California Logs 2,500 Breach Reports in 2009
On January 1, 2009, the nation’s toughest breach notification law took effect in California, where providers were required to report any breach of protected health information to the patient and the state within five business days.
The state government was flooded with breach notifications, receiving 2,490 reports of breach incidents through December 31, 2009, according to the California Department of Public Health, Center for Health Care Quality (CDPH), which is responsible for collecting the notices and investigating cases.
Of the cases reported, CDPH has completed 1,291 investigations, with all but 120 confirmed as privacy breaches. At year’s end, 484 cases were still under investigation, and the balance were pending investigation.
The vast majority of all reported breaches – 2,290 – were unintentional, typically involving business mistakes, says Kathleen Billingsley, CDPH deputy director. The most common incident reported involved patient health information accidentally sent to the wrong destination; for example, a patient’s chart faxed to the wrong Dr. Smith.
However, of the confirmed breaches, 96 occurred due to malicious, intentional acts by healthcare workers, an average of 8 per month.
“Higher Standard,” Better Safeguards Needed
The number of reported malicious breaches came as a personal surprise to Billingsley, who has a nursing background. “I’m surprised at the lengths people will go to try to access information that they are not authorized to access,” she says. “Some individuals will actually go and get a new password and use a separate computer in order to view information.”
Other malicious cases involved healthcare employees looking at unattended records, searching patients’ billing information, and reviewing their lab results. In addition to an educational reminder that “we need to hold ourselves to a higher standard as healthcare workers,” Billingsley says these breaches show changes to EHR systems are needed to better prevent unauthorized access to patient records.
A Year of Interpretation and Clarification
CDPH spent part of the last year interpreting state law and educating providers on exactly what type of breach incidents should be reported. This was the department’s biggest challenge in implementing the landmark breach notification law, Billingsley says.
In July CDPH sent a letter to all healthcare providers clarifying parts of the breach notification law. In that letter, Billingsley stated that healthcare organizations do not need to submit a notification if the incident involved a misdirected internal paper record, e-mail, or fax that was sent to another healthcare worker within the same facility.
For example, “If I wanted to fax something to the lab, but inadvertently I push a button and it goes to radiology instead,” Billingsley says. “We received a multitude of those.”
Billingsley’s letter was in response to the “overwhelming” number of these types of incidents being reported to CDPH; the department felt these cases presented a low risk to the patient and did not warrant a state investigation under current law, Billingsley says.
However, she was surprised by the high number of these incidents, and she wrote in the letter that facilities should review their internal policies and procedures to prevent similar occurrences in the future.
Cautious with Fines
Depending on the severity of the breach, providers can be fined up to $25,000 per patient for the initial breach, and $17,500 for each subsequent breach. Penalties can reach up to $250,000 per incident. Further, CDPH can refer cases to the California Office of Health Information Integrity (CalOHII), which can conduct its own investigation and both fine specific individuals and refer them to their professional licensing boards for additional sanctions.
CDPH was cautious in issuing fines during the first year, because the department was fine-tuning its process, Billingsley says.
The department issued $437,500 in fines to healthcare providers in 2009. All of those fines were assessed in two cases against Los Angeles-based Kaiser Permanente Bellflower Hospital, which was involved in a breach of “Octomom” Nadya Suleman’s medical records.
The pace of fines will pick up in 2010, Billingsley says, with new penalty announcements pending.