Kaiser Permanente Bellflower Hospital in Los Angeles has been assessed a $250,000 fine because 23 employees at a number of Kaiser facilities with access to electronic medical records unlawfully breached the privacy of a patient who gave birth to octuplets earlier this year.
It is the first fine of its kind under a new state law that went into effect Jan. 1 designed to protect patient privacy, state officials said today.
Under another state law, the 23 individuals who engaged in the breach were referred for investigation and other charges could be filed by another state agency, the Office of Health Information Integrity. There also is the possibility that those responsible could see the loss or suspension of their medical licenses.
"As a byproduct of that investigation, Kaiser terminated one employee, 14 resigned, and eight received disciplinary action," said Kathleen Billingsley of the California Department of Public Health, Center for Health Care Quality.
Billingsley said that after Kaiser became aware of the breach, it put a banner on computer monitors warning providers "that if they are accessing medical records, they must have authorization and a need to do so."
"But six of the breaches occurred after the confidential banner was in place," Billingsley said. "Seven employees accessed it more than once."
Asked what else hospitals can do, she suggested possibly requiring anyone accessing a medical record to insert a code. "I would go in there and indicate through my code that I'm accessing that record, so there's immediately a link between myself as a healthcare professional that I am accessing that record."
She said other solutions may be found through innovative software security measures.
According to the state investigation's statement of deficiency, the employees who accessed the record "had no business to know. Had no permission to look" at her medical record.
Kaiser is now required to produce a plan of correction that must be accepted by the state. It can appeal the decision, although it is not known whether it will.
Billingsley and Mark Horton, MD, director, California Department of Public Health, made the announcement with stern language that future violations will not be tolerated. "Medical privacy is a fundamental right," he said. "Patients should not have to worry about who is viewing their private confidential information. That is critical."
The $250,000 fine is the highest allowed for such a violation under legislation that took effect Jan. 1. The law was enacted after numerous confidentiality breaches involving celebrities, such as Farrah Fawcett.
Additional fines of $17,500 may be assessed for subsequent violations by the same hospital.
State officials did not say whether any of the individuals known to have improperly accessed the patient's medical record were responsible for leaks to news media. But the ensuing publicity identified the patient as Nadya Suleman, who gave birth to octuplets in January.