On June 10, 2010, the California Department of Public Health (CDPH) announced that it had issued administrative penalties and fines totaling $675,000 against five hospitals in the state. CDPH cites the facilities’ failure to prevent unauthorized access to confidential patient medical information, as required under new legislation (Section 1280.15 of California’s Health and Safety Code), as the basis for the penalties and fines.
Relevant portions of Section 1280.15 of California’s Health and Safety Code provide:
A clinic, health facility, home health agency, or hospice . . . shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information . . . The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.
CDPH Director Dr. Mark Horton commented, “Medical privacy is a fundamental right and a critical component of quality medical care in California.” His position and the actions taken by the agency highlight the need for health care providers to do more to safeguard patient records. In most of these cases, according to the CDPH announcement, multiple hospital employees accessed confidential patient medical information without the authority to do so.
However, California hospitals should not be the only entities concerned about exposure relating to unauthorized access to confidential personal information, nor is California’s Health and Safety Code the only statutory obligation to safeguard such information. Mandates to protect personal information are growing and apply to industries beyond healthcare and persons other than patients. In short, businesses in all states and industries should be reviewing, at a minimum:
- how they safeguard personal information, whether it be that of customers, patients, employees, or their dependents,
- who they permit to access personal information, and
- what their plan is in the event of unauthorized access or acquisition.
We’ve written about a number of these areas of concern:
- Pending Federal Legislation
- State Attorneys General enforcing (i) HIPAA, (ii) Deceptive and Unfair Trade Practices Laws, (iii) record destruction laws.
- Risks if You Are a Business Associate
- Criminal Penalties Under HIPAA
- State Laws Mandating Protections for Personal Information, not just medical information.
- HHS Enforcing HIPAA Following Data Breach
- Developing a Plan
Like most things, "an ounce of prevention is worth a pound of cure."