California Medical Center Will Pay $275,000 to Settle Federal Patient Privacy Case

Tuesday, July 23, 2013
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Shasta Regional Medical Center in Redding, California, has agreed to pay $275,000 to settle a federal investigation concerning alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The settlement resolves allegations made by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) that the medical center shared a patient’s medical file with journalists and sent an e-mail about her medical treatment to hundreds of hospital employees. The two organizations reached an agreement on June 6, 2013.


Shasta Regional Medical Center is owned by Prime Healthcare Services, Inc., based in Ontario, California. Prime Healthcare did not admit to any wrongdoing, according to the settlement agreement.

Medical Center Managers Accused of Intentionally and Repeatedly Violating HIPAA.

According to the Los Angeles Times, a compliance review was opened after two senior managers at Shasta Regional Medical Center met with media to respond to a previous news article that alleged the hospital was overbilling Medicare. The managers allegedly disclosed protected health information on a patient to multiple media outlets on at least three separate occasions, according to the Los Angeles Times. The OCR’s investigation also allegedly indicated that the managers shared details about the patient’s medical condition, diagnosis and treatment in an e-mail to the entire workforce, which is nearly 800 individuals.


Shasta Regional Medical Center Must Pay Settlement and Agree to Retrain Workforce.

On top of the $275,000 settlement fine, Shasta Regional Medical Center must update its policies and procedures on safeguarding patient protected health information from impermissible uses and disclosures. The ownership group, Prime Healthcare, must retrain its workforce on this new corrective action plan, not only at Shasta Regional Medical Center but also at fifteen of its other hospitals and medical centers.


It’s important to remember there is no such thing as implied authorization under HIPAA. A patient’s medical record cannot be disclosed by the hospital or medical center without authorization from the patient.

Deadline to Comply with Omnibus Rule is Coming.

The HHS released stronger rules and protections governing patient privacy on January 17, 2013. This omnibus rule strengthens the privacy and security protection established under HIPAA. Physicians, hospitals, clinics, health care providers and their business associates need to take into account the corrections as they work to update business associate agreements, policies, practices and training to comply with the rule changes by the September 23, 2013, deadline.

Be Proactive - Get a HIPAA Risk Assessment.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions. It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply don't have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website or call (407) 331-6620 or (850) 439-1001.


What do you think of this alleged HIPAA violation? Do you have policies and procedures in place to protect your patients’ right to privacy? Have you received a HIPAA risk assessment lately? Please leave any thoughtful comments below.


Department of Health and Human Services Press Office. “HHS Requires California Medical Center to Protect Patients’ Right to Privacy.” Department of Health and Human Services. (June 13, 2013).

Terhune, Chad. “Prime Healthcare Settles Federal Patient-Privacy Case for $275,000.” Los Angeles Times. (June 11, 2013).

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.


"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.
