indication that she had been seen by a nutritionist or treated for malnutrition.  Rather, her medical record described her as “well developed and well nourished.”  SRMC’s reimbursement from Medicare was increased by more than $6,700 by adding treatment for kwashiorkor to the bill.  SRMC provided a written response to California Watch, which detailed the patient’s medical treatment and provided specifics about her lab results, without a valid written authorization.

California Watch offered its article for publication in the local newspaper, The Record Searchlight.  When the Record Searchlight contacted SRMC for a response, the SRMC CEO and CMO fatefully appeared with the patient’s medical record and proceeded to discuss it in detail with the newspaper’s editor, arguing that the patient did not accurately describe her experience to California Watch.  These disclosures were done without a valid written authorization required by HIPAA.  The local newspaper decided not to run the article based on that discussion, but the Los Angeles Times showed interest and published an article in early January 2012.

Before the Los Angeles Times article went to print, SRMC sent a letter to the Los Angeles Times which contained detailed information about the treatment of the patient.  In an apparent effort at damage control, SRMC also sent an email to its entire workforce and medical staff (about 785-900 individuals) describing the patient’s medical condition, diagnosis, and treatment.  Again, SRMC failed to obtain a HIPAA-required valid written authorization from the patient.

On January 4, 2012, the Los Angeles Times article explained that when the CEO was asked whether he had the patient’s written authorization to disclose information within her chart, he responded that he did not need it.  Furthermore, the article stated that the CEO claimed, “As far as we’re concerned, the patient gave that permission when she gave her records to California Watch and was quoted on the record.  That waived her privacy.”  SRMC also published a press release on January 4, 2012, claiming the same, “…that the patient had waived her HIPAA rights and that in fact, she wanted her medical information to be disclosed and examined.”

Two days later, on January 6, 2012, OCR notified SRMC that it was initiating a compliance review to determine whether there was a failure to comply with the requirements of the HIPAA Privacy Rule.

As a result of that investigation, OCR found that:

  • SRMC failed to safeguard the patient’s protected health information from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid authorization.
  • Senior SRMC management impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.
  • SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

In addition to the $275,000 monetary settlement, the corrective action plan requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members, among other requirements.  Unfortunately, the reputational harm that SRMC has suffered as a result of this debacle is unlikely to dissipate anytime soon.

TAKEAWAY

As this recent example of HIPAA enforcement clearly indicates, it is important to remember four things:

1)      Patients do not waive their privacy rights by speaking to others about their medical conditions.

2)      Periodically review HIPAA policies and procedures to ensure that they are up to date.

3)      Revise and adopt new policies and procedures where necessary (e.g. responding to medical inquiries from parties other than the patient or her designee.)

4)      Communicate these policies to your workforce through employee training.

At The Bittinger Law Firm, we are happy to offer guidance on HIPAA policies and procedures while tailoring HIPAA Manuals to meet the unique needs of covered entities.  Additionally, we can provide employees with HIPAA training on the latest modifications to the Privacy and Security Rule.

 

HHS Press Release:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement-press-release.html

 

HHS Resolution Agreement: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf

 

Los Angeles Times Articles

http://articles.latimes.com/print/2012/jan/04/business/la-fi-hiltzik-20120104

 

SRMC Press Release

https://s3.amazonaws.com/s3.documentcloud.org/documents/282360/col-reddy-hipaa-prime-response.pdf