Los Angeles Times Article Results in $275,000 HIPAA Privacy Rule Fine

The L.A. Times published an article that set off a sequence of events which has now led to Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its breaches of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The Privacy Rule forbids all covered bodies – and their staff and business associates – from releasing health information of patients to unauthorized persons. Whenever there is a possibility that regulations are not being followed, the HHS Office for Civil Rights (OCR) carries out an investigation and compliance review.

The U.S. Department of Health and Human Services (HHS) was advised of potential Privacy Rule violations after two senior SRMC leaders met with the media and provided information about medical procedures performed on a specific patient. This unauthorized disclosure of the patient’s protected health data to the media was a direct breach of the Privacy Rule.

Patient consent must be received in writing before any PHI can be disclosed to a third party, and this was not the case at SRMC. The OCR found that information had been intentionally provided to the media three separate times. The media disclosure exposed PHI to the largest audience, although the OCR also discovered that data about the patient’s condition, diagnosis and treatment had been emailed to the entire workforce. Furthermore, employees were not cleared to disclose this information, as was stated in SRMC’s internal sanctions policy.

Shasta Regional Medical Center has agreed to pay a settlement of $275,000 to the HHS for the HIPAA breaches and must put in place a corrective action strategy. The plan ensures that SRMC implements the proper controls to safeguard PHI, such as updating policies and procedures to ensure that PHI is always secure and training the staff on its obligations under the HIPAA Privacy Rule.

SRMC is only one of a number of hospitals under the same central control and all 15 of the other healthcare facilities must also confirm that the necessary training has been provided and they are aware of all HIPAA Privacy and Security Rules.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was brought in to protect the personal health information of patients, while making it easier for people to obtain copies of their medical history. HHS Office for Civil Rights director, Leon Rodriguez, has sent a clear message to all HIPAA-covered bodies advising them that the Privacy Rule will be enforced and prompt sanctions applied against healthcare organizations that do not adhere to the rules. “When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior.”