On June 10, 2010, the California Department of Public Health (CDPH) underscored the financial consequences of medical privacy violations when it announced fines totaling $675,000 against five hospitals.
The fines were imposed under the California medical privacy breach reporting law that went into effect in 2009. The majority of the breaches cited involved inappropriate access to electronic health records by employees and others who had authorization to access the hospitals’ patient information systems but abused their access rights to snoop into patient records for inappropriate purposes.
These penalties raise important questions about CDPH’s interpretation of the legal requirements for facilities to safeguard patient information, as well as its approach to assessing penalties for violations. Hospitals and other providers covered by the California breach reporting law have something to learn from these fines to minimize their own financial risks.
In 2008, Governor Arnold Schwarzenegger signed into law Senate Bill 541 to address several highly publicized instances of inappropriate access to patient information. Codified as Health and Safety Code Section 1280.15, the law requires health facilities, clinics, hospices and home health agencies to safeguard patient medical information and to prevent unauthorized access to or disclosure of it. Upon the discovery of unauthorized access or disclosure, the law requires the entity to report the event within five business days to both CDPH and the patient.
An administrative penalty of up to $25,000 may be assessed against a medical facility for the breach of each patient’s medical information. A penalty of up to $17,500 is added for each subsequent breach of each patient’s medical information. Fines cannot exceed $250,000 per reported event.
Common characteristics of the breaches
As CDPH describes them in its deficiency statements, the breach incidents shared several common characteristics:
- Except in two limited cases involving disclosure to outsiders, the incidents were specific instances where hospital employees and others who had authorized access rights to patient information abused those rights.
- All of the incidents were self-reported to CDPH by the hospitals on a timely basis. The fines did not include penalties for late reporting.
- All of the breaches were identified after the fact, either by retrospective audit, by notice from fellow employees, or by happenstance. In one case, CDPH says the hospital conceded that even retrospective auditing would not have identified a significant pattern of violations, which suggests the hospital’s audit process was ineffective.
- In several cases, the unauthorized access was committed by non-hospital personnel—employees of hospital contractors and physician office personnel.
- In virtually all cases the employees in question were shown to have received training on HIPAA and privacy obligations.
- As far as we can tell, the hospitals took appropriate, often decisive action against the offending employees, many of whom were terminated.
CDPH appears to be enforcing the law as an absolute requirement to prevent unauthorized access to patient medical information. If this is the approach, it seems inconsistent with a related provision, Health and Safety Code Section 130203, which requires health care providers to implement “appropriate administrative, technical, and physical safeguards” to protect the privacy of medical information, and to “reasonably safeguard” medical information from unauthorized access. This echoes the HIPAA standard, which recognizes the need to strike a balance between patients’ interests in privacy, on the one hand, and in receiving prompt and effective care, on the other.
In assessing fines, the law calls for CDPH to consider the facility’s history of compliance with the law and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section.
CDPH did not explain its rationale for the level of fines imposed in these specific cases. In several cases CDPH imposed the maximum fines allowed under the law, while in others they imposed fines significantly below what was allowed.
Risk reduction for providers
Unfortunately, the fines in these cases suggest that even when hospitals train their employees appropriately on privacy protection, monitor their systems for compliance, report violations when they occur, and take decisive action against offending employees, this may not be enough to avoid CDPH fines.
Still, a review of the deficiency statements issued by CDPH does provide some useful insight into measures that hospitals can take to minimize their risk of violating the law:
- Review the effectiveness of privacy training. Such training needs to stress not only the limits on disclosure of confidential patient information to third parties but also the limits on accessing patient information in the first place. Using the specific examples drawn from the recent enforcement actions should be helpful.
- Recognize the limitations of relying on retrospective audits to enforce the security of patient information. To the extent possible, hospitals should seek to tailor access rights to an individual’s job-related duties, in order to limit the risk of inappropriate access in the first place. Where it is necessary to rely on retrospective audit for enforcement, such auditing should seek to identify those instances where there is access without an appropriate business need (e.g., individuals reviewing the records of patients for whom they have no responsibility, such as a radiology tech reviewing the cases of patients who had not received any radiology services).
- Review arrangements under which contractors and physician offices have access to hospital information systems. In several cases, employees in private physician offices were said to be sharing IDs and passwords for the hospital’s health information system, thus preventing hospitals from accurately identifying the person accessing the system. In one instance a physician refused to cooperate with CDPH by refusing to identify the employee in his office who made the unauthorized access.
- Pay attention to patient information that would be particularly useful for identity theft or medical identity theft (e.g., Social Security number, driver’s license number, and Medicare number). Although CDPH did not explain its rationale for the level of fines imposed, in two cases where maximum fines were imposed CDPH expressed concern that the incidents had the potential for unauthorized persons to use patient information for identity theft or other uses not authorized by the patient.
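The two audit criteria above (access without a business need, and shared credentials that defeat attribution) can be turned into a retrospective check over the access log. The following is an added example, not code from the article or from CDPH; the log format, the department-to-service role model, the care-team mapping, the 15-minute shared-ID window and all records are constructed for illustration and would be replaced by the hospital's own data.

```python
"""Retrospective EHR access-log audit (added example; all data constructed).

Flags two things the deficiency statements describe:
  1. access to a chart by someone whose department never treated the patient
     and who is not on the patient's care team (e.g. a radiology tech opening
     obstetrics charts, or a security guard opening any chart);
  2. the same user ID active from different workstations within a short
     window, a sign that a login is being shared.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role model: which clinical services each department has a
# business need to see. Guards see the census (name and room) only.
DEPT_SERVICES = {
    "radiology": {"radiology"},
    "obstetrics": {"obstetrics"},
    "security": set(),
}

# Constructed encounter data: services that treated each patient, and the
# individual users (e.g. attending physicians) on the patient's care team.
PATIENT_SERVICES = {
    "P100": {"obstetrics"},
    "P101": {"radiology", "obstetrics"},
    "P102": {"obstetrics"},
}
PATIENT_CARE_TEAM = {
    "P101": {"drsmith"},
}

# Constructed access log: (user, department, patient, workstation, ISO timestamp)
ACCESS_LOG = [
    ("rtech1", "radiology", "P101", "RAD-WS1", "2010-03-01T09:00:00"),
    ("rtech1", "radiology", "P100", "RAD-WS1", "2010-03-01T09:05:00"),
    ("rtech1", "radiology", "P102", "RAD-WS1", "2010-03-01T09:07:00"),
    ("guard3", "security", "P100", "SEC-WS1", "2010-03-02T22:10:00"),
    ("drsmith", "physician", "P101", "OFF-WS1", "2010-03-03T10:00:00"),
    ("drsmith", "physician", "P102", "OFF-WS2", "2010-03-03T10:03:00"),
]

# Assumed window: two workstations under one ID this close together is suspicious.
SHARED_ID_WINDOW = timedelta(minutes=15)


def has_business_need(user, dept, patient):
    """True if the user is on the care team or the user's department treated the patient."""
    if user in PATIENT_CARE_TEAM.get(patient, set()):
        return True
    return bool(DEPT_SERVICES.get(dept, set()) & PATIENT_SERVICES.get(patient, set()))


def audit(log):
    """Return findings keyed by type, each naming the user, patient/workstations and time."""
    findings = {"no_business_need": [], "shared_credential": []}
    last_seen = {}  # user -> (workstation, datetime) of that user's previous access
    for user, dept, patient, ws, ts in sorted(log, key=lambda r: r[4]):
        when = datetime.fromisoformat(ts)
        if not has_business_need(user, dept, patient):
            findings["no_business_need"].append((user, patient, ts))
        prev = last_seen.get(user)
        if prev and prev[0] != ws and when - prev[1] <= SHARED_ID_WINDOW:
            findings["shared_credential"].append((user, prev[0], ws, ts))
        last_seen[user] = (ws, when)
    return findings


def users_over_threshold(findings, threshold=2):
    """Users whose no-business-need accesses reach the threshold: a pattern, not a one-off."""
    counts = defaultdict(int)
    for user, _, _ in findings["no_business_need"]:
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    result = audit(ACCESS_LOG)
    for kind, items in result.items():
        print(kind)
        for item in items:
            print("  ", item)
    print("pattern users:", users_over_threshold(result))
```

On the constructed log this flags the radiology tech's two obstetrics accesses, the guard's chart access and the physician-office access to a patient outside that physician's care team, and separately flags the physician's ID for appearing on two workstations three minutes apart. Random sampling of "sensitive" charts, which is what the hospital in the $250,000 case relied on, would not have surfaced the tech's pattern; a relationship check over every access does.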
Penalties were levied against five different hospitals; one hospital was fined for two separate instances of unauthorized access. As CDPH describes the incidents:
Hospital 1—fine: $75,000
An employee in the hospital’s admissions office allowed a visitor to sit at his workstation inside the admissions department where the visitor was able to observe and overhear the employee’s conversation with three different patients during the registration process. CDPH noted that the incidents had the potential for unauthorized persons to use patient information for identity theft or other uses not authorized by the patient. The fine of $75,000 was the maximum allowed under the law (3 x $25,000).
Hospital 1—fine: $250,000
Over a two-month period, a radiation tech employed by the hospital accessed the records of more than 200 mostly obstetrical patients, none of whom had received any radiation services. The employee told CDPH she had lost a baby because she was on drugs and wanted to see what pregnant mothers treated at the hospital did to get help. She conceded she was aware that accessing the records was a violation of confidentiality.
The hospital told CDPH that it had no way to limit the access of persons with authorization to access patient records. The hospital relied on a “pop-up” screen when employees signed into the network, which warned them that they were accessing restricted information and that improper use of the information could result in disciplinary action. The hospital also conducted random audits of access to records considered sensitive or with unusual diagnoses. The hospital conceded that the measures it had in place would not have uncovered the employee’s access to these records, which was discovered only when the hospital’s system came under scrutiny for unrelated technical reasons.
CDPH noted that the incidents had the potential for unauthorized persons to use patient information for identity theft or other uses not authorized by the patient. The agency also noted that the hospital’s policy did not address the prevention of unauthorized electronic access to patient information.
Hospital 2—fine: $25,000
This case involved the misfiling of hard copies of lab results of two patients into the chart of a third patient, which was then released to the attorneys involved in a lawsuit against the hospital by the third patient. The hospital had a redundant process for checking hard copy records to avoid misfilings and stated that the analyst who worked on this record was known to be particularly thorough, so it could not explain the event.
Hospital 3—fine: $95,000
This case involved the unauthorized access to the records of a deceased patient by two hospital employees and two employees of a hospital contractor (pathology billing service). Three of the employees made a single unauthorized access; one of the contractor employees accessed the patient’s chart twice. The two hospital employees had signed confidentiality agreements stating that they would access confidential information to the minimum extent necessary for their assigned duties, and the contractor employees had signed their employer’s HIPAA procedure guidelines. All four employees were terminated. The fine was slightly below the maximum allowed by the California law.
Hospital 4—fine: $100,000
This case involved the unauthorized access to the records of 33 hospital patients by 17 hospital-employed security guards over seven months. The security guards were supposed to have had access only to information listing the name and room number of patients, but due to an error they were able to access and review additional information in the records of the 33 patients. The four guards who were interviewed by CDPH conceded that they received HIPAA training but said while the training emphasized that patient information should not be shared with unauthorized persons, the training was not specific as to who could access records. The fine here was significantly below the maximum allowed under the law.
Hospital 5—fine: $130,000
This case involved seven instances of unauthorized access discovered by a hospital during an audit of a “high-profile” patient. One instance involved a hospital employee, another involved an employee of the hospital’s collection agency, and the other five instances involved access by employees of physician offices, which had established connections to the hospital’s electronic health record.
In two of the physician offices, employees stated that they had shared login IDs and passwords so that it was not possible to identify which person in the office had accessed the patient’s record. In one case the physician indicated that he knew who had accessed the record but refused to divulge the employee’s identity to CDPH.
Plans of correction and appeals
In addition to the fines, facilities are required to submit a plan of correction to CDPH within 10 working days and to implement it to prevent future incidents. Facilities can appeal an administrative penalty by requesting a hearing within 10 calendar days of notification. If a hearing is requested, the penalty becomes payable only if it is upheld after the hearing.