Laws bolster penalties for privacy breaches in California

In the wake of multiple high-profile cases of snooping, the state cracks down on unauthorized looks at medical files.

By Pamela Lewis Dolan — Posted Dec. 1, 2008


Eyes will be on California starting next year, but they won't be peeking into medical records.

At least that's Gov. Arnold Schwarzenegger's hope; in September he signed into law two bills that put some teeth into patient privacy rules and give doctors good reason to comply.

Under the new laws taking effect Jan. 1, 2009, the state has significantly increased fines not only for the illegal use of medical records but also for unauthorized access of records. The laws also open the door for patients to sue doctors when their records are accessed, even if there is no damage.

Other states have privacy laws that require notification of a breach, but the California bills are thought by experts to be the first to place a strong focus on enforcement.

Experts predict California's actions will lead to more states following suit, as well as tougher enforcement of HIPAA privacy and security rules, which have gone largely unenforced since they took effect in 2003 and 2005, respectively.

For physicians, "the idea behind all this is don't wait until the 500-pound gorilla is pounding on your door," said attorney Peter MacKoul, president of Sugar Land, Texas-based HIPAA Solution, a consultancy that helps practices become HIPAA-compliant. "It's called preventative action."

About the same time the California governor signed the two patient privacy bills into law, a report published by the California Health Dept. found snooping incidents at the UCLA Medical Center were much worse than initially thought. The study found that since 2003, hospital workers inappropriately accessed the electronic medical records of 1,041 patients, including those of California first lady Maria Shriver. Some of those employees were feeding celebrity information to the media, the report said.

Both of the new state laws require that medical facilities safeguard patient records and implement controls that would prevent not only malicious theft of patient information but also unauthorized access.

Under SB 541, if a snooping incident like those at UCLA occurs, the hospital must notify the patient within five days. If it fails to do so, fines of $100 per patient per day can be imposed, up to a total of $250,000.

Under AB 211, which deals with individual physicians and other health care professionals, patients can collect damages up to $1,000. And licensed health care workers who violate the law could receive a civil penalty of up to $25,000 per violation; any person or entity that uses records for financial gain could receive a penalty up to $250,000. SB 541 also created the Office of Health Information Integrity, which will be responsible for the enforcement of the laws.

The California Medical Assn. initially rejected AB 211 for being too vague. Amendments were made to allow enforcement officials to consider the size and complexity of the physician practice when deciding on remediation for violations. The bill then gained CMA's support.

"It allows some customization to make sure the goal is to educate and train and make sure the physician can meet the requirement of the law," said Teresa Kline, associate director for CMA Government Relations. The CMA issued no opinion on the Senate bill.

The American Medical Association has not analyzed the California bills. It has policy supporting patient privacy that instructs physicians to obtain patient permission before releasing information to the media or any other unauthorized person not involved with the care of that patient.

Privacy experts say many physicians haven't done much beyond drafting a policy, and enforcement of HIPAA's privacy and security rules has been virtually nonexistent. Enforcement is the responsibility of the Office of Civil Rights, which receives no budget for enforcement activities.

In an October report to the Centers for Medicare & Medicaid Services, Inspector General Daniel R. Levinson wrote that "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that [electronic personal health information] was being adequately protected."

Richard Cauchi, health program director for the National Conference of State Legislatures, expects to see federal legislation introduced that will address these issues, but expects more states to take matters into their own hands first. The NCSL is a bipartisan research group that does not take positions on legislative matters.

"I think there is a possibility for federal laws to change. But there is a different pace of action for federal laws. Whereas states can look at something and if there is desire for change ... states can act quickly and achieve bipartisan consensus in a short period of time," he said.


Eye on snooping

Six reports by the California Dept. of Public Health found snooping at the University of California, Los Angeles, Medical Center was worse than first thought. The incidents involve more than 100 employees and more than 1,000 patients. Summaries are paraphrased from the reports:

April 4 report stemming from March 17 investigation: An audit found six employees inappropriately accessed a celebrity's records in September 2005. The same celebrity was admitted on Jan. 31, and a total of 55 employees, including eight physicians, inappropriately accessed the patient's old file from September 2005. Hospital admits on March 17 that the incidents were not reported to Dept. of Public Health, as required by state law.

April 4 report stemming from March 18 investigation: Nineteen hospital personnel and five medical staff inappropriately accessed a celebrity record and that of her child between Sept. 14, 2005, and Sept. 15, 2005. One employee attempted to access inappropriately the files of the same celebrity on Jan. 1 but instead found the celebrity's September 2005 file.

April 28 report stemming from April 3 investigation: An investigation found one employee accessed the records of 61 patients from July 1, 2006, to May 21, 2007. Some were celebrities, others were hospital employees. The offender was authorized to access the files but had no reason to do so. A co-worker's ID and password were used in more than half the incidents. The same investigation found 13 other employees (including three physicians) accessed one celebrity's records between July 1, 2006, and May 21, 2007. At least one employee accessed records from home after the patient was released.

July 3 report stemming from May 16 investigation: Two employees accessed a celebrity's record in May 2005 and again in November 2005. Another employee accessed the same celebrity's file 21 times between Oct. 28, 2004, and Nov. 9, 2004. It was later found the same employee accessed the files of 939 patients between April 13, 2003, and May 21, 2007. Three employees looked at the record of a celebrity who was in the hospital's emergency department on April 18.

Source: California Dept. of Public Health
