"We are concerned that the manner in which CDPH is levying the fines could do more to discourage reporting of breaches rather than to truly strengthen patient privacy," he said.
5. Fremont-Rideout Memorial Hospital in Marysville received a $100,000 fine after the facility failed to protect 33 patients' medical information, which was accessed by 17 security guards employed by the facility after one employee failed to log off his computer, according to state documents. One staff member told state officials that "it was never made as to why they should log off the terminal when away from it other than it was 'proper etiquette.' (The staff member) then stated, 'it doesn't matter anyway, so many of us know each other's passwords.'"
Hospital officials issued a statement saying, "We take very seriously our obligation to safeguard the personal health information of our patients but ultimately there is a human element and sometimes human failings. When we discovered the breach, we immediately terminated access to information, acted quickly to complete an audit and thorough investigation, and notified the state.
"As a result of the investigation last year and in accordance with our policies regarding patient privacy, we disciplined and terminated a number of individuals consistent with the extent of their actions."
6. San Joaquin Community Hospital in Bakersfield was fined $25,000 when it failed to prevent unauthorized access of three patients' medical information by two employees, according to state documents.
Donna Haberkern, San Joaquin's risk manager and patient safety officer, says that the violations involved the misplacement of three patients' lab results into a fourth patient's file folder, which was sent to three attorneys who needed it for a case. "We immediately notified the patients involved that there had been a breach, and took steps to minimize the risk of that reoccurring."
She added that the results "were not of a highly sensitive nature; they weren't results of HIV or toxicology reports, just basic blood counts and electrolyte levels, that kind of thing."
Asked to give her view of these penalties, Jan Emerson, vice president for the California Hospital Association, says hospitals have "sophisticated technology and processes in place that flag any inappropriate access to patient information, allowing the facilities to report such breaches to the state and to take appropriate actions regarding employees involved. To our knowledge, most of the cases announced today resulted from hospitals self-reporting the breaches."
She adds, "CHA strongly supports the need to protect patient privacy. Hospitals should be held accountable to ensure that everything that can be done to protect patient privacy is done. Similarly, we believe that individuals should be held accountable for their actions. There are situations where despite the best efforts of the hospital, a rogue employee knowingly violates a patient's privacy. Those individuals should be held accountable to the fullest extent of the law."
Billingsley said the law allows state officials to take into account the locations of hospitals when imposing fines, which she did for Fremont-Rideout and San Joaquin Community Hospital in Bakersfield, both in rural areas.
She also says that more violations will probably be announced. Her office has received 3,766 reported breaches of patient medical information since the law took effect. And of those, 324 cases are under investigation and another 1,489 are pending.