Of all the personal information that you might want to keep private, your medical records are the most important. That's why federal and state laws carry stiff penalties, up to and including jail time, for healthcare providers who let such data loose into the wild.
So you should be aghast at how free and easy Prime Healthcare Services and two executives at Prime-owned Shasta Regional Medical Center have been with the medical chart of a patient named Darlene Courtois. They showed the entire chart to an editor of her hometown newspaper, and Prime's corporate office divulged some of her medical examination results to me (though I didn't ask for them). They didn't have her permission for those disclosures, her daughter says.
Their justification is that Courtois implicitly waived her medical privacy by sharing a portion of her records with a different news organization. But that doesn't wash. No matter what Courtois said or did, without her specific consent Shasta still doesn't have the legal right to disclose her file on its own, say the experts I've talked to.
As I reported last week, Prime, which owns 14 California hospitals, is under investigation by state and federal authorities for submitting possibly fraudulent bills to Medicare and Medi-Cal. Here's an instance in which its executives may have crossed the line that warrants a federal investigation.
The Courtois case begins with an article by the news organization California Watch, whose analysis of government data suggests that Prime has inflated diagnoses of Medicare and Medicaid patients to obtain excessive reimbursements.
Last month, California Watch reported that in January 2010 Courtois, 64, went to the emergency room at Shasta Regional for treatment from a fall. Shasta billed Medicare for treating Courtois for kwashiorkor, a severe malnutrition condition typically seen in famine victims. The diagnosis more than doubled the Medicare reimbursement Shasta would otherwise have received for treating Courtois, the report said.
But Courtois and her daughter Julie Schmitz told California Watch she wasn't treated for malnutrition during her five-day stay at Shasta. In fact, she's overweight. A 63-page file she obtained from the hospital and showed to California Watch describes her as "well-nourished" and doesn't mention severe malnutrition, the report said.
California Watch offered its article for publication to the Redding Record Searchlight, the local newspaper for Shasta Regional. The Record, quite properly, called Shasta for a response. And that's where things went wrong.
The Record's editor, Silas Lyons, says two Shasta executives showed up at the newspaper with Courtois' medical chart. They were Randall Hempling, the hospital CEO, and Dr. Marcia McCampbell, its chief medical officer. They showed Courtois' chart to Lyons and proceeded to discuss it in detail, their goal being to prove that Courtois didn't accurately describe her experience to California Watch. Based on that discussion, Lyon says, the newspaper decided not to run the article.
Here's what state and federal laws have to say: A hospital can't disclose a patient's medical information publicly, such as to a newspaper, without the patient's written authorization. The authorization has to be very specific, designating exactly which records may be disclosed and to whom.
The applicable laws are the federal Health Insurance Portability and Accountability Act of 1996, which is known as HIPAA, and the 2008 California Confidentiality of Medical Information Act. The covered records include any information about an individual's "past, present or future physical or mental health or condition," and "the provision of health care to the individual." (The language comes from the federal government's published privacy rule summary.)
There are a few limited circumstances in which a healthcare provider doesn't need permission. Chiefly these fall into the categories of "treatment, payment and healthcare operations" — in other words, charts can be seen by doctors treating the patient or insurers paying for care, or in connection with hospital functions such as evaluating doctors' competency — and regulatory activities or subpoenas.
HIPAA provides for civil penalties of up to $50,000 per violation. Deliberate breaches committed for "commercial advantage, personal gain or malicious harm" can carry criminal sanctions of up to $250,000 in fines and up to 10 years in jail. State law further gives patients the right to sue for breaches of their privacy.
Shasta could have asked Courtois for permission to make her chart public. But Schmitz, who has her mother's medical power of attorney, told me Shasta never sought her mother's permission and she never gave it to them.
When I asked Shasta hospital CEO Hempling whether he had Courtois' written authorization to show her chart around, he replied that he didn't need it. (McCampbell didn't respond to my request for comment.)