Remember the case of a patient whose PHI was disclosed to media by Shasta Regional Center and Prime Healthcare? If you don’t, just search this site for “Prime Healthcare,” and you’ll find a slew of coverage, including a $95,000 fine by California and a $275,000 settlement with OCR after they stubbornly insisted they had not violated HIPAA.

This week, Prime Healthcare and Shasta Regional Center issued a press release concerning the civil suit filed by the patient:

Prime Healthcare Services and Shasta Regional Medical Center announced today that a Superior Court jury vindicated the facility and its executives in a civil patient privacy case orchestrated by the SEIU-UHW as part of its corporate campaign against Prime Healthcare.

The case regarded an alleged violation of patient privacy rights at Shasta Regional Medical Center. The plaintiff had previously divulged her own medical records to the media, which printed and broadcast the information. The plaintiff’s daughter testified that a reporter showed up at a union meeting she attended with her mother and asked whether anyone wanted to share their medical information from Shasta Regional. At the behest of the union, the plaintiff agreed.

Prime Healthcare and Shasta Regional accurately contended that by this agreement, the patient had implicitly waived her privacy rights by giving the information to the media, which publicized it in newspapers across California and on television. A later review of the plaintiff’s medical records indicated that Shasta Regional personnel followed all state and federal guidelines related to patient care.

“A jury reviewed the facts and concluded that there was no public disclosure of private information, no violation of the plaintiff’s privacy rights and no harm to the patient by any of the executives, hospital, or Prime Healthcare,” said Troy Schell, general counsel. “This was part of SEIU-UHW’s malicious corporate campaign against the company and hospital. It’s a travesty that the union continues to focus on lies and corporate campaigns, wasting millions of dollars, rather than what is best for healthcare and communities. Prime Healthcare and Shasta Regional Medical Center remains committed to protecting patient rights, providing the highest quality of patient care and serving the community.”

That “vindication” has nothing to do with whether they violated HIPAA, of course, as there’s no private cause of action under HIPAA, even though we now have one case where HIPAA was used as the standard of care in deciding a privacy lawsuit.

So to repeat, lest Prime Healthcare and Shasta Regional continue with their b.s.: A patient can choose to divulge their information to the media. That does not give the covered entity the right to disclose their information under HIPAA. It really was – and is – a no-brainer, which is why although they may claim vindication, both the state and federal government pursued charges against them.

Without the transcript of the jury trial, it’s hard to know how the jury could possibly conclude that there was no violation of privacy when both the state and federal government had already determined that not only was there a violation, but the entities’ conduct was so severe that it warranted prosecution and/or a monetary penalty.

Can a state revoke a facility’s license if they willfully violate HIPAA and then continue to insist they’ve done nothing wrong? Probably not, but it’s a thought.
In a press release issued yesterday and posted today, HHS writes:

Shasta Regional Medical Center (SRMC) has agreed to a comprehensive corrective action plan to settle a U.S. Department of Health and Human Services (HHS) investigation concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The HHS Office for Civil Rights (OCR) opened a compliance review of SRMC following a Los Angeles Times article which indicated two SRMC senior leaders had met with media to discuss medical services provided to a patient. OCR’s investigation indicated that SRMC failed to safeguard the patient’s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review indicated that senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce. In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” said OCR Director Leon Rodriguez. “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”

In addition to a $275,000 monetary settlement, a corrective action plan (CAP) requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf
I don’t know if you can hear me, but I generally groan when I read a settlement that permits the party to make no admission of guilt. The FTC permits it, and HHS also permits it. I understand why they may choose to do that, but seriously, there are some breaches that are just so egregious that they demand a finding or acknowledgement of guilt.

Since January of last year, I’ve been covering the privacy debacle that is the Prime Healthcare/Shasta Regional Medical Center case (previous coverage here, here, here, here, and here, here). To say that I consider their conduct to be one of the most obvious cases of a knowing HIPAA breach would be to put it mildly, despite the entities’ denials of any wrongdoing and repeated assertions that their conduct is permissible.

Today, Chad Terhune of the Los Angeles Times reports that while they continue to appeal the state’s $95,000 penalty for the breach, they have reached a settlement with HHS over the breach:

Hospital chain Prime Healthcare Services Inc. has agreed to pay $275,000 to settle a federal investigation into alleged violations of patient privacy.

The case stemmed from allegations that Prime Healthcare and its Shasta Regional Medical Center violated patient confidentiality by sharing a woman’s medical files with journalists and sending an email about her treatment to nearly 800 hospital employees.

Last year, California regulators fined the Ontario hospital chain $95,000 for the unauthorized disclosure of medical information in this matter. The company said it’s appealing that state fine.

In the federal settlement announced Tuesday, Prime Healthcare did not admit to any wrongdoing. The company and hospital said they “firmly believe that they would have prevailed in this matter based upon the merits.” (emphasis added by me)

That statement is from their press release, where they wrote:

In reaching the agreement, SRMC admitted to no wrongdoing pertaining to the alleged violation of patient privacy. Prime Healthcare and SRMC firmly believe that they would have prevailed in this matter based upon the merits. However, in view of the unnecessary expense to both SRMC and to the taxpayers of the United States, they reached an agreement to settle the matter and pay $275,000 as a “Resolution Amount.”

Oh, they’re worried about expense to taxpayers? How considerate of them.

In light of their repeated public statements, I really really wish HHS had not settled this case. I realize that $275,000 may seem like a large fine given that it was “only” one patient whose data were intentionally disclosed, but to allow them to insist that they did nothing wrong is offensive.

Read more on the L. A. Times. As of the time of this posting, HHS has not posted any press release on its site with the settlement agreement, so I’ll have more on this later.
When the CEO of Prime Healthcare and Shasta Regional Medical Center disclosed patient records in trying to defend themselves against a media report, I immediately noted that without the patient’s consent, they could not do that. Despite what was so obvious to most of us, they defended their disclosure, claiming that the patient had waived her privacy rights by sharing her information with the media. My blog post, “Prime Healthcare defends its disclosure of patient records – are they begging for a federal and state prosecution or what?” provides my analysis and response to their defense.

The state Department of Public Health investigated and found that they had, indeed, violated HIPAA. In November, Prime and Shasta were fined $95,000 by the state for breaching patient confidentiality. Amazingly to some of us, Prime still insisted it had done nothing wrong and stated its intent to appeal the fine.

To date, it is not clear what, if anything, HHS has done about this case, but I wouldn’t be surprised if they, too, fine Shasta and Prime. I think it’s almost incumbent on them to do so, actually, as Prime’s repeated denials of wrongdoing need a very public and highly publicized smackdown to make sure that no one else does what Prime and Shasta did.

To add to their legal woes, the patient, Darlene Courtois, has filed a civil suit against Prime Healthcare in Shasta County Superior Court over the breach. California Watchdog has the story.

If Prime is smart, they’ll settle this case instead of trying to defend it. If this ever gets to a jury trial, I suspect a jury would come down with a huge award to the plaintiff to send a message that it is not okay for hospitals or systems to just share a patient’s records with the media or staff not involved in their care. But then, Prime hasn’t been particularly smart about this case since the get-go, it seems, so maybe I’ll just go grab some popcorn and wait to see what happens next.
If you’ve been reading my blog for a few years, you’ll likely remember the case where Shasta Regional Medical Center and Prime Healthcare Services disclosed a patient’s records to the media, claiming that because the patient had talked to the media, she had waived confidentiality. The case was initially reported in January, and I posted an update in May 2012, by which time the state had found that the hospital and Prime Healthcare Services had breached state patient confidentiality law (pdf). At that time, I wrote:

Back in January, I suggested that SRMC should probably shut up and not continue to try to defend its actions. The ruling by the state comes as no surprise to me. Nor, however, am I surprised to read that SRMC is appealing the finding. Do I expect to see fines over this one? You betcha. A “good faith belief” only cuts you some slack, not all.

Today, Chad Terhune reports:

State officials have fined hospital chain Prime Healthcare Services Inc. $95,000 for violating patient confidentiality by sharing a woman’s medical files with journalists and sending an email about her treatment to 785 hospital employees.

The California Department of Public Health levied the fine this month after determining in May that Shasta Regional Medical Center in Redding had five deficiencies related to the unauthorized disclosure of medical information on a diabetes patient treated there in 2010.

Prime Healthcare, based in Ontario, said it had appealed the state’s findings and penalties.

“Shasta Regional Medical believes that disclosures, if any, were permitted under both federal and state law,” company spokesman Edward Barrera said. “Shasta Regional Medical Center is committed to the privacy of its patients.”

Read more on the Los Angeles Times.

I think $95,000 is actually pretty low considering the severity and consequences of the breaches. And I’m flabbergasted that they’re still maintaining they did nothing wrong. But, wait. There’s more:

The state agency said it issued an additional $3,100 in fines in the case because the hospital failed to report the breach to the state and the patient in a timely manner.

Separately, the Department of Public Health fined Prime Healthcare $25,000 because a Shasta hospital employee inappropriately accessed a co-worker’s medical files in January while the person was being treated there.

The state’s report on that second breach can be found here (pdf). On a positive note, SRMC may not have prevented that breach, but they detected it fairly quickly through their own internal audits. Now if we could just work on prevention, right?

I’m waiting to see what HHS does (if it even does anything) about the release of the first patient’s data to the media and hospital employees. For my money, if I were HHS, I’d sock these folks with a really hefty fine because they still don’t seem to get that what they did was flat-out wrong.

This blog entry was corrected to reflect that the case first became public in January 2012.