Hospital Fined $250,000 For Late Reporting of Data Breach

By cclark@healthleadersmedia.com | September 09, 2010

This story was updated on September 10th.

Lucile Salter Packard Children's Hospital at Stanford University has been fined $250,000 by California health officials for failing to report within five days a breach of 532 patient medical records in connection with the apparent theft of a hospital computer by an employee.

Under state law, that amount is the maximum penalty allowed for failing to report such an incident, according to Ralph Montano, a spokesman for the California Department of Public Health. The penalty is assessed at the rate of $100 for every day of delayed reporting after the first five days for each patient medical record that was breached, he said.

These failure-to-notify penalties are unique in the country, according to officials for the National Academy for State Health Policy. So far, state health officials have issued more than $1.8 million in fines against 143 hospitals that failed to report an adverse event or breach of a medical record, a wrong-site surgery or a foreign object left inside a surgical patient.

State officials on Thursday released a document, called a "2567," summarizing the results of the state's investigation of the Lucile Packard incident. It said an unauthorized hospital employee and her husband, another employee, were observed Jan. 5 in the hospital's Heart Center removing a computer that contained protected health information on 532 patients.

"Based on interviews and record review, the hospital failed to notify a privacy breach of patients' protected health information (PHI) to 532 patients within five days after the hospital confirmed the breach on 2/1/10. The hospital failed to send notifications to the patients until 2/19/10."

"The confidential data included names, date of birth, medical record numbers, diagnoses, procedures, insurance information and/or social security numbers."

Lucile Packard officials on Thursday posted a lengthy statement on the hospital's website saying it intends to appeal the $250,000 fine.

"The computer in question was used by an employee whose job required access to patient information," the hospital said.

"Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home.

"The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.

"As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.

"Theft charges have been filed against the former employee."

In a statement sent by e-mail to HealthLeaders Media Wednesday, Lucile Packard spokesman Robert Dicks forwarded this statement from Susan Flanagan, RN, chief operating officer: "This theft was very unfortunate. We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children's privacy."

"The incident in question was related to the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly."

"As soon as the hospital and law enforcement determined the computer was not currently recoverable, the hospital reported the incident to the CDPH and federal authorities, as well as the families of potentially-affected patients."

"The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today."

Added Ed Kopetsky, chief information officer at Packard Children’s, "Even though the investigation revealed that no patients were harmed and apparently no patient information was compromised, we are using this incident to further tighten our security and provide additional education to our staff."

Dicks said a date has not been set for the ruling on the appeal.

He emphasized in an e-mail Thursday that the hospital self-reported the incident to the state.

The state Department of Public Health's website indicates that Lucile Packard hospital received two other fines, each $1,500, for two other incidents involving failure to report a breach of medical records by a healthcare worker "within the facility/healthcare system" on the same day. The state website indicates that the hospital intends to appeal one of them but not the other.

A hospital can be fined up to $250,000 for a breach itself. However, state law says the combined fine for failing to report a breach and the penalty for the breach itself cannot exceed $250,000, Montano said.

The state's medical record confidentiality laws were enacted in 2008 after hospital medical records of celebrities such as the late Farrah Fawcett and Britney Spears were inappropriately accessed and distributed. A two-bill combination requires health facilities to adopt appropriate administrative, physical and technical safeguards to prevent unauthorized access or unlawful access, use, or disclosure.

Under that breach statute, the total fines as of last June 11 were $1.12 million, levied against eight hospitals.

One of those fines involved the violation of medical records of pop star Michael Jackson at Ronald Reagan UCLA Medical Center. Last year, Kaiser Permanente Hospital in Bellflower was fined for two separate breaches involving the medical records of Nadya "Octomom" Suleman and her octuplets. Those fines totaled $250,000 and $187,000.
