Shasta Regional Medical Center in Redding, Calif., will pay a $275,000 fine and implement a corrective action plan under a resolution agreement it signed with the HHS Office for Civil Rights following violations of patient privacy.

The resolution agreement and corrective action plan covers not just Shasta Regional, but 15 other hospitals owned or operated by parent company Prime Healthcare Services, which has 23 hospitals under its banner. The hospitals also must attest to their understanding of permissible uses and disclosures of protected health information, according to OCR.

California Watch, an investigative reporting organization, was working on a story about aggressive Medicare billing practices at Shasta Regional, including frequent billing of treatment to senior citizens for kwashiorkor, which is serious malnutrition that is generally seen in children during famines. California Watch interviewed a patient billed for kwashiorkor treatment that was in the hospital for diabetes treatment and was overweight. California Watch did not identify the patient in a subsequent story, but the hospital put the pieces together and made the identification.

Hospital CEO Randall Hempling then tried to undermine California Watch’s story by sending an email to virtually every employee and physician in the hospital, up to 900 in total, that disclosed information in the patient’s medical record, the news service reported on Nov. 28. Hempling and the CMO also took the patient’s records to a local newspaper and at least two other media outlets in an attempt to dissuade the editor from publishing California Watch’s story.  Among other information, the file showed the patient had received a nutritional consultation, which justified the kwashiorkor billing, according to the news service. Medical records the patient requested did not note malnutrition. The local newspaper did not run a story, but the San Francisco Chronicle and The Orange County Register published stories.

“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” OCR Director Leon Rodriguez said in an announcement of the agency’s actions. “Senior leadership helps defines the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”

The OCR resolution agreement is available here.

The California Department of Public Health in November 2012 issued its own verdict on Shasta’s conduct, fining the hospital $95,000 and ordering a corrective action plan that included the CEO, CMO and director of marketing to receive HIPAA training.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access