Patient's PHI was emailed to nearly 900 company employees
Redding, Calif.-based Shasta Regional Medical Center, a Prime Healthcare Services hospital, has agreed to pay $275,000 to the Department of Health and Human Services to settle alleged HIPAA violations.
HHS' Office for Civil Rights opened a compliance review of the hospital following a January 2012 Los Angeles Times article, which detailed how two SRMC executives impermissibly disclosed a patient's protected health information to several local news outlets.
Following the investigation, OCR officials discovered that senior management at SRMC had also emailed the patient's medical condition, diagnosis and treatment data to its entire workforce, close to 900 individuals.
[See also: 10 largest HIPAA breaches of 2012.]
“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” said OCR Director Leon Rodriguez, in a press statement. “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”
In addition to the $275,000 monetary settlement, SRMC is required to update its policies and procedures on safeguarding PHI from impermissible uses and to train its workforce members. The corrective action plan also requires fifteen Prime Healthcare Services hospitals and medical centers to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.
[See also: Stanford reports fifth big HIPAA breach.]
The California Dept. of Public Health fined Prime Healthcare Services $95,000 for HIPAA violations regarding the incident back in November. In response to the state fines, which the company has appealed, Prime Healthcare spokesperson Edward Barrera said, "Shasta Regional Medical believes that disclosures, if any, were permitted under both federal and state law," as the Los Angeles Times reported in November.
Close to 22 million people have had their protected health information compromised according to HHS. To date, OCR has collected more than $15.5 million in HIPAA enforcement fines.