The California Department of Public Health (CDPH) has fined six hospitals and one nursing home a cumulative total of $792,500 for failing to ensure the security and privacy of patient records. These fines may be a harbinger of expanding California enforcement of medical privacy. They follow AB 211 and SB 541, two pieces of legislation signed into law by Governor Schwarzenegger in 2008 designed to improve patient privacy and address violations of these rights.
All of the incidents involved misconduct by employees in which facilities were penalized for failing to prevent access. In one case, a facility was fined for failing to ensure the physical security of stored paper records offsite when a storage locker was discovered to have a broken lock. The facility has since taken measures to transition to electronic records and store paper records in a more secure, indoor facility.
Several cases involved access to or disclosure of health records of friends, families, or coworkers after their admittance to the hospitals. The others involved identity fraud perpetrated through access to personal information. In all but one case, an administrative penalty of $25,000 was assessed for each patient whose privacy was breached, with an additional $17,500 charged for every additional violation of that patient’s rights.
The combination of public concern for records privacy and financial incentives for enforcement makes this an issue that health care providers cannot afford to take lightly. It is critical for all healthcare providers to ensure that they have policies, procedures, and all of the elements necessary to ensure compliance with both HIPAA and California law on patient privacy.