Shasta Regional slapped with $275K HIPAA fine

Shasta Regional Medical Center (SRMC) agreed to pay $275,000 and undertake a corrective action plan after a Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigation uncovered HIPAA violations stemming from unauthorized disclosure of a patient’s personal health information.  

The HHS notified the center of a compliance review on Jan. 6, 2012--two days after a Los Angeles Times article indicated that SRMC senior leaders met with the media to discuss the medical services provided to a patient without valid written authorization, according to the resolution agreement.

The leaders had met with media to respond to allegations of Medicare fraud in a California Watch story, which had cited the SRMC’s high billing rate for kwashiorkor, which is a form of malnutrition. In that story, the patient had denied receiving treatment for kwashiorkor, and the leaders sought to explain the billing by disclosing the patient’s health record, according to a Jan. 18, 2013 California Watch article on the investigation.  

On three separate occasions, SRMC disclosed the patient's information, according to the agreement. In two cases, the leaders shared with media the patients’ medical treatment and lab results without written authorization from the patient. SRMC also sent an email to its entire workforce of approximately 785 to 900 individuals, explaining the patient’s medical condition, diagnosis and treatment.

“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” said OCR Director Leon Rodriguez in a June 13 press release on the matter. “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”