First enforcement of new California medical privacy provisions: $250,000 fine imposed

On May 14, 2009, the California Department of Public Health issued an Administrative Penalty Notice to the Kaiser Foundation Hospital — Bellflower for patient medical information privacy violations. Although the state did not identify the affected patient by name, the facts and circumstances described in the Notice correspond to the case of Nadya Suleman, the single mother of six who gave birth to octuplets at Bellflower in January 2009. The hospital was fined $250,000 for failure to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information as required by new provisions recently added to California’s Health and Safety Code. California law also requires health care providers and facilities to notify the Department of any unlawful or unauthorized access to patient medical information within five days of detecting such access. These provisions were reportedly enacted in the wake of several high-profile health data compromises at California health care facilities involving celebrities such as Farrah Fawcett, Britney Spears and California first lady Maria Shriver.  

Since California’s new privacy provisions came into effect on January 1, 2009, hospitals have reported approximately 300 incidents of inappropriate or unauthorized disclosure of patient information. The Bellflower facility is the first to be sanctioned. Whereas other reported breaches have tended to be inadvertent or negligent in nature, in this case, the agency found that the violations were deliberate, extended beyond the Bellflower facility, and continued even after Kaiser informed regulators that it had suffered a breach. The penalties applicable to Kaiser exceeded the statutory maximum of $250,000 per reported incident, including a $25,000 fine per patient whose medical information was unlawfully accessed (one, in this case), plus a $17,500 fine for each of the 22 subsequent occurrences of unlawful or unauthorized access to that patient’s medical information. Kaiser may appeal the penalty by requesting a hearing within 10 calendar days of notification.  

In addition to the monetary penalty, Kaiser was subject to an exit conference with state inspectors who visited the facility to determine compliance with state licensing regulations. Kaiser is required to submit a plan of correction for each deficiency noted, including: (1) how each correction will be accomplished, both temporarily and permanently; (2) the title or position of the person responsible for corrections; (3) a description of the monitoring process that will be implemented to prevent recurrence of deficiencies; and (4) the date the deficiency will be corrected. Kaiser must provide the plan within 15 calendar days of receiving the agency’s statement of deficiencies (issued May 14, 2009), and “immediate correction of the deficiency” is expected to occur no more than 30 days from the date of the exit conference.  

The Administrative Penalty Notice is available here.