Analysis Finds Inconsistent Enforcement of Calif. Privacy Law
The California Department of Public Health has inconsistently enforced a 2008 state law (SB 541) aimed at strengthening privacy protections for patients, ProPublica reports.
The findings are based on a ProPublica analysis of state data on:
- Privacy deficiencies cited against California hospitals since Jan. 1, 2012; and
- Fines levied against hospitals since the law took effect (Ornstein, ProPublica, 12/31/15).
Background on SB 541
In September 2008, then-Gov. Arnold Schwarzenegger (R) signed SB 541 to increase fines for privacy breaches and require medical facilities to take steps to protect patient records. The law took effect Jan. 1, 2009 (California Healthline, 11/26/08).
Since then, DPH has levied more than 100 fines against hospitals and clinics totaling more than $10.7 million. In the last four years, inspectors have cited hospitals more than 3,700 times, according to ProPublica.
Findings
Overall, the analysis found inconsistent enforcement of the law.
According to the analysis, the facilities with the most privacy deficiencies included:
- Eisenhower Medical Center in Rancho Mirage, with 278;
- Riverside County Regional Medical Center in Moreno Valley, with 120;
- UC-San Francisco Medical Center, with 108;
- Contra Costa Regional Medical Center in Martinez, with 101; and
- Santa Clara Valley Medical Center in San Jose, with 83.
However, the most-cited hospitals did not necessarily receive the most fines.
For example, Eisenhower Medical Center and Riverside County Regional Medical Center have never been fined under the state law, according to ProPublica. Meanwhile, San Francisco General Hospital -- which ranked 37th in total violations since 2012 -- received the most fines.
According to ProPublica, the discrepancies are greatest in Los Angeles County, where the county health department inspects health facilities on behalf of DPH. The department only issues citations if breaches are deemed "intentional, malicious or widespread," or if the facilities lack processes to prevent repeat breaches.
Kaiser Permanente, which operates hospitals in and outside of Los Angeles County, has experienced such discrepancies. For example, Kaiser's Sacramento and South Sacramento facilities have both received more than 10 citations. Kaiser's flagship location in Los Angeles has had no citations, despite reporting breaches to the state.
Meanwhile, the number of citations does not necessarily reflect whether hospitals are "systematically" violating privacy laws, according to ProPublica.
For example, a Ronald Reagan UCLA Medical Center spokesperson said the facility has reported 164 privacy breaches to DPH since July 2013 but has not received any citations since 2012.
DPH's Response
In a statement, DPH acknowledged the inconsistencies in enforcement, noting that it can take a long time to assess fines because of the department's workload and "multiple layers of review."
DPH spokesperson Anita Gore said the agency plans to address such issues by:
- Hiring more inspectors; and
- Offering them more training.
She said, "Medical and personal information breaches are a serious issue and are treated as such."
Hospitals' Reaction
Several hospitals said they were not aware of their rank in terms of privacy breaches or why there were inconsistencies in enforcement of the law.
Michael Appelhans, general counsel at Eisenhower Medical Center, said, "I don't know why we would be No. 1 [in citations] except we do have a very strong program" for identifying and reporting violations.
Meanwhile, Riverside University Health System in a statement said it has implemented "a series of corrective actions aimed at ensuring compliance" with the state law. For example, it has:
- Hired leaders to develop a "robust compliance" program;
- Allocated more money to the compliance effort;
- Bought new training software; and
- Hired a contractor to conduct a HIPAA security risk assessment (ProPublica, 12/31/15).