
Beware of More Stringent State HIPAA Laws

By HealthLeaders Media Staff
July 24, 2009

The alleged patient-record snoopers at Kaiser Permanente Bellflower Hospital in Los Angeles County picked the wrong state in which to snoop.

California has the most stringent patient privacy laws in the nation–stronger than new federal laws.

Last September, state leaders passed Assembly Bill 211 and Senate Bill 541.

The measures:

  • Specify penalties for unauthorized access to medical records

  • Require organizations to report privacy breaches more quickly

  • Make safeguards, such as password protection, a state requirement

  • Assign rights to enforce patient privacy violations to a new state office, the California Office of Health Information Integrity.

"California has been on the forefront of patient/medical records privacy laws, and existing California law did not completely address the issue of unauthorized access of patient medical records by employees," says Esther Chang, JD, attorney at McDermott Will & Emery, LLP, in Los Angeles.

Last week, Kaiser was slapped with a six-figure fine for failing to secure electronic patient records from snooping employees.

Investigators say one of the eight employees caught in the latest security breach in April was also involved in the earlier breach in mid-March that involved Nadya Suleman, aka the Octomom.

Current law in California is already more stringent with regard to breach notification than the provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act, says Jana Aagaard, who is of counsel at Catholic Healthcare West in Rancho Cordova, CA.

For example, Aagaard cites the requirement that a state agency and the patient be notified of a breach within five calendar days of discovery of the breach. HITECH calls for 60.

The breach of the medical records of Maria Shriver, who is Gov. Arnold Schwarzenegger's wife, all but ensured that change was coming. But some experts believe increased legislation is a bad idea that doesn't give existing laws the chance to have an effect.

"I think it's the typical knee-jerk reaction we see in all facets of government," says Kevin Beaver, CISSP, founder of Principle Logic in Acworth, GA. "Something bad happens, people complain and want to know why, and government bureaucrats think it's their duty to fix things with new laws rather than just letting existing laws be enforced."

The new laws in California may serve as insight into situations in which state governments may intervene in a more proactive manner.

"I think people are always going to do the minimum to get by," Beaver says. "This means that instituting basic information privacy and security controls will unfortunately come down to government agencies, such as the state of California forcing people into submission."

In California, the message is simple—comply, or else.

"The new laws now put the onus on healthcare providers to safeguard patient information not just from external breaches, but also from unauthorized access within their own organization," Chang says.

But will California's new laws result in real change? Beaver believes it won't change the way organizations protect information; the good organizations will continue to do a good job, and the bad ones will continue to fail.

HIPAA caused healthcare facilities to create a notice of privacy practices, secure their sign-in sheets, and document basic policies, but not much else of substance related to information security, he says.

"I see blatant violations of the HIPAA security rule all the time in my work and even when I visit the doctor," Beaver says. "It's the mentality of 'I'm going to keep doing the same old things I've been doing until I get caught.' So if many people in healthcare aren't taking [HIPAA] seriously, why would a similar state law be any different?"
