Prying Eyes May Cost Hospitals Millions

Last week as California health officials announced they were fining five hospitals $675,000 because employees were caught snooping into computerized patient medical records, I thought the message was being conveyed loud and clear.

At least one state is getting very serious about instilling a culture of health information confidentiality. Under California's 18-month-old law, eight fines totaling more than $1.1 million have now been levied to just six hospitals. Two of the eight received two fines each for invasive privacy breaches, and each of those two received a maximum fine of $250,000.

With fines for the first violation levied at $25,000, and subsequent breaches costing $17,500 each, the tally can run up fast, especially if there's more than one patient whose records were breached.

Maybe California is ahead of the rest of the country with laws like these because the state has so many entertainers, whose sometimes tragic medical conditions and dramatic deaths are too tempting for providers' sometimes voyeuristic tendencies to ignore.

Farrah Fawcett, Britney Spears, Gov. Arnold Schwarzenegger and his wife Maria Shriver, George Clooney and his girlfriend, so-called "octomom" Nadya Suleman who gave birth to octuplets and even Michael Jackson postmortem, according to news reports last week, were victims of prying eyes.

But there's even more incentive now for providers to pay attention because in California, there's another law that makes illicit chart peeking extremely personal. A special agency, the Office of Health Information Integrity, has been set up to investigate those employees accused of poaching medical information, perhaps to see if they are using it for private financial gain.

Individuals may be fined $25,000 per violation, or up to $250,000. The state has already referred several healthcare workers accused of violating privacy laws to that agency for scrutiny.

Or so it would seem. Kathleen Billingsley, deputy director of the state Department of Public Health, said that when she speaks to hospital CEOs now about these violations, "each one of them has talked with me about the efforts they have put into place. How they've addressed it with these plans of correction they're going to make.

"One CEO told me today they had educated over 1,000 employees immediately upon their first violation. And I've seen a lot of extensive training, retraining and a change in culture within a hospital," she said.

During Billingsley's explanation to the news media last week, it became clear that the issue is just beginning to snowball. "We have 324 cases that are currently under investigation and 1,489 cases pending. Between Jan. 1 2009, when law became effective and May 31 of 2010, we've received 3,766 reported breaches of patient medical information from licensed facilities."

That's a lot of suspected snooping to scrutinize.

Another California law requires hospitals to self-report these breaches, and most are doing so, Billingsley hopes. But now, health providers and state regulators have something more to worry about than an unauthorized X-ray or bit of medical information showing up in a tabloid-style blog or newspaper.