The Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) recently came to a $275,000 data breach resolution agreement with Prime Healthcare of California, but HHS said it would remain until silent Prime completed the payment. With the payment now made, OCR posted the resolution agreement yesterday and detailed the findings from its investigation.
According to the OCR press statement, it found that SRMC failed to safeguard patients’ protected health information (PHI) from impermissible disclosure by intentionally leaking PHI to multiple media outlets on at least three separate occasions without a valid written authorization. Specifically, it found Shasta Regional Medical Center (SRMC), a Prime Healthcare organization, to be negligent in these areas:
A) From December 13 – 20, 2011, SRMC failed to safeguard the Affected Party’s PHI from any impermissible intentional or unintentional disclosure on multiple occasions as described below. This failure was evidenced by the following facts:
i) On December 13, 2011, SRMC sent a letter, through its parent company, to California Watch, responding to a story concerning Medicare fraud. The letter described the Affected Party’s medical treatment and provided specifics about her lab results. SRMC did not have a written authorization from the Affected Party to disclose this information to this news outlet.
ii) On December 16, 2011, two of SRMC’s senior leaders met with The Record Searchlight’s editor to discuss the Affected Party’s medical record in detail. SRMC did not have a written authorization from the Affected Party to disclose this information to this newspaper.
iii) On December 20, 2011, SRMC sent a letter to The Los Angeles Times, which contained detailed information about the treatment the Affected Party received. SRMC did not have a written authorization from the Affected Party to disclose this information to this newspaper.
B) SRMC impermissibly used the affected party’s PHI. This failure was evidenced by the following facts:
i) On December 20, 2011, SRMC sent an email to its entire workforce and medical staff, approximately 785-900 individuals, describing, in detail, the Affected Party’s medical condition, diagnosis and treatment. SRMC did not have a written authorization from the Affected Party to share this information with SRMC’s entire workforce and medical staff.
C) SRMC has failed to sanction its workforce members pursuant to its internal sanctions policy which requires that it sanction employees for “violations of HIPAA”.
Corrective Action Plan (CAP)
SRMC agreed to the following as part of its CAP:
Policies and Procedures
SRMC shall develop, maintain and revise, as necessary, its written policies and procedures (“Policies and Procedures”) applicable to all of its facilities and subsidiaries to comply with the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”). SRMC shall also distribute such Policies and Procedures to all workforce members at all of its facilities and subsidiaries who use and disclose PHI within sixty (60) calendar days of HHS’s approval of such Policies and Procedures.
Safeguards Implementation Specifications
SRMC needs to implement instructions and procedures that address appropriate administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure (a) for media inquiries and (b) that define PHI as it relates to individually identifiable health information (IIHI).
SRMC must have protocols for training all members of SRMC’s workforce who use and disclose PHI to ensure that they know how to comply with the Policies and Procedures.
All workforce members who use or disclose PHI shall receive specific training related to the Policies and Procedures. Within ninety (90) days of the implementation of the Policies and Procedures. SRMC shall provide such training to each new member of the workforce within thirty (30) calendar days of the workforce member’s beginning as a workforce member
“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” said OCR Director Leon Rodriguez said in the OCR press release. “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”