Security breaches prove costly for California hospitals

Mike Miliard, Editor, Healthcare IT News

The California Department of Public Health announced this month that five hospitals were assessed administrative fines and penalties totaling $675,000 after it was determined they'd failed to prevent unauthorized access to confidential patient medical information.

"Medical privacy is a fundamental right and a critical component of quality medical care in California," said Mark Horton, director of the CDPH. "We are very concerned with violations of patient confidentiality and their potential harm to the residents of California."

The following hospitals were fined:

  • Community Hospital of San Bernardino, which was assessed a $250,000 fine after the facility failed to prevent unauthorized access of 204 patients’ medical information by one employee. The hospital was also assessed a $75,000 fine after it failed to prevent unauthorized access of three patients’ medical information by one employee.
  • Enloe Medical Center, in Chico, which was assessed a $130,000 fine after it failed to prevent unauthorized access of one patient’s medical information by seven employees.
  • Rideout Memorial Hospital, in Marysville, which was assessed a $100,000 fine after it failed to prevent unauthorized access of 33 patients’ medical information by 17 employees.
  • Ronald Reagan UCLA Medical Center, in Los Angeles, which was assessed a $95,000 fine after it failed to prevent unauthorized access of one patient’s medical information by four employees.
  • San Joaquin Community Hospital, of Bakersfield, which was assessed a $25,000 fine after it failed to prevent unauthorized access of three patients’ medical information by two employees.

The CDPH assessed the penalties under new legislation intended to protect the confidentiality of medical records – Section 1280.15 of California's Health and Safety Code.

An administrative penalty of $25,000 may be assessed against a medical facility for the breach of each patient’s medical information, with a penalty of up to $17,500 to be added for each subsequent breach of each patient’s medical information.

Facilities are required to submit a plan of correction to the CDPH within 10 working days and implement a plan of correction to prevent future incidents. Facilities can appeal an administrative penalty by requesting a hearing within 10 calendar days of notification. If a hearing is requested, the penalties are to be paid if upheld following appeal.

All hospitals in California are required to be in compliance with applicable state and federal laws and regulations governing general acute care hospitals.