Reports of health record breach violations have been pouring into the California Department of Public Health since the state began requiring healthcare entities to report all incidents of unauthorized record access.

More than 800 reports have been filed since the law took effect January 1, according to Kathleen Billingsley, RN, deputy director of the California Department of Public Health, Center for Health Care Quality (CDPH). The agency has conducted dozens of investigations to date, she says. 

The new laws have raised eyebrows across the country, and have positioned California as a “leader in medical privacy,” Billingsley says. Meanwhile healthcare providers have been scrambling to institute policies that adhere to the new—some say overly strict— requirements.

Reporting Any and All Improper Disclosures

In 2008 California legislators passed SB 541, which gave CDPH power to investigate and fine organizations for data breaches. Companion legislation, AB 211, created the California Office of Health Information Integrity (CalOHII) and gave the office power to fine individuals for data breaches and refer them to professional licensing boards.

Beginning January 1 of this year, healthcare organizations in California are required to report any unauthorized access to a patient’s personally identifiable health information—intentional or unintentional.

“The message we want to send is that it is no longer acceptable to view patient’s medical records or to disclose them without having authorization to see those records…” Billingsley says. “It is a major, major change in the healthcare industry.”

CDPH investigators had a backlog of investigations from the start. CDPH received 823 breach incident reports from January 1 to May 31, the latest numbers available. Of those cases, 122 have received a full investigation, with 116 confirmed as breaches. There were 232 cases that had ongoing investigations, and 469 reported breaches were pending an investigation. While most of the incident reports come through self-reporting by providers, CDPH also fields patient complaints regarding breaches.

CDPH officials were initially surprised by the high number of breach incident reports they received, Billingsley says. They expect the number to increase over time as people become more familiar with what needs to be reported.

The types of reported breaches vary from unintentional breaches, such as faxing a patient’s chart to the wrong Dr. Jones, to facility employees purposefully snooping in a patient’s record.

This latter type of breach occurred earlier this year at Los Angeles-based Kaiser Permanente Bellflower Hospital, when “Octomom” Nadya Suleman’s medical records were inappropriately accessed by 23 hospital employees. In May Kaiser Permanente received the only CDPH fine to date—the $250,000 maximum allowed under the new law.

Intentional breach cases have been rare, Billingsley says. Most reported breaches to date have been the result of errors.

The Investigative Process

Determining what corrective action should be required for a breach starts with a formal CDPH investigation. Once a facility discovers a privacy breach it has five days to notify the patient and the local CDPH Licensing and Certification office.

State investigators triage incoming notifications and patient complaints, investigating the most serious cases first. In most cases, investigators conduct an on-site investigation and issue a formal report to the facility. If a violation has occurred, organizations have 10 days to submit a correction plan that will prevent similar incidents.

Investigators determine fines based on multiple factors, including the facility’s history of breach law compliance, its actions upon discovery of the breach, and the steps it has taken to prevent or correct the situation.

Individual Fines Possible

After CDPH concludes its investigation, it may refer the case to CalOHII, which has the authority to fine the individuals involved and refer them to their professional licensing board for disciplinary action.

CDPH had referred 125 cases to CalOHII as of June 30, according to Alex Kam, CalOHII director. One of those cases is the Kaiser breach case, which Kam said is one of the first being reviewed by investigators. Originally called the Office of HIPAA Implementation, CalOHII took on its new name and added responsibilities under AB 211 legislation in August 2008.

CDPH refers cases to CalOHII if it determines that an individual contributed to or benefited from a privacy breach. Fines for individuals can reach up to $250,000, depending on the severity and extent of personal harm caused by the breach. In June, CalOHII was preparing to conduct its first official investigations and had not yet issued any individual fines.

Both CDPH and CalOHII created their enforcement programs from scratch. Nationally, HIPAA has rarely been enforced, so a true privacy breach enforcement model did not exist. Since the state laws went into effect in January, CalOHII has been busy formalizing complaint, investigation, and referral processes. The active investigation of individuals suspected in data breach incidents was expected to begin in July, Kam says, though in the months prior CalOHII staff were examining cases and preparing formal investigations.

Kaiser’s Fine Sends a Message

Healthcare entities scrambled to understand the new laws and evaluate their privacy and security processes against them. But the $250,000 fine against Kaiser Permanente sent a shock through facilities across the state.

Many providers have since had conversations about how to prevent a similar incident from occurring at their facilities, says Gerry Hinkley, JD, a healthcare lawyer and partner with Davis Wright Tremaine LLP, based in San Francisco. Many in California healthcare law were surprised by the size of the Kaiser fine. “That got people’s attention,” Hinkley says.

In its report on the case, CDPH investigators faulted Kaiser for not doing enough to lock down Suleman’s record once it discovered the first improper viewings. Kaiser added a notice at the top of Suleman’s record warning employees that they required authorization and a valid need in order to access medical records, according to CDPH’s report. The warning did not prevent additional breaches.

These missteps provided a lesson to officials at Rady Children’s Hospital of San Diego, says Cassi Birnbaum, RHIA, CPHQ, director of health information and privacy officer. “We are in the final phases of designing our new EHR system, so we certainly are looking at some of those items and figuring out what we can do to safeguard things here,” she says.

The Kaiser Permanente case highlighted the need for better access management controls. Hinkley notes that organizations should ensure their electronic health record systems have the appropriate levels of authentication. “I’m aware of hospitals where everybody on the medical staff can look at everybody’s medical record,” he says. “That doesn’t make any sense.”

Rady has sent out several breach notifications under the new California law since January, according to Birnbaum. All of them were due to inadvertent disclosures, such as a fax being sent to the wrong number. Rady has not been fined, but the organization has been required to submit corrective course of action plans after each incident.

While Rady has been able to meet the five-day notice requirement, Birnbaum says staff have been rushed to prepare the breach notification.

Hinkley describes the five day limit as “unrealistic.” Healthcare officials have found that five days is sometimes not enough time to know what patients are affected or even to prepare a proper notification, he says. By contrast, most states with breach notification laws require organizations to send notices “without reasonable delay.” ARRA as drafted requires facilities to notify patients within 60 days.

“Good Things” Come from Oversight

California’s new laws are coming at a pivotal time for healthcare, says CalOHII’s Kam. “The transition to the electronic health record world is going to occur very quickly now as money starts coming out of the HITECH portion of ARRA [the American Recovery and Reinvestment Act],” he says. “And we feel it is really critical that there is consumer confidence in the privacy and security protections that come along with that change.”

Billingsley believes the new laws are making a difference. Organizations are instituting corrective actions to ensure future breaches do not occur, such as processes to ensure fax numbers are correct before sending out health records. They also are working to change culture so unauthorized peeping at records is curbed.

In the end, the goal is to protect patients and hold healthcare professionals responsible for protecting privacy, Billingsley says.

“We want to make sure that hospitals put safeguards in place so patients, for example, don’t go home with someone else’s discharge order,” she says. “And I can safely say I bet the hospital where this may have taken place has probably taken some pretty aggressive action to prevent that in the future.

“So, good things come out of monitoring and oversight.”