Another Painful Lesson in Patient Privacy
By David Briggs
A southern California case should put all health care providers on notice that they need to ensure patient privacy at all times. However, as Shasta Regional Medical Center (“SRMC”) learned, that may mean that you have to tie one hand behind your back in the middle of a PR fight.
In June, HHS’s Office for Civil Rights (“OCR”) announced that SRMC agreed to a $275,000 fine and to a corrective action plan aimed at updating its policies and providing training for its staff. Unlike many of OCR’s fines, which typically involve breaches of the privacy of hundreds of patients, this case involved the breach of a single patient’s PHI.
The case stems from an incident that occurred in January 2012 when the Los Angeles Times ran a story about an SRMC patient who claimed that SRMC billed her for services that she never received. SRMC denied the patient’s allegations and took the patient’s medical file to several media outlets to show that the patient received the services in question.
Also in response to the LA Times’ story, SRMC sent an email to its entire workforce stating that the patient had been treated by SRMC and had received the services in question.
OCR investigated the disclosure of the patient’s PHI. SRMC admitted that it did not have a signed authorization from the patient (as is required prior to the release of a patient’s PHI), but argued that it should be allowed to disclose the information because the patient had publicly raised the issue and SRMC’s response was a reasonable rebuttal of a damaging public story. Of course, OCR disagreed that SRMC’s disclosure of patient PHI fell into a “gray” area of patient privacy.
Notably, OCR focused not only on the disclosure of the patient’s PHI to the press, but also on SRMC’s internal PR campaign. The penalties imposed on SRMC were based, in part, on the fact that SRMC’s entire workforce did not need to know about the patient’s personal health information or billing history.
In addition to the fine and the requirement to correct its policies and procedures, OCR required that SRMC submit those new policies and procedures to OCR for review and approval and provide OCR with annual reports on its compliance. While the penalty certainly was not light, SRMC was able to avoid even stricter sanctions, which would have imposed an outside monitor and site inspections.
Providers can learn a number of lessons from SRMC:
- Providers cannot disclose PHI without a patient’s authorization, even if the patient has already spoken publicly about the medical condition or the billing dispute;
- OCR investigates all breaches affecting 500 or more individuals. However, in some cases, OCR will also investigate smaller breaches, even a breach involving a single patient, where there is good cause to do so; and
- Not every employee needs to be a privacy officer, but everyone needs to be trained on your policies and procedures and on how to spot issues that should be escalated to your privacy officer.
Contact David Briggs at Saalfeld Griggs for more information about getting your policies and procedures up to date, and about getting your workforce additional training on these issues.