Unlawful Disclosure of PHI Reminds Us of the Importance of Training Staff

The $275,000 settlement concerning potential HIPAA violations between Shasta Regional Medical Center (SRMC) in Redding, Calif., and the Office for Civil Rights (OCR) originated when senior management impermissibly shared details about a patient's medical condition, diagnosis, and treatment in an email to the entire workforce.

OCR opened its compliance review following a Los Angeles Times article that indicated two SRMC senior leaders had met with media to discuss medical services provided to a patient. Shasta failed to safeguard the patient's PHI from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization.

"When senior-level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior," OCR Director Leon Rodriguez said in the HIPAA privacy and security enforcer's release. "Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients' rights are fully protected."

Prime Healthcare of Ontario, Calif., which owns Shasta, said in a press release the medical center admits to no wrongdoing pertaining to the alleged violation of patient privacy.

"Prime Healthcare and SRMC firmly believe that they would have prevailed in this matter based upon the merits," according to the release. "However, in view of the unnecessary expense to both SRMC and to the taxpayers of the United States, they reached an agreement to settle the matter."

"Unfortunately, too many healthcare organizations today are still mistaken about what constitutes PHI," says Kate Borten of the Marblehead Group. Many healthcare organizations lack awareness of what data is considered protected health information under the HIPAA Privacy Rule, as this case appears to illustrate.

Hospitals often fail to examine carefully how a patient's identity can be revealed through demographic, diagnosis, and treatment information, even when the patient's name is not disclosed.

Largest Settlements to Date

The OCR's largest settlements for HIPAA violations include:

  • CVS Caremark Co.: $2.25 million, February 2009
  • Alaska Medicaid: $1.7 million, June 2012
  • Blue Cross Blue Shield of Tennessee: $1.5 million, March 2012
  • MEEI: $1.5 million, September 2012
  • Rite Aid: $1 million, July 2010
  • Massachusetts General Hospital: $1 million, February 2011
  • The University of California at Los Angeles Health System: $865,500, July 2011
  • Idaho State University: $400,000, May 2013
  • Shasta Regional Medical Center: $275,000, June 2013