The Los Angeles Times’ Patrick McGreevy reports on the California Legislature’s response to multiple reports throughout 2008 of unauthorized access to medical records. According to some reports, Governor Schwarzenegger has taken a personal interest in the new legislation after his wife, Maria, was among several celebrity patients whose records were accessed, leaving little doubt that the bills will be signed into law and will take effect as planned in January 2009.
One of the bills, A.B. 211, establishes a new agency, the Office of Health Information Integrity (OHII), and empowers it to levy administrative penalties against healthcare providers (individuals and entities) for violations of new Health & Safety Code § 130203, which requires “[e]very provider of health care” to “implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information” and to “reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use or disclosure.” OHII is authorized to impose the penalties established in the Confidentiality of Medical Information Act (Civil Code § 56 et seq.) for such violations. OHII is also authorized to send recommendations and evidence to the Medical Board (or other appropriate licensing entity) for “further investigation or discipline”; those transmissions will be deemed “investigative communications” protected from public disclosure under Government Code § 6254.
The other bill, S.B. 541, creates a new administrative penalty for hospitals, home health agencies, hospices and licensed clinics that fail to “prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information.” The penalty for a violation is $25,000 per patient, with a cap of $250,000 “per reported event.” The fine is to be levied by the Department of Health Care Services (DHCS), which must consider a number of factors, including the provider’s history of compliance, the extent to which the provider detected violations and took immediate steps to correct them and prevent them from recurring, and factors beyond the provider’s immediate control that restricted the facility’s ability to comply with the law. In addition, once the provider determines that a violation has occurred, it must notify both DHCS and the patient(s) whose medical information was unlawfully accessed, used or disclosed within five days of discovering the access, use or disclosure. Failure to notify the patient in a timely manner can result in an additional penalty of $100 per day until notification is made (subject to the same $250,000 cap).
Recommended Action: Providers need to ensure that safeguards are in place to prevent breaches of patient confidentiality. Until the UCLA Medical Center cases, snooping in medical records had failed to attract serious attention. In light of the sustained public interest and the resulting governmental attention to invasions of patient privacy, it is reasonable to expect a surge in patient complaints and in investigations and enforcement actions by the newly created OHII, the Medical Board, and other licensing agencies. Providers need to ensure that they are in strict compliance with the requirements of HIPAA and the CMIA.
Harry Nelson is a partner in Fenton & Nelson, LLP. Fenton & Nelson counsels healthcare providers on HIPAA, CMIA, and other compliance issues. For additional information, please contact Fenton & Nelson at harry@fentonnelson.com.
©Harry Nelson 2008