If you’ve been reading my blog for a few years, you’ll likely remember the case where Shasta Regional Medical Center and Prime Healthcare Services disclosed a patient’s records to the media, claiming that because the patient had talked to the media, she had waived confidentiality. The case was initially reported in January, and I posted an update in May 2012, by which time the state had found that the hospital and Prime Healthcare Services had breached state patient confidentiality law (pdf). At that time, I wrote:
Back in January, I suggested that SRMC should probably shut up and not continue to try to defend its actions. The ruling by the state comes as no surprise to me. Nor, however, am I surprised to read that SRMC is appealing the finding.
Do I expect to see fines over this one? You betcha. A “good faith belief” only cuts you some slack, not all.
Today, Chad Terhune reports:
State officials have fined hospital chain Prime Healthcare Services Inc. $95,000 for violating patient confidentiality by sharing a woman’s medical files with journalists and sending an email about her treatment to 785 hospital employees.
The California Department of Public Health levied the fine this month after determining in May that Shasta Regional Medical Center in Redding had five deficiencies related to the unauthorized disclosure of medical information on a diabetes patient treated there in 2010.
Prime Healthcare, based in Ontario, said it had appealed the state’s findings and penalties. “Shasta Regional Medical believes that disclosures, if any, were permitted under both federal and state law,” company spokesman Edward Barrera said. “Shasta Regional Medical Center is committed to the privacy of its patients.”
Read more on the Los Angeles Times. I think $95,000 is actually pretty low considering the severity and consequences of the breaches. And I’m flabbergasted that they’re still maintaining they did nothing wrong.
But, wait. There’s more:
The state agency said it issued an additional $3,100 in fines in the case because the hospital failed to report the breach to the state and the patient in a timely manner.
Separately, the Department of Public Health fined Prime Healthcare $25,000 because a Shasta hospital employee inappropriately accessed a co-worker’s medical files in January while the person was being treated there.
The state’s report on that second breach can be found here (pdf). On a positive note, SRMC may not have prevented that breach, but they detected it fairly quickly through their own internal audits. Now if we could just work on prevention, right?
I’m waiting to see what HHS does (if it even does anything) about the release of the first patient’s data to the media and hospital employees. For my money, if I were HHS, I’d sock these folks with a really hefty fine because they still don’t seem to get that what they did was flat-out wrong.
This blog entry was corrected to reflect that the case first became public in January 2012.