Last month the California Department of Public Health (“CDPH”) issued privacy breach fines to seven California health facilities.  Six California hospitals and one nursing home were assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information.  The agency is concerned that violations of patient confidentiality may harm the residents of California.
The violations were for the failure to:

  • prevent unauthorized access of one patient’s medical information by two employees on three occasions ($5,000);
  • prevent unauthorized access of one patient’s medical information by one employee ($25,000);
  • prevent unauthorized access and disclosure of one patient’s medical information by one employee on three occasions ($60,000);
  • prevent unauthorized access and use of five patients’ medical information by one employee ($125,000);
  • prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions ($60,000);
  • prevent the theft of 596 patients’ medical information ($250,000);
  • prevent unauthorized disclosure of one patient’s medical information by one employee on two occasions ($42,500); and
  • prevent unauthorized access and use of nine patients’ medical information by one employee ($225,000).

The penalties were assessed under new California legislation intended to protect the confidentiality of medical records.  CDPH has determined that the hospitals failed to prevent unauthorized access to patient medical information, as required by Section 1280.15 of the Health and Safety Code. The new law allows the assessment of an administrative penalty of $25,000 against a medical facility for the breach of each patient’s medical information.  A penalty of up to $17,500 is added for each subsequent breach of each patient’s medical information.
These penalties in California emphasize the increased importance of establishing an effective compliance program where confidential patient information is used or maintained.  Section 6401 of the Affordable Care Act requires all Medicare and Medicaid providers and suppliers to establish a compliance program as a condition of participation.