CDPH Fines Nine Hospitals $915,100

Facilities Penalized For Breaches of Patient Health Data
Ron Shinkman

The California Department of Public Health (CDPH) has levied penalties and fines against nine hospitals totaling $915,100 for breaching state patient confidentiality laws.

The penalties, which ranged from $2,500 to $250,000, were for incidents that occurred between 2011 and 2013. All of the incidents involved employees who were either negligent in handling records or deliberately violated rules for the purpose of obtaining personal or workplace information.

Under California law, the agency has the ability to fine a healthcare provider up to $25,000 for each specific breach of patient healthcare information. The financial penalties levied are usually based on the severity of the breach and the violator's ability to pay the fine.

Altogether, CDPH has fined 16 hospitals more than $2 million in 2015 to date.

The most serious breach among the nine most recently disclosed by CDPH involved Los Angeles County-Harbor UCLA Medical Center for a 2012 incident involving a clerical employee. The employee had either thrown away the medical records of 246 patients or hidden them away in her work area due to what the CDPH report termed “laziness.” Transit workers discovered some of the records in a trash receptacle at a bus stop. The employee's supervisor was unaware anything was amiss, even though she had apparently greatly exceeded the hourly quotas for filing documents.

UCLA-Harbor was fined $250,000 for the incident, which is generally the maximum CDPH will impose on a violator. The hospital also agreed to a remediation policy by more closely monitoring what documents need to be filed. The employee was transferred to another department where she did not have to file any patient documents, records show. A spokesperson from the Los Angeles County Department of Health Services said all patients were notified and the employee was “discharged from county service.”

Lucile Salter Packard Children's Hospital in Palo Alto was also fined $250,000 for a 2012 incident in which a physician who had transferred data of 45 patients to an unencrypted flash drive lost the device. There was no evidence that the patient data was actually compromised in any way, records show.

Dominican Hospital in Santa Cruz was fined $247,600 for a 2013 incident in which a nurse working in the radiology department had coaxed a colleague to look up specific patient logs to determine who had been assigned to work on days the employee had been scheduled to work but was told not to report. Altogether, it was determined that the health information of 29 patients was breached. A significant portion of the penalty was due to the fact that Dominican officials were aware that the patients' records had been breached but notification was not sent within five days of its discovery so staff could conduct an investigation. The nurse was disciplined and received refresher training but was not terminated.

Queen of the Valley Medical Center in Napa was fined $77,500 for a 2011 incident in which a hospital employee was admitted to the intensive care unit. Five hospital employees, including one who had worked for the facility for 50 years, looked up the patient's medical records to determine the reasons behind the admission. At least one employee said the action was an “emotional response” and knew it was wrong immediately, and another said they did so to determine how the patient was doing. Another said they had accessed the record accidentally, and another said another employee might have accessed the record while they had left their work station. Two of the employees received brief suspensions, and all received counseling.

Stanford Hospital & Clinics was fined $50,000 for a 2013 incident when a physician authoring a textbook inadvertently sent to his publisher for formatting two images that contained patient names and diagnoses. The physician immediately reported the breach, and it was determined likely that no one actually saw the images in question. The physician received additional training in de-identifying patient information.

San Francisco General Hospital was fined $25,000 for a 2012 incident in which a hospital employee accessed patient records in order to obtain an address of a former boyfriend to serve him court papers. The patient complained when she received an envelope addressed to her but at her boyfriend's address. 

The CDPH report said the action was “an intentional and malicious breach of protected health information.” The employee was suspended and later resigned. She is barred from seeking employment with the city and county of San Francisco. 

Two Planned Parenthood clinics in Northern California were fined a total of $5,000 for two separate breaches. Planned Parenthood of the North Valley in Chico was fined $2,500 for a 2011 incident in which an employee looked up the medical record of a woman who had previously dated her boyfriend. The employee then sent anonymous texts to the patient about her medical record. The employee was fired.

Planned Parenthood Napa Center was fined $2,500 for a 2012 incident in which a receptionist looked up the results of a patient's pregnancy test out of curiosity. The receptionist then notified a patient's family member of the results. The receptionist was immediately terminated.

According to the CDPH, it has issued administrative penalties to 90 hospitals accompanied by fines totaling just under $8.6 million. Of that sum, $4.035 million has been collected. A total of 20 penalties are being appealed by hospitals, including the recent citations to Queen of the Valley Medical Center, Sierra Nevada Memorial Hospital, Lucile Packard Children's Hospital at Stanford, Stanford Hospital, and Dominican Hospital.

News Region: California
Keywords: CDPH, hospitals, privacy breach