Health Insurance Portability and Accountability Act enforcement continues

On June 13 2013 the Department of Health and Human Services announced that Shasta Regional Medical Centre (SRMC) had agreed to pay $275,000 and enter into a one-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act Privacy Rule. The settlement relates to allegations that SRMC intentionally and without permission disclosed a patient's protected health information to media sources and its entire workforce.⁽¹⁾

The Department of Health and Human Services Office for Civil Rights (OCR) initiated a compliance review of SRMC after the Los Angeles Times published an article indicating that two SRMC executives provided media outlets with detailed information about a patient's medical condition without the patient's written authorisation. During its investigation, OCR discovered that SRMC had also emailed details of the patient's medical condition, diagnosis and treatment to its workforce of approximately 785 to 900 individuals. As a result of these findings, OCR determined that SRMC had:

• failed to safeguard the patient's protected health information from impermissible disclosure;
• impermissibly used the patient's protected health information; and
• failed to discipline the employees who made the disclosures pursuant to its internal punitive policy.

"When senior level executives intentionally and repeatedly violate [the Health Insurance Portability and Accountability Act] by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior," said OCR Director Leon Rodriguez. In addition to the settlement amount, the corrective action plan requires SRMC to:

• revise and distribute its policies and procedures on safeguarding protected health information;
• obtain compliance certifications from its workforce;
• conduct protected health information-related training for employees; and
• report any violations of these policies to the Department of Health and Human Services.

The corrective action plan also requires 15 hospitals and medical centres under the same ownership or operational control to attest that they understand that:

• protected health information is protected by the Privacy Rule even if such information is already in the public domain or even though it has been disclosed by the individual; and
• disclosures of protected health information in response to media inquiries are permissible only pursuant to a signed Health Insurance Portability and Accountability Act authorisation.

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enforcement of the Health Insurance Portability and Accountability Act has been on the rise. There have been 11 settlements and one case involving the imposition of civil monetary penalties since the passage of HITECH, in comparison to only two settlements in the years preceding the HITECH amendments. Covered entities and business associates should bear in mind these enforcement activities and take precautions to reduce impermissible or unauthorised uses or disclosures of protected health information in violation of the Health Insurance Portability and Accountability Act Privacy and Security Rules.

For further information on this topic please contact Anna Spencer at Sidley Austin LLP's Washington DC office by telephone (+1 202 736 8600), fax (+1 202 736 8711) or email ([email protected]). Alternatively, please contact Meena Datta at Sidley Austin LLP's Chicago office by telephone (+1 312 853 7000), fax (+1 312 853 7036) or email ([email protected]).

Endnotes

(1) The full text of the Department of Health and Human Services Resolution Agreement is available at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.