Her case shows why healthcare privacy laws exist

by Michael Hiltzik, Los Angeles Times

Of all the personal information that you might want to keep private, your medical records are the most important. That’s why federal and state laws carry stiff penalties, up to and including jail time, for healthcare providers who let such data loose into the wild.

So you should be aghast at how free and easy Prime Healthcare Services and two executives at Prime-owned Shasta Regional Medical Center have been with the medical chart of a patient named Darlene Courtois. They showed the entire chart to an editor of her hometown newspaper, and Prime’s corporate office divulged some of her medical examination results to me (though I didn’t ask for them). They didn’t have her permission for those disclosures, her daughter says.

Their justification is that Courtois implicitly waived her medical privacy by sharing a portion of her records with a different news organization. But that doesn’t wash. No matter what Courtois said or did, without her specific consent Shasta still doesn’t have the legal right to disclose her file on its own, say the experts I’ve talked to.

As I reported last week, Prime, which owns 14 California hospitals, is under investigation by state and federal authorities for submitting possibly fraudulent bills to Medicare and Medi-Cal. Here’s an instance in which its executives may have crossed the line that warrants a federal investigation.

The Courtois case begins with an article by the news organization California Watch, whose analysis of government data suggests that Prime has inflated diagnoses of Medicare and Medicaid patients to obtain excessive reimbursements.

Last month, California Watch reported that in January 2010 Courtois, 64, went to the emergency room at Shasta Regional for treatment from a fall. Shasta billed Medicare for treating Courtois for kwashiorkor, a severe malnutrition condition typically seen in famine victims. The diagnosis more than doubled the Medicare reimbursement Shasta would otherwise have received for treating Courtois, the report said.

But Courtois and her daughter Julie Schmitz told California Watch she wasn’t treated for malnutrition during her five-day stay at Shasta. In fact, she’s overweight. A 63-page file she obtained from the hospital and showed to California Watch describes her as "well-nourished" and doesn’t mention severe malnutrition, the report said.

California Watch offered its article for publication to the Redding Record Searchlight, the local newspaper for Shasta Regional. The Record, quite properly, called Shasta for a response. And that’s where things went wrong.

The Record’s editor, Silas Lyons, says two Shasta executives showed up at the newspaper with Courtois’ medical chart. They were Randall Hempling, the hospital CEO, and Dr. Marcia McCampbell, its chief medical officer. They showed Courtois’ chart to Lyons and proceeded to discuss it in detail, their goal being to prove that Courtois didn’t accurately describe her experience to California Watch. Based on that discussion, Lyon says, the newspaper decided not to run the article.

Here’s what state and federal laws have to say: A hospital can’t disclose a patient’s medical information publicly, such as to a newspaper, without the patient’s written authorization. The authorization has to be very specific, designating exactly which records may be disclosed and to whom.

The applicable laws are the federal Health Insurance Portability and Accountability Act of 1996, which is known as HIPAA, and the 2008 California Confidentiality of Medical Information Act. The covered records include any information about an individual’s "past, present or future physical or mental health or condition," and "the provision of health care to the individual." (The language comes from the federal government’s published privacy rule summary.)

There are a few limited circumstances in which a healthcare provider doesn’t need permission. Chiefly these fall into the categories of "treatment, payment and healthcare operations" ‘ in other words, charts can be seen by doctors treating the patient or insurers paying for care, or in connection with hospital functions such as evaluating doctors’ competency ‘ and regulatory activities or subpoenas.

HIPAA provides for civil penalties of up to $50,000 per violation. Deliberate breaches committed for "commercial advantage, personal gain or malicious harm" can carry criminal sanctions of up to $250,000 in fines and up to 10 years in jail. State law further gives patients the right to sue for breaches of their privacy.

Shasta could have asked Courtois for permission to make her chart public. But Schmitz, who has her mother’s medical power of attorney, told me Shasta never sought her mother’s permission and she never gave it to them.

When I asked Shasta hospital CEO Hempling whether he had Courtois’ written authorization to show her chart around, he replied that he didn’t need it. (McCampbell didn’t respond to my request for comment.)

"As far as we’re concerned, the patient gave that permission when she gave her records to California Watch and was quoted on the record," Hempling told me. "That waived her privacy."

Patient privacy experts disagree. Under the law, there’s no such thing as an implied authorization by a patient for disclosure of personal records, said Linda Ackerman, a San Francisco expert in privacy law.

The office of civil rights of the U.S. Department of Health and Human Services, which enforces HIPAA, put it this way: "There is no ‘waiver’ that would apply to the release of a chart or medical record to the media without an individual’s written authorization."

Several experts told me it doesn’t matter if the hospital was trying to contradict misinformation provided by a patient (even if that’s what Courtois did, which is debatable). Under the law, patients themselves can divulge anything they wish about their medical conditions and their treatment by a hospital. But a hospital’s obligation is to keep its mouth shut. A desire to deflect bad PR is not an excuse. Even if they think they’re in the right, the law says healthcare providers have to suffer in silence, the experts say.

Anthony Wright, executive director of the statewide patient advocacy group Health Access California, also mentioned the "chilling precedent" of a hospital company exposing a patient’s personal information just because she criticized the company in public. Indeed, the lesson of the Courtois case is clear: Give an interview about your experience at a Prime-owned hospital, and don’t be surprised if the hospital responds by exposing the most private details of your medical history to the world.

By talking to California Watch "my mom was trying to do the right thing and stand up for Medicare," Schmitz says. "Does that mean her life is an open book?"

Most HIPAA and CMIA cases involve sloppy handling of patient information. Often they result from the theft of a laptop filled with private data, or chart-snooping by low-level employees (such as the snooping into celebrity charts at UCLA that inspired the state law and got the university slapped with a federal penalty of $865,000).

No expert I reached could think of a case in which hospital executives deliberately made a patient’s chart public without written authorization, which suggests that this case is prime for investigation. "This is really out of the norm," says Mark Savage, a senior attorney at Consumers Union in San Francisco.

HIPAA rules have been drummed into the heads of medical practitioners so deeply that it’s hard to find a doctor today who doesn’t walk on eggshells where patient privacy is concerned. But rules don’t seem to have sunk in at Prime Healthcare. A corporate spokesman even emailed me an internal memo Hempling prepared bearing all sorts of details of Courtois’ condition and treatment. Yet the spokesman, Edward Barrera, insists Prime and Shasta "have acted in accordance with HIPAA and state law at all times."

The behavior of Prime and Shasta Regional should provide rich fodder for investigations by state and federal agencies and by U.S. prosecutors in Sacramento, who cover Shasta County. Dr. McCampbell holds a California medical license issued in 2005, and it would be worthwhile for the state medical board to look into her participation in this matter and determine whether it meets the standards of professional conduct required of a California licensee.

As for the rest of the bigwigs at Prime and Shasta, plainly they all need to be shipped to a reeducation camp in the rules of patient confidentiality. If, that is, they can stay out of jail.