Laws bolster penalties for privacy breaches in California
In the wake of multiple high-profile cases of snooping, the state cracks down on unauthorized looks at medical files.
Eyes will be on California starting next year, but they won't be peeking into medical records.
At least that's Gov. Arnold Schwarzenegger's hope; in September he signed into law two bills that put some teeth into patient privacy rules and give doctors good reason to comply.
Under the new laws taking effect Jan. 1, 2009, the state has significantly increased fines not only for the illegal use of medical records but also for unauthorized access to records. The laws also open the door for patients to sue doctors when their records are accessed, even if there is no damage.
Other states have privacy laws that require notification of a breach, but the California bills are thought by experts to be the first to place a strong focus on enforcement.
Experts predict California's actions will lead to more states following suit, as well as tougher enforcement of HIPAA privacy and security rules, which have gone largely unenforced since they took effect in 2003 and 2005, respectively.
For physicians, "the idea behind all this is don't wait until the 500-pound gorilla is pounding on your door," said attorney Peter MacKoul, president of Sugar Land, Texas-based HIPAA Solution, a consultancy that helps practices become HIPAA-compliant. "It's called preventative action."
About the same time the California governor signed the two patient privacy bills into law, a report published by the California Health Dept. found snooping incidents at the UCLA Medical Center were much worse than initially thought. The study found that since 2003, hospital workers inappropriately accessed the electronic medical records of 1,041 patients, including those of California first lady Maria Shriver. Some of those employees were feeding celebrity information to the media, the report said.
Both of the new state laws require that medical facilities safeguard patient records and implement controls that would prevent not only malicious theft of patient information but also unauthorized access.
Under SB 541, if a snooping incident like those at UCLA occurs, the hospital must notify the patient within five days; if it fails to do so, fines of $100 per patient per day can be imposed, up to a total of $250,000.
Under AB 211, which deals with individual physicians and other health care professionals, patients can collect damages up to $1,000. And licensed health care workers who violate the law could receive a civil penalty of up to $25,000 per violation; any person or entity that uses records for financial gain could receive a penalty of up to $250,000. SB 541 also created the Office of Health Information Integrity, which will be responsible for the enforcement of the laws.
The California Medical Assn. initially rejected AB 211 for being too vague. Amendments were made to allow enforcement officials to consider the size and complexity of the physician practice when deciding on remediation for violations. The bill then gained CMA's support.
"It allows some customization to make sure the goal is to educate and train and make sure the physician can meet the requirement of the law," said Teresa Kline, associate director for CMA Government Relations. The CMA issued no opinion on the Senate bill.
The American Medical Association has not analyzed the California bills. It has a policy supporting patient privacy that instructs physicians to obtain patient permission before releasing information to the media or to any other unauthorized person not involved with the care of that patient.
Privacy experts say many physicians haven't done much beyond drafting a policy, and enforcement of HIPAA's privacy and security rules has been virtually nonexistent. Enforcement is the responsibility of the Office of Civil Rights, which receives no budget for enforcement activities.
In an October report to the Centers for Medicare & Medicaid Services, Inspector General Daniel R. Levinson wrote that "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that [electronic personal health information] was being adequately protected."
Richard Cauchi, health program director for the National Conference of State Legislatures, expects to see federal legislation introduced that will address these issues, but expects more states to take matters into their own hands first. The NCSL is a bipartisan research group that does not take positions on legislative matters.
"I think there is a possibility for federal laws to change. But there is a different pace of action for federal laws. Whereas states can look at something and if there is desire for change ... states can act quickly and achieve bipartisan consensus in a short period of time," he said.