A breach of octuplet mom Nadya Suleman’s medical records has resulted in multiple firings and sanctions at a California hospital, according to the Los Angeles Times. The breach is an early test of California’s stringent new privacy laws.
Kaiser Permanente reported firing 15 employees and disciplining eight others for peeking at Suleman’s medical records. The breaches at Kaiser’s Bellflower Medical Center near Los Angeles were discovered approximately two weeks ago and reported to the California Department of Public Health and to Suleman, said Kaiser spokesman Jim Anderson.
The employees “ran the gamut of medical staff,” Anderson said. Kaiser does not believe the employees intended to sell or disclose the information. The hospital had stepped-up efforts to shield Suleman’s records from employees who had no medical reason to access them.
The breach comes just three months after the enactment of new state privacy laws that authorize the California Department of Public Health to investigate health information privacy breaches and fine facilities up to $25,000 per patient. Organizations must notify both CDPH and the patient of a privacy breach within five days of detection. A separate, companion law enables the state to investigate and fine the individuals involved.
In this month’s Journal, Cassi L. Birnbaum, director of health information and privacy officer at Rady Children’s Hospital of San Diego, describes the new laws and her organization’s method for assessing and ensuring their readiness for them.
The healthcare industry lacks a standard for sanctioning staff on unauthorized access, and varying policies and inconsistent applications hamper privacy and security efforts as well as generate consumer mistrust. Next month’s Journal offers guidance on how organizations can create meaningful and consistent breach sanction policies. Look for the practice brief “Sanction Guidelines for Privacy and Security Breaches” in the May issue.