
Six Major Patient Record Breaches Draw $675,000 In Penalties

By cclark@healthleadersmedia.com | June 11, 2010

Under a law passed after breaches of celebrity medical records, such as those of the late actress Farrah Fawcett, health officials yesterday levied six fines totaling $675,000 against five California hospitals where employees and others gained unauthorized access to sensitive information in patients' electronic medical records.

State officials did not name any of the patients involved, but one of them was said to be Michael Jackson, whose records were reportedly accessed illegally at Ronald Reagan UCLA Medical Center in Los Angeles after his death.

"These facilities failed to prevent unauthorized access to confidential patient information," Kathleen Billingsley, deputy director of the Center for Health Care Quality, California Department of Public Health, said during a briefing yesterday.

"Medical privacy is a fundamental right, and every Californian seeking care in a hospital should not have to worry about who is viewing their medical information," she said. "We remain concerned with violations of patient confidentiality and the potential harm to patients."

California may have the most aggressive patient privacy laws in the nation. CDPH spokesman Ralph Montano says state officials "are not aware of any other state with similar laws."

Jill Rosenthal, program director at the National Academy for State Health Policy in Washington, D.C., also says she is not aware of such laws in any other state.

In California, health officials can administer fines of $25,000 for the first breach and $17,500 for each subsequent violation involving the same patient, with a cap of $250,000. "That can add up in some cases to a fairly significant number," Billingsley said. Another state law that took effect Jan. 1 requires hospitals to notify patients when their medical confidentiality has been violated.

Yesterday's fines bring the total number of fines levied under the new law to eight, including two others imposed last year against Kaiser Permanente Hospital in Bellflower for two separate breaches involving the records of Nadya Suleman and her octuplets. Those fines were $250,000 and $187,000.

The total amount of fines levied is $1.12 million, although hospitals have the right to appeal. Billingsley said the money goes into a fund that is to be used for improving quality of care, and she hopes this money eventually will be used to find ways to prevent such breaches of medical confidentiality.

Additionally, under authority from another new state law, state officials referred the names of the health providers who were involved in these cases to a newly constituted state agency, the Office of Health Information Integrity. That office is charged with investigating those individuals and possibly fining them individually up to $25,000 per violation, or up to $250,000 if the use is for financial gain.

Details of yesterday's fines are as follows:

1. Community Hospital of San Bernardino received two fines, one for $250,000 and another for $75,000, for two breaches. In the first, one employee accessed computerized medical records of 204 patients "without a clinical need for information," a "failure (that) had the potential for unauthorized persons to use the disclosed information in a way not authorized by the patient such as identity theft or other unauthorized uses."

The hospital reported the breach a few days after it was discovered on Feb. 23, 2009. According to state documents, an imaging department manager who came in on a Sunday because of computer problems noticed a radiology technician (RT) engaged in "unusual activity. The RT had accessed clinical records that had no imaging (x-ray) services. The RT stated that she was accessing the records for her own knowledge."

When the manager informed the RT that was a violation of patient confidentiality, the RT said, "she had lost a baby because she was on drugs and wanted to see records of obstetrics to see what the pregnant mothers did to get help."

2. Community Hospital of San Bernardino also failed to prevent one employee from unauthorized access of three patients' medical information. "The facility failed to maintain patient privacy of information by not advising three patients of a visitor's presence during collection of registration information. This failure had the potential for unauthorized persons to use the disclosed information in a way not authorized by the patients, such as identity theft or other unauthorized uses," according to state documents. The hospital reported the incident to state officials.

Officials for Community Hospital of San Bernardino released a statement in response to the fines.

3. Ronald Reagan UCLA Medical Center was fined $95,000 after the facility self-reported an incident in which two employees breached the medical records of a deceased patient that press reports linked to Michael Jackson.

In that case, a state document said two employees, one with "School of Medicine Department of Medicine" and another with the "Department of Pathology and Medical Support Services inappropriately accessed Protected Health Information of a deceased patient."

The document said, "both employees were placed on investigatory leave and Human Resources was processing employment termination."

The facility also reported additional breaches by two contract employees who "admitted inappropriate access, they were curious."

UCLA stated that in the last three years it "has made a determined effort to train and test its employees on patient privacy laws and implemented a wide range of safeguards to ensure patient confidentiality. Our vigilant monitoring detected these breaches, which we self-reported to the California Department of Public Health. The individuals involved were dismissed."

4. Enloe Medical Center in Chico received a $130,000 fine, which documents say resulted when the hospital failed to prevent one employee and six employees of local physicians' practices from accessing one patient's medical records. The violation involved one employee giving unauthorized access to the other employees.

However, Enloe officials say they will challenge the fine, which stems from a breach the hospital itself reported. "Enloe immediately began to mitigate the breach upon discovery, and continues to monitor and safeguard patient privacy," the hospital said in a statement. "Enloe also provides code of conduct training during new employee orientation and as part of annual competency modules. These safeguards were taken at each location of the breach; however, access was misused."

"Enloe Medical Center goes above and beyond the requirements of the law to protect patient privacy, which is the reason we were able to detect the breach," said Mike Wiltermood, Enloe's chief executive officer. "From our perspective, Enloe Medical Center's early detection of the patient information breach, along with our long-standing safeguards and privacy processes, were not taken into consideration as the law clearly allows when CDPH chose to apply the $130,000 administrative penalty," Wiltermood said.

"We are concerned that the manner in which CDPH is levying the fines could do more to discourage reporting of breaches rather than to truly strengthen patient privacy," he said.

5. Fremont-Rideout Memorial Hospital in Marysville received a $100,000 fine after the facility failed to protect 33 patients' medical information, which was accessed by 17 security guards employed by the facility after one employee failed to log off his computer, according to state documents. One staff member told state officials that "it was never made as to why they should log off the terminal when away from it other than it was 'proper etiquette.' (The staff member) then stated, 'it doesn't matter anyway, so many of us know each other's passwords.'"

Hospital officials issued a statement saying, "We take very seriously our obligation to safeguard the personal health information of our patients but ultimately there is a human element and sometimes human failings. When we discovered the breach, we immediately terminated access to information, acted quickly to complete an audit and thorough investigation, and notified the state.

"As a result of the investigation last year and in accordance with our policies regarding patient privacy, we disciplined and terminated a number of individuals consistent with the extent of their actions."

6. San Joaquin Community Hospital in Bakersfield was fined $25,000 when it failed to prevent unauthorized access of three patients' medical information by two employees, according to state documents.

Donna Haberkern, San Joaquin's risk manager and patient safety officer, says that the violations involved the misplacement of three patients' lab results into a fourth patient's file folder, which was sent to three attorneys who needed it for a case. "We immediately notified the patients involved that there had been a breach, and took steps to minimize the risk of that reoccurring."

She added that the results "were not of a highly sensitive nature; they weren't results of HIV or toxicology reports, just basic blood counts and electrolyte levels, that kind of thing."
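The pattern the imaging manager spotted in case 1, a radiology user opening charts that had no imaging order, and the sheer number of charts opened (204 patients) are both detectable from an EMR access audit log. The following Python is an added illustration of that detection logic, not code from the article or from any hospital named in it; the log format, department names, user names and patient IDs are all constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Access = namedtuple("Access", "ts user dept patient")

# Constructed: departments holding an active order or encounter per patient.
# A radiology user opening a chart with no imaging order is the pattern the
# imaging manager noticed in case 1.
RELATIONSHIPS = {("radiology", "P001"), ("radiology", "P002"),
                 ("obstetrics", "P003"), ("obstetrics", "P004")}

def parse_log(lines):
    """Parse constructed audit lines: 'ISO-timestamp user dept patient'."""
    out = []
    for line in lines:
        ts, user, dept, patient = line.split()
        out.append(Access(datetime.fromisoformat(ts), user, dept, patient))
    return out

def no_relationship(accesses, relationships=RELATIONSHIPS):
    """Chart opens where the user's department has no order for that patient."""
    return [a for a in accesses if (a.dept, a.patient) not in relationships]

def volume_outliers(accesses, max_patients=3, window=timedelta(hours=1)):
    """Users who open more than max_patients distinct charts inside one window."""
    by_user = defaultdict(list)
    for a in sorted(accesses, key=lambda a: a.ts):
        by_user[a.user].append(a)
    flagged = {}
    for user, events in by_user.items():
        for i, start in enumerate(events):
            seen = {e.patient for e in events[i:] if e.ts - start.ts <= window}
            if len(seen) > max_patients:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged

SAMPLE_LOG = [  # constructed audit lines, not real records
    "2009-02-22T09:00:00 rtech1 radiology P001",
    "2009-02-22T09:05:00 rtech1 radiology P003",
    "2009-02-22T09:07:00 rtech1 radiology P004",
    "2009-02-22T09:10:00 rtech1 radiology P005",
    "2009-02-22T09:12:00 rtech1 radiology P006",
    "2009-02-22T10:30:00 obnurse1 obstetrics P003",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for a in no_relationship(events):
        print(f"no clinical relationship: {a.user} ({a.dept}) -> {a.patient}")
    print("volume outliers:", volume_outliers(events))
```

Both rules produce review queues, not verdicts: a legitimate consult can lack an order in the relationship table, so flagged accesses go to a privacy officer, as the manager's follow-up conversation in case 1 did.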

Asked to give her view of these penalties, Jan Emerson, vice president for the California Hospital Association, says hospitals have "sophisticated technology and processes in place that flag any inappropriate access to patient information, allowing the facilities to report such breaches to the state and to take appropriate actions regarding employees involved. To our knowledge, most of the cases announced today resulted from hospitals self-reporting the breaches."

She adds, "CHA strongly supports the need to protect patient privacy. Hospitals should be held accountable to ensure that everything that can be done to protect patient privacy is done. Similarly, we believe that individuals should be held accountable for their actions. There are situations where despite the best efforts of the hospital, a rogue employee knowingly violates a patient's privacy. Those individuals should be held accountable to the fullest extent of the law."

Billingsley said the law allows state officials to take into account the locations of hospitals when imposing fines, which she did for Fremont-Rideout and San Joaquin Community Hospital in Bakersfield, both in rural areas.

She also says that more violations will probably be announced. Her office has received 3,766 reported breaches of patient medical information since the law took effect. And of those, 324 cases are under investigation and another 1,489 are pending.
