Six Major Patient Record Breaches Draw $675,000 In Penalties
Under a law passed after breaches of celebrity medical records, such as those of the late actress Farrah Fawcett, health officials yesterday levied six fines totaling $675,000 against five California hospitals where employees and others gained unauthorized access to sensitive information in patients' electronic medical records.
State officials did not name any of the patients involved, but one of them was said to be Michael Jackson, whose records were reportedly accessed illegally at Ronald Reagan UCLA Medical Center in Los Angeles after his death.
"These facilities failed to prevent unauthorized access to confidential patient information," Kathleen Billingsley, deputy director of the Center for Health Care Quality, California Department of Public Health, said during a briefing yesterday.
"Medical privacy is a fundamental right, and every Californian seeking care in a hospital should not have to worry about who is viewing their medical information, she said. "We remain concerned with violations of patient confidentiality and the potential harm to patients."
California may have the most aggressive patient privacy laws in the nation. CDPH spokesman Ralph Montano says state officials "are not aware of any other state with similar laws."
Jill Rosenthal, Program Director at the National Academy for State Health Policy in Washington, D.C., also says she is not aware of such laws in any other state.
In California, health officials can administer fines amounting to $25,000 for the first breach and $17,500 for each subsequent violation involving the same patient, with a cap of $250,000. "That can add up in some cases to a fairly significant number," Billingsley said. Another state law took effect Jan. 1 that requires hospitals to notify patients when their medical confidentiality has been violated.
Yesterday's fines bring the total number of fines levied under the new law to eight, including two others imposed last year against Kaiser Permanente Hospital in Bellflower for two separate breaches involving the records of Nadya Suleman and her octuplets. Those fines were $250,000 and $187,000.
The total amount of fines levied is $1.12 million, although hospitals have the right to appeal. Billingsley said the money goes into a fund that is to be used for improving quality of care, and she hopes this money eventually will be used to find ways to prevent such breaches of medical confidentiality.
Additionally, under authority from another new state law, state officials referred the names of the health providers who were involved in these cases to a newly constituted state agency, the Office of Health Information Integrity. That office is charged with investigating those individuals and possibly fining them individually up to $25,000 per violation, or up to $250,000 if the use is for financial gain.
Details of yesterday's fines are as follows:
1. Community Hospital of San Bernardino received two fines, one for $250,000 and another for $75,000 for two breaches. In the first, one employee accessed computerized medical records of 204 patients "without a clinical need for information," a "failure (that) had the potential for unauthorized persons to use the disclosed information in a way not authorized by the patient such as identity theft or other unauthorized uses."
The hospital reported the breach a few days after it was discovered on Feb. 23, 2009. According to state documents, an imaging department manager who came in on a Sunday because of computer problems noticed a radiology technician (RT) engaged in "unusual activity. The RT had accessed clinical records that had no imaging (x-ray) services. The RT stated that she was accessing the records for her own knowledge."
When the manager informed the RT that this was a violation of patient confidentiality, the RT said, "she had lost a baby because she was on drugs and wanted to see records of obstetrics to see what the pregnant mothers did to get help."