The California Department of Public Health has fined Redding-based Shasta Regional Medical Center $95,000 for violating the confidentiality of an individual patient.

The medical center disputes the findings of the department, but agreed to a corrective action plan that includes HIPAA training for the CEO, chief medical officer and director of marketing, according to a department report of findings and the plan.

California Watch, an investigative reporting organization, was working on a story about

aggressive Medicare billing practices at Shasta Regional, including frequent billing of treatment to senior citizens for kwashiorkor, which is serious malnutrition that is generally seen in children during famines.California Watch interviewed a patient billed for kwashiorkor treatment that was in the hospital for diabetes treatment and was overweight.

California Watch did not identify the patient in subsequent story, but the hospital put the pieces together and made the identification.

Hospital CEO Randall Hempling then tried to undermine California Watch’s story by sending an email to virtually every employee in the hospital, about 785, that disclosed information in the patient’s medical record, the news service reported on Nov. 28. Hempling and the CMO also took the patient’s records to a local newspaper in a successful attempt to dissuade the editor from publishing California Watch’s story. Among other information, the file showed the patient had received a nutritional consultation, which justified the kwashiorkor billing, according to the news service. Medical records the patient requested did not note malnutrition. The story did run in the San Francisco Chronicle and The Orange County Register.

Shasta Regional Medical Center referred requests from Health Data Management for comment to parent company Prime Healthcare Services, which did not respond. A Prime spokesperson told California Watch that the company believes it did nothing wrong and disclosures, if any, were permitted under federal and state law.

The Department of Public Health also fined Shasta Regional another $25,000 for a separate privacy violation incident involving a snooping employee, since terminated, that happened in February 2010.

http://www.healthdatamanagement.com/news/hipaa-privacy-security-breach-violation-fine-shasta-45298-1.html