I don’t know if you can hear me, but I generally groan when I read a settlement that permits the party to make no admission of guilt. The FTC permits it, and HHS also permits it. I understand why they may choose to do that, but seriously, there are some breaches that are just so egregious that they demand a finding or acknowledgement of guilt.
Since January of last year, I’ve been covering the privacy debacle that is the Prime Healthcare/Shasta Regional Medical Center case (previous coverage here, here, here, here, and here, here). To say that I consider their conduct to be one of the most obvious cases of a knowing HIPAA breach would be to put it mildly, despite the entities’ denials of any wrongdoing and repeated assertions that their conduct is permissible. Today, Chad Terhune of the Los Angeles Times reports that while they continue to appeal the state’s $95,000 penalty for the breach, they have reached a settlement with HHS over the breach:
Hospital chain Prime Healthcare Services Inc. has agreed to pay $275,000 to settle a federal investigation into alleged violations of patient privacy.
The case stemmed from allegations that Prime Healthcare and its Shasta Regional Medical Center violated patient confidentiality by sharing a woman’s medical files with journalists and sending an email about her treatment to nearly 800 hospital employees.
Last year, California regulators fined the Ontario hospital chain $95,000 for the unauthorized disclosure of medical information in this matter. The company said it’s appealing that state fine.
In the federal settlement announced Tuesday, Prime Healthcare did not admit to any wrongdoing. The company and hospital said they “firmly believe that they would have prevailed in this matter based upon the merits.” (emphasis added by me)
That statement is from their press release, where they wrote:
In reaching the agreement, SRMC admitted to no wrongdoing pertaining to the alleged violation of patient privacy. Prime Healthcare and SRMC firmly believe that they would have prevailed in this matter based upon the merits. However, in view of the unnecessary expense to both SRMC and to the taxpayers of the United States, they reached an agreement to settle the matter and pay $275,000 as a “Resolution Amount.”
Oh, they’re worried about expense to taxpayers? How considerate of them.
In light of their repeated public statements, I really really wish HHS had not settled this case. I realize that $275,000 may seem like a large fine given that it was “only” one patient whose data were intentionally disclosed, but to allow them to insist that they did nothing wrong is offensive.
Read more on the L. A. Times. As of the time of this posting, HHS has not posted any press release on its site with the settlement agreement, so I’ll have more on this later.