The California Department of Public Health (CDPH) announced that six California hospitals and one nursing home have been assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information.
“Medical privacy is a fundamental right and a critical component of quality medical care in California,” said Dr. Mark Horton, director of CDPH. “We are very concerned with violations of patient confidentiality and their potential harm to the residents of California.”
The following health facilities received administrative penalties:
1. Biggs Gridley Memorial Hospital, Gridley, Butte County: The hospital was assessed a $5,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by two employees on three occasions.
2. Children’s Hospital of Orange, Orange, Orange County: The hospital was assessed a $25,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by one employee.
3. Delano Regional Medical Center, Delano, Kern County: The hospital was assessed a $60,000 fine after the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by one employee on three occasions.
4. Kaweah Manor Convalescent Hospital, Visalia, Tulare County: The nursing home was assessed a $125,000 fine after the facility failed to prevent unauthorized access and use of five patients’ medical information by one employee. Previous coverage of that breach on PHIprivacy.net can be found here and here.
5. Kern Medical Center, Bakersfield, Kern County: The hospital was assessed a $60,000 fine after the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
6. Kern Medical Center, Bakersfield, Kern County: The hospital was assessed a $250,000 fine after the facility failed to prevent the theft of 596 patients’ medical information. That incident was reported to HHS and had been previously mentioned on this site here and here.
7. Oroville Hospital, Oroville, Butte County: The hospital was assessed a $42,500 fine after the facility failed to prevent unauthorized disclosure of one patient’s medical information by one employee on two occasions.
8. Pacific Hospital of Long Beach, Long Beach, Los Angeles County: The hospital was assessed a $225,000 fine after the facility failed to prevent unauthorized access and use of nine patients’ medical information by one employee.
CDPH has assessed the penalties to these facilities under new legislation intended to protect the confidentiality of medical records. CDPH has determined that the hospitals failed to prevent unauthorized access to patient medical information, as required by Section 1280.15 of the Health and Safety Code. The penalties in this release are the first of their kind issued to each of these facilities.
An administrative penalty of $25,000 may be assessed against a medical facility for the breach of each patient’s medical information. A penalty of up to $17,500 is added for each subsequent breach of each patient’s medical information.
Facilities are required to submit a plan of correction to CDPH within 10 working days and implement a plan of correction to prevent future incidents. Facilities can appeal an administrative penalty by requesting a hearing within 10 calendar days of notification. If a hearing is requested, the penalties are to be paid if upheld following appeal.
Earlier this year, and as reported previously on this site, CDPH also fined:
Enloe Medical Center (PDF)
The hospital was assessed a $130,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by seven employees. Survey findings issued by the department on 08/31/2009.
San Joaquin Community Hospital (PDF)
The hospital was assessed a $25,000 fine after the facility failed to prevent unauthorized access of three patients’ medical information by two employees. Survey findings issued by the department on 08/11/2009.
Ronald Reagan UCLA Medical Center (PDF)
757 Westwood Plaza, Los Angeles, Ca. 90095-1730 – The hospital was assessed a $95,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by four employees. Survey findings issued by the department on 09/16/2009.
Community Hospital of San Bernardino (PDF)
1805 Medical Center Drive, San Bernardino, Ca. 92411 – The hospital was assessed a $250,000 fine after the facility failed to prevent unauthorized access of 204 patients’ medical information by one employee. Survey findings issued by the department on 03/28/2009.
Community Hospital of San Bernardino (PDF)
1805 Medical Center Drive, San Bernardino, Ca. 92411 – The hospital was assessed a $75,000 fine after the facility failed to prevent unauthorized access of three patients’ medical information by one employee. Survey findings issued by the department on 03/26/2009.
Rideout Memorial Hospital (PDF)
The hospital was assessed a $100,000 fine after the facility failed to prevent unauthorized access of 33 patients’ medical information by 17 employees. Survey findings issued by the department on 07/29/2009.
It’s great that the state is fining them, but one wonders why HHS/OCR are not also fining entities for these types of breaches or even worse breaches.
h/t, AP