The Spirit of Holiday Giving, er, Penalties…
The California Department of Public Health (CDPH) will be collecting a whopping $667,000 in administrative fines and penalties from six hospitals charged with privacy violations. The CDPH imposed penalties ranging from $5,000 to $250,000 on the hospitals under new privacy and confidentiality regulations enacted in 2008 aimed at cracking down on widespread patient privacy violations. Under the new legislation, penalties may be assessed for violations up to $25,00 per patient whose information was accessed, used or disclosed improperly and up to $17,500 for subsequent violations.
By far the most astounding of violations was Kern Medical Center which was hit with a $250,000 penalty after the theft of laboratory reports from storage lockers used for distribution of the reports. A staff member had placed daily laboratory reports in storage lockers that were no longer on the premises of the hospital but outside and accessible to the general public. He was aware that the locks were not functioning and that the locker door was broken, a condition that the storage locker had been in for several months. Although the Privacy Officer alleged that keeping the reports in the outside lockers was not a hospital permitted practice, it appeared to have been occurring for some time. Another hospital was assessed a $225,000 penalty for failing to prevent unauthorized access and use of patient information by a hospital employee who had memorized the information while purging older hospital records in order to help other individuals open fake Verizon accounts.
The imposition of these fines and penalties impress even out-of-state hospitals with the importance of securing both paper and electronic health information. From safeguarding computer printouts such as laboratory reports to preventing unauthorized access to or uses of electronic health information, hospitals must be vigilant and proactive in safeguarding patient information. Not only must hospitals monitor access to and uses of patient information, but they must also continue to educate and re-educate staff on confidentiality and security policies, conduct periodic audits and physical security sweeps, and strictly enforce all policies by imposing sanctions where appropriate.
The full CDPH press release may be found at http://www.cdph.ca.gov/Pages/NR10-92.aspx.