California’s Department of Public Health (CDPH) has fined nine hospitals this year for failure to prevent unauthorized access to patient medical information, as required by Section 1280.15 of California’s Health and Safety Code. The fines were issued for breaches reported in previous years. Frustratingly, the state’s web page that reports the penalties and underlying reports does not indicate the amount of the penalties, although in some cases, I have been able to dig out that information with varying degrees of confidence. Two requests sent to CDPH for additional details have not yet received replies.
Fined entities include:
Enloe Medical Center was fined after an insurance registration clerk exceeded authorized access and viewed (and in some cases printed out) information on three patients, although I cannot locate the amount of the fine on the state’s web site for that 2010 incident, Enloe Medical Center was fined for other breaches in the past, including a $250,000 fine for an incident in October 2010 involving the “breach of IT system theft/loss of edevice/medical records” and a $130,000 fine for a breach by a healthcare worker in August 2009. The medical center appealed both those fines and those cases remain open.
Huntington Memorial Hospital was fined $25,000 after an admissions clerk obtained – and misused – the cell phone number of a patient to send her a sexual text message.
Los Angeles County Sheriff’s Department – Twin Towers was fined after a dentist employed by them snooped in the file of a “high profile case” where the patient was not his patient.
California Pacific Medical Center – Pacific Campus Hospital was fined $25,000 after an employee and co-worker of a patient accessed his files without authorization. The employee subsequently told the patient what he had done. The hospital , which had detected and self-reported the incident, has appealed the penalty and the case remains open.
San Francisco General Hospital was fined $250,000 after an employee violated procedure by downloading information on 209 patients onto a personal, and unencrypted, flash drive that he took with him to a conference. The employee stated he had planned to work on the data for a report he was preparing. The flash drive, which was not even password-protected, contained the patients’ names, medical records, and procedures, and was lost at some point during the trip. The hospital has not appealed the fine, but the case is still open.
SanFrancisco General Hospital was also fined $100,000 for a case investigated in 2009. A physician had taken five patients’ infectious disease consultation forms home with him. The forms containing the patients’ names, dates of birth, and synopsis of their medical conditions were in a briefcase left in the physician’s unlocked car in his garage. Burglars robbing the house stole the briefcase from the car. The hospital has not appealed the fine, but the case is still open.
Santa Clara Valley Medical Center was fined $25,000 over a 2009 incident. In this case, an employee of a business associate providing billing services admitted to accessing two patients’ medical records without legitimate purpose because she was asked to do so by a friend.
Mercy Medical Center – Redding was fined after an EKG technician accessed the records of 29 patients in 2010 without authorization, including face sheets with their names, diagnoses, addresses, phone numbers, doctors’ names, and chief complaints. The employee said she did so out of boredom and did not print out any information. I could not determine the amount of the fine from the state’s web site, but note that the medical center paid two fines – one $250,000 and one $100,000 – over deliberate breaches of PHI by a healthcare worker. Those incidents occurred in 2009. The incident described above, however, occurred in 2010 and is likely not either of those incidents. The medical center also paid a $60,000 penalty for a 2010 breach by a healthcare worker within the facility/healthcare system, but that may not be this incident, either, as this incident said the improper access took place over a 90 day period and the 2010 breach resulting in the $60,000 fine only shows one date in March, 2010.
Rideout Memorial Hospital was fined after seven staff members inappropriately accessed the electronic medical records of a fellow member of the staff 143 times in 2010. Although I cannot be certain from the state’s site whether this was the same incident, the hospital was fined $250,000 for a 2010 incident involving the deliberate breach of PHI by a healthcare worker. The hospital did not appeal the penalty, but the case is still open. Previously, the hospital had been fined $50,000 for a breach by a healthcare worker within the facility/healthcare system. They did not appeal that fine, and that case is closed.
It seems like California is more likely to issue financial penalties than HHS. Their approach might be more effective in terms of deterrence if the penalties were issued more promptly and reported in the media so that the word gets out.