CA Health Records Breaches Net $800,000 in Fines

By cclark@healthleadersmedia.com | November 22, 2010

Six California hospitals and a convalescent home—including four small rural facilities—must pay nearly $800,000 because of eight health information privacy breaches. 

The violations include two against Kern Medical Center in Bakersfield, one of which was assessed at the maximum amount of $250,000 because reports containing lab and other details for 596 patients were placed in an unlocked outdoor locker that was stolen, according to state documents.

Another near maximum fine of $225,000 was levied against Pacific Hospital of Long Beach because an employee obtained personal information on nine patients "and allowed other people to use this information in order to open up fraudulent accounts," such as accounts with Verizon, state documents said. That incident has since become a police matter.

Kaweah Manor Convalescent Hospital in Visalia, 45 miles south of Fresno, received the third highest fine, $125,000, because a Kaweah employee allegedly stole the identities of five patients and used them to redirect their mail and open accounts, according to state documents.

The laws against privacy breaches were passed after information about entertainers such as actress Farrah Fawcett was leaked to the media three years ago.

 
"Every Californian seeking care at a hospital or nursing home should not have to worry about who is viewing their private medical information," said Pam Dickfoss, acting deputy director for theCaliforniaDepartment of Public Health. "It's also a critical part of quality medical care. We remain concerned with violations of patient confidentiality and their potential harm to the residents of California."

Several of the violations involved rural facilities where employees personally knew the patients, and disclosed information about their medical conditions without authorization. In one case, sensitive information about a patient was related to the patient's relatives, and in another to the employee's friends through postings on MySpace, according to state documents.

The round of eight fines is the fourth under privacy laws in California that are the nation's most stringent. The $792,500 in this round of fines brings the total in state privacy breach penalties to $2.2 million. Some of the fines have involved medical records of celebrities, such as Michael Jackson and Britney Spears. Last year, the state imposed two fines of $250,000 and $187,000 against Kaiser Permanente Hospital in Bellflower for two separate breaches involving the records of Nadya Suleman and her octuplets.

The penalty is $25,000 for a medical facility breach of a patient's medical information, and another $17,500 for each subsequent breach. The state has received more than 4,101 breach reports, and has so far investigated 2,627. The 18 fines levied so far were for lapses classified as either willful or negligent, according to department spokesman Ralph Montano.

Dickfoss announced the fines one week after the state announced 12 fines totaling $575,000—authorized under a different set of laws—against 14 hospitals for causing immediate jeopardy to patient safety.

The breach fines levied last week are as follows:

1. Biggs Gridley Memorial Hospital in Gridley, Butte County, was assessed $60,000, a fine that was reduced to $5,000 under a special provision that allows leniency for small, rural or critical access facilities, according to state documents.  In this instance, a hospital employee who was not authorized to do so shared with three other employees the medical records of a coworker who had been hospitalized.

2. Children's Hospital of Orange County was assessed $25,000 because one employee accessed unauthorized information about a co-worker's child who had been hospitalized and called her to discuss it. The parent of the hospitalized child told the employee they "did not want to discuss the child's hospitalization," according to state documents.

3. Delano Regional Medical Center in Kern County was assessed a $60,000 fine after an employee accessed sensitive information about the urine test results of a patient who was her sister-in-law, and "maliciously" related those results to the patient's mother and the patient's two sisters, according to state documents.

4. Kaweah Manor Convalescent Hospital in Visalia, Kern County, was assessed $125,000 after an elder abuse police investigation and the arrest of a physical therapy assistant, who allegedly stole personal identities of five patients, state records said. After a police search of the employee's property, credit cards were found that had been issued under one resident's name and "there was evidence that $16,000 for a home remodel application had been completed online," state documents said.

Additionally, while the officer was at the employee's residence, a package arrived addressed to one of the residents.

5. Kern Medical Center in Bakersfield, Kern County, received a $250,000 and a $60,000 fine.  In the first of two cases, a locker designated to hold daily cumulative lab reports and other patient medical information was placed outdoors and went unsecured for months and was never reported.  Staff discovered that records for 596 patients from Oct. 30, 2009 were missing, according to state documents.

The employee who was responsible for storing the reports said "he felt putting the patient information in an unsecured locker was not the right thing to do but did not report his concern to anyone else," according to state documents.

In the second case, a volunteer research assistant was asked by a physician to enroll an emergency room patient in their computer base, and noticed that the emergency contact for that patient was another staff member. The fact that the patient was in the hospital was relayed to that contact, who happened to be the patient's mother, as well as to a second staff member without authorization, state documents said.

6. Oroville Hospital in Oroville, Butte County, was fined $42,500 after an employee posted on "My Space" that a patient had been admitted to the emergency room three times in one month. The employee was also observed by the patient's family member "talking on her personal cell phone and disclosing to a third party that (the patient) was in the emergency room," state documents said.

 

7. Pacific Hospital of Long Beach in Los Angeles County was fined $225,000 after an employee accessed information on nine patients, some of which was given to others to open up fraudulent accounts.

The employee "admitted to memorizing several patients' profiles, going home, and writing the memorized profiles on papers.  She then allowed other people to use this information in order to open up fraud accounts with Verizon," according to state documents.

Kathleen Billingsley, deputy director of the California public health department's Center for Health Care Quality, acknowledged that some of the fines "seem to be very large" in some cases involving only one incident.

But the way the law is now written, she said, the department does not have discretion. "When we get to the point when a significant number of patient's records have been accessed in an inappropriate matter, or they were available to anyone who would like to look at them because they were not secured, according to the specificity of the law, we're required to follow that."

All fines and their related documents can be accessed here.
