By Anna Kraus

The Department of Health and Human Services (HHS) announced on June 14 that it reached a settlement with Shasta Regional Medical Center (SRMC) in California over potential violations of the HIPAA Privacy Rule.  Under the settlement, SRMC agreed to pay $275,000 and implement a comprehensive corrective action plan (CAP).

HHS’s investigation was prompted by an article in the Los Angeles Times published in January 2012, which indicated that two of SRMC’s senior leaders met with the media to discuss the medical services provided to a particular patient without first obtaining a valid written authorization.  The investigation further revealed that:

  • SRMC impermissibly disclosed the patient’s protected health information to different media outlets on at least three occasions, without obtaining the patient’s authorization;
  • SRMC senior management sent an e-mail to the entire workforce that included details about the patient’s medical condition, diagnosis, and treatment; and
  • SRMC failed to sanction its workforce members for the impermissible disclosures pursuant to SRMC’s internal sanctions policy.

To settle the matter, SRMC (and several other health care facilities currently under the same ownership or operational control) agreed to pay $275,000 and implement a CAP. Among other things, the CAP requires SRMC to:

  • develop and distribute policies and procedures that comply with HIPAA privacy standards and address certain issues specified by HHS;
  • report violations of the policies and procedures to HSS; and
  • train workforce members on the policies and procedures.

This settlement is notable because it indicates that HHS’s enforcement activities may extend beyond a single covered entity to other covered entities under the same ownership or operational control. It also suggests that HHS will continue to use press reports as a basis for initiating investigations.