A recent settlement agreement is a good reminder of the protections federal law can apply to protected health information (PHI) held by a covered entity.
A Resolution Agreement with Shasta Regional Medical Center (SRMC) announced by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights reminds us that PHI is still protected even when it has been disclosed or is publicly available. Shasta operates several different facilities and was found to have violated HIPAA when discussing a potential fraud case with the media and in internal communications. They agreed to pay a $275,000 fine and submit to a Resolution Agreement.
Among other things, the Resolution Agreement requires that each of the related facilities for Shasta Regional Medical Center sign off on the following:
- Affidavit. The CEO and Privacy Officer of each facility listed in Appendix B, shall submit an affidavit to OCR, through the Compliance Representative, stating that they understand that (a) an individual’s protected health information (“PHI”) is protected by Privacy Rule even if such information is already in the public domain or even though it has been disclosed by the individual; and (b) disclosures of PHI in response to media inquiries are only permissible pursuant to a signed HIPAA authorization. Each facility will ensure that all members of their respective workforce are informed of this policy.