
Prying Eyes May Cost Hospitals Millions

By cclark@healthleadersmedia.com | June 16, 2010

Last week as California health officials announced they were fining five hospitals $675,000 because employees were caught snooping into computerized patient medical records, I thought the message was being conveyed loud and clear.

At least one state is getting very serious about instilling a culture of health information confidentiality. Under California's 18-month-old law, eight fines totaling more than $1.1 million have now been levied against just six hospitals. Two of the eight received two fines each for invasive privacy breaches, and each of those two received a maximum fine of $250,000.

With fines for the first violation levied at $25,000, and subsequent breaches costing $17,500 each, the tally can run up fast, especially if there's more than one patient whose records were breached.

Maybe California is ahead of the rest of the country with laws like these because the state has so many entertainers, whose sometimes tragic medical conditions and dramatic deaths are too tempting for providers' sometimes voyeuristic tendencies to ignore.

Farrah Fawcett, Britney Spears, Gov. Arnold Schwarzenegger and his wife Maria Shriver, George Clooney and his girlfriend, so-called "octomom" Nadya Suleman, who gave birth to octuplets, and even Michael Jackson postmortem were, according to news reports last week, victims of prying eyes.

But there's even more incentive now for providers to pay attention because in California, there's another law that makes illicit chart peeking extremely personal. A special agency, the Office of Health Information Integrity, has been set up to investigate those employees accused of poaching medical information, perhaps to see if they are using it for private financial gain.

Individuals may be fined $25,000 per violation, or up to $250,000. The state has already referred several healthcare workers accused of violating privacy laws to that agency for scrutiny.

Or so it would seem. Kathleen Billingsley, deputy director of the state Department of Public Health, said that when she speaks to hospital CEOs now about these violations, "each one of them has talked with me about the efforts they have put into place. How they've addressed it with these plans of correction they're going to make.

"One CEO told me today they had educated over 1,000 employees immediately upon their first violation. And I've seen a lot of extensive training, retraining and a change in culture within a hospital," she said.

During Billingsley's explanation to the news media last week, it became clear that the issue is just beginning to snowball. "We have 324 cases that are currently under investigation and 1,489 cases pending. Between Jan. 1, 2009, when law became effective, and May 31 of 2010, we've received 3,766 reported breaches of patient medical information from licensed facilities."

That's a lot of suspected snooping to scrutinize.

Another California law requires hospitals to self-report these breaches, and most are doing so, Billingsley hopes. But now, health providers and state regulators have something more to worry about than an unauthorized X-ray or bit of medical information showing up in a tabloid-style blog or newspaper.

Now, health officials and hospital executives have to worry about health providers taking unauthorized forays into protected files and posting the information on the Internet via social media.

Last week, officials at a large hospital in San Diego County acknowledged that they've moved to terminate five employees and were disciplining a sixth for posting confidential information about a patient on what was reported by one news organization as a Facebook page. It's not clear what they wrote, or whether any patients were identified. Hospital officials say no photos or identifying information was involved.

I can imagine such a posting among co-working friends talking about their challenges in dealing with a patient with, say, severe mental illness or extensive decubitus ulcers or extreme morbid obesity. What if the nurses said something about how difficult or messy or unsightly the patient was to treat? I can imagine that. Providers are only human, and they sometimes call upon their darker sense of humor that just might get them through a more difficult day.

But even if the patient wasn't named, does posting information on Facebook in a general way violate confidentiality? I think it does. Most of all, it indicates a lack of respect.

Billingsley says some hospitals have installed warnings and made technological changes on computers, in effect putting any employee on notice that there are serious consequences for going into medical records without authorization. That goes for the innocently curious too, or the researcher who may have a legitimate, academic, but still unauthorized pursuit.

It also goes for those who had a legitimate reason to know about a patient's intimate medical details, however unique, grotesque, challenging, or prurient. They must realize this information must not be shared in places where unauthorized persons can see or hear it.

Billingsley says that hospital CEOs are taking these new laws, and the ethical and moral reasons behind them, very seriously.

Now, hospital employees, their friends, visiting providers, security guards, and everyone else who may have a chance encounter with a computerized medical record, or any other kind of health information about a patient, should do so too.

