Kaiser Permanente's Bellflower hospital in California was slapped a fine of $250,000 Thursday for allowing its †employees access to the personal records of Nadya Suleman, the octuplet mom. The fine is the first monetary penalty imposed and largest allowed under a new state law on violation of privacy.
Previously the †UCLA Medical Center was in the eye of a storm over the leaking of the medical records of such celebrities as Farrah Fawcett, Britney Spears as California First Lady Maria Shriver..
The new law that came into force on January 1 allows the Department of Public Health to impose fines against healthcare facilities of up to $25,000 per patient for the first violation and $17,500 for each additional violation, up to $250,000. A separate law allows fines to be imposed against individual healthcare workers.
The state Department of Public Health found that breaches of Suleman's records extended beyond the Bellflower hospital and continued even after Kaiser first informed regulators it had suffered a breach. Eight workers at other Kaiser hospitals and the chain's regional office were among those implicated, said Kathleen Billingsley, deputy director of the Public Health Department's Center for Health Care Quality.
The steps Kaiser took to protect Suleman's privacy were not aggressive enough, Billingsley and other state health officials said.
"It's the hospital's job to prevent these breaches from occurring, not just crack down after the fact," said Kim Belshť, secretary of California's Health and Human Services.
. Belshť said the Kaiser workers were still being investigated by the California Office of Health Information Integrity, which will decide whether individual penalties will be imposed.
"The fine issued today should be a reminder that there are consequences for violations of medical privacy," Gov. Arnold Schwarzenegger said in a written statement.
As many as 15 employees were either terminated or resigned under pressure following the Suleman episode and eight faced other disciplinary actions, the state said in a report. The doctors were among those disciplined, not fired.
As is common practice, the state did not identify Suleman by name, but the facts, dates and circumstances match those of her case, Charles Ornstein wrote in Los Angeles Times.
Kaiser spokesman Jim Anderson said the hospital took numerous steps to protect Suleman's privacy. It issued repeated warnings to staff members about privacy laws and added a prompt to her computerized records warning employees of the consequences for looking without permission.
Anderson said there was no proof that any of the employees leaked information to the media. "We share the department's concern for patient confidentiality, which is why we took all the strong action we took in this case," Anderson said. "Despite everything we did to try to prevent these kinds of things from happening, it is obvious that curiosity got the better of some people."
Jeffery Czech, Suleman's lawyer, said his client was not happy that unauthorized personnel looked at her records. But given the amount of gossip that has been printed about her private life, Czech said, "She's a little deadened to it."
"I think Kaiser handled it professionally. They found out, they terminated the employees, they brought it to our attention. They certainly didn't try to hide it," he said.
In their report, state officials said Kaiser's risk management office did not produce a list of all the employees who accessed Suleman's records until Feb. 5, more than a week after she gave birth.
"I believe that they should have anticipated it," Billingsley said. "If you know someone is coming in, a well-known individual or something that has the potential for other people to be curious . . . you should be able to come up with a solution."
Kaiser has 10 days to decide whether to appeal the fine. Anderson said officials were still evaluating the matter,
The breaches involving Fawcett's medical records, first reported by The Times in April 2008, enraged California lawmakers and prompted the new law. In Fawcett's case, a low-level UCLA employee accessed her records more often than her own doctors. The employee pleaded guilty last year to federal felony charges of selling the information to the National Enquirer. The woman died of cancer in March before she could be sentenced.
Although state inspectors last year found widespread privacy violations at UCLA, the hospital cannot be fined under the state law because the breaches took place before the law took effect.
Federal law prohibits the unauthorized accessing of a patient's medical records. Since 2003, the U.S. Department of Health and Human Services has received nearly 44,000 privacy complaints. The agency has said it favors helping facilities make needed changes voluntarily as opposed to imposing fines.
Dr. Deborah Peel, founder of Patient Privacy Rights Foundation in Austin, Texas, said new technologies should be used to prevent unauthorized workers from accessing data in the first place.