American Medical News
BUSINESS

Laws bolster penalties for privacy breaches in California

In the wake of multiple high-profile cases of snooping, the state cracks down on unauthorized looks at medical files.

By Pamela Lewis Dolan, amednews staff. Dec. 1, 2008.


Eyes will be on California starting next year, but they won't be peeking into medical records.

At least that's Gov. Arnold Schwarzenegger's hope; in September he signed into law two bills that put some teeth into patient privacy rules and give doctors good reason to comply.

Under the new laws taking effect Jan. 1, 2009, the state has significantly increased fines not only for the illegal use of medical records but also for unauthorized access of records. The laws also open the door for patients to sue doctors when their records are accessed, even if there is no damage.

Other states have privacy laws that require notification of a breach, but the California bills are thought by experts to be the first to place a strong focus on enforcement.

Experts predict California's actions will lead to more states following suit, as well as tougher enforcement of HIPAA privacy and security rules, which have gone largely unenforced since they took effect in 2003 and 2005, respectively.


For physicians, "the idea behind all this is don't wait until the 500-pound gorilla is pounding on your door," said attorney Peter MacKoul, president of Sugar Land, Texas-based HIPAA Solution, a consultancy that helps practices become HIPAA-compliant. "It's called preventative action."

About the same time the California governor signed the two patient privacy bills into law, a report published by the California Health Dept. found snooping incidents at the UCLA Medical Center were much worse than initially thought. The study found that since 2003, hospital workers inappropriately accessed the electronic medical records of 1,041 patients, including those of California first lady Maria Shriver. Some of those employees were feeding celebrity information to the media, the report said.

Both of the new state laws require that medical facilities safeguard patient records and implement controls that would prevent not only malicious theft of patient information but also unauthorized access.

Under SB 541, if a snooping incident like those at UCLA occurs, the hospital must notify the patient within five days and if it fails to do so, fines of $100 per patient per day can be imposed, up to a total of $250,000.

Under AB 211, which deals with individual physicians and other health care professionals, patients can collect damages up to $1,000. Licensed health care workers who violate the law could receive a civil penalty of up to $25,000 per violation, and any person or entity that uses records for financial gain could receive a penalty of up to $250,000. SB 541 also created the Office of Health Information Integrity, which will be responsible for enforcing the laws.

The California Medical Assn. initially rejected AB 211 for being too vague. Amendments were made to allow enforcement officials to consider the size and complexity of the physician practice when deciding on remediation for violations. The bill then gained CMA's support.


"It allows some customization to make sure the goal is to educate and train and make sure the physician can meet the requirement of the law," said Teresa Kline, associate director for CMA Government Relations. The CMA issued no opinion on the Senate bill.

The American Medical Association has not analyzed the California bills. It has policy supporting patient privacy that instructs physicians to obtain patient permission before releasing information to the media or any other unauthorized person not involved with the care of that patient.

Privacy experts say many physicians haven't done much beyond drafting a policy, and enforcement of HIPAA's privacy and security rules has been virtually nonexistent. Enforcement is the responsibility of the Office of Civil Rights, which receives no budget for enforcement activities.

In an October report to the Centers for Medicare & Medicaid Services, Inspector General Daniel R. Levinson wrote that "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that [electronic personal health information] was being adequately protected."

Richard Cauchi, health program director for the National Conference of State Legislatures, expects to see federal legislation introduced that will address these issues, but expects more states to take matters into their own hands first. The NCSL is a bipartisan research group that does not take positions on legislative matters.

"I think there is a possibility for federal laws to change. But there is a different pace of action for federal laws. Whereas states can look at something and if there is desire for change ... states can act quickly and achieve bipartisan consensus in a short period of time," he said.



ADDITIONAL INFORMATION

Eye on snooping

Six reports by the California Dept. of Public Health found snooping at the University of California, Los Angeles, Medical Center was worse than first thought. The incidents involve more than 100 employees and more than 1,000 patients. Summaries are paraphrased from the reports:

April 4 report stemming from March 17 investigation: An audit found six employees inappropriately accessed a celebrity's records in September 2005. The same celebrity was admitted on Jan. 31, and a total of 55 employees, including eight physicians, inappropriately accessed the patient's old file from September 2005. The hospital admitted on March 17 that the incidents had not been reported to the Dept. of Public Health, as required by state law.

April 4 report stemming from March 18 investigation: Nineteen hospital personnel and five medical staff inappropriately accessed a celebrity's record and that of her child between Sept. 14, 2005, and Sept. 15, 2005. One employee inappropriately attempted to access the files of the same celebrity on Jan. 1 but instead found the celebrity's September 2005 file.

April 28 report stemming from April 3 investigation: An investigation found one employee accessed the records of 61 patients from July 1, 2006, to May 21, 2007. Some were celebrities, others were hospital employees. The offender was authorized to access the files but had no reason to do so. A co-worker's ID and password were used in more than half the incidents. The same investigation found 13 other employees (including three physicians) accessed one celebrity's records between July 1, 2006, and May 21, 2007. At least one employee accessed records from home after the patient was released.

July 3 report stemming from May 16 investigation: Two employees accessed a celebrity's record in May 2005 and again in November 2005. Another employee accessed the same celebrity's file 21 times between Oct. 28, 2004, and Nov. 9, 2004. It was later found the same employee accessed the files of 939 patients between April 13, 2003, and May 21, 2007. Three employees looked at the record of a celebrity who was in the hospital's emergency department on April 18.

Source: California Dept. of Public Health (www.cdph.ca.gov)

Copyright 2008 American Medical Association. All rights reserved.