Charles Ornstein is a senior reporter for ProPublica and a past president of the Association of Health Care Journalists. This story originally appeared on ProPublica. It was co-published with The Sacramento Bee and KPCC.
In 2008, outraged by a string of snooping incidents involving celebrities’ medical records, California legislators passed a groundbreaking law that compelled hospitals to quickly report patient privacy breaches and gave the state power to levy fines for such violations.
Since then, the state Department of Public Health has imposed more than 100 fines on hospitals and clinics, totaling more than $10.7 million. In just the past four years, state inspectors have written up hospitals more than 3,700 times.
But a ProPublica analysis of state data shows enforcement has been inconsistent.
Health inspectors in Los Angeles County — home to more than 100 hospitals — have issued only a handful of violation reports since 2012. Several of the biggest and best-known hospitals in Los Angeles have publicly acknowledged significant breaches during that time, but have clean records.
Meanwhile, inspectors in the neighboring region that encompasses the Inland Empire have cited hospitals repeatedly, some dozens of times, even for inadvertent errors. Eisenhower Medical Center in Rancho Mirage has been hit with the most privacy-related deficiencies in the state, 278. The facilities with the second-most and seventh-most citations are also in Riverside County.
Most of Eisenhower’s deficiencies were minor and quickly corrected, records show, but some were not. In 2013, a hospital employee admitted she accessed the records of patients (who were also Eisenhower employees) to get their ages and marital status to find dates for a friend.
The state’s hit-and-miss enforcement isn’t confined to issuing deficiencies, a non-punitive report that requires hospitals to fix any problems identified. It also extends to the fines issued under the law, which often take years, if they come at all. Most of the fines meted out in 2015, for example, involved breaches that took place in 2012 and 2013. One went back to 2009.
ProPublica analyzed deficiencies cited against California hospitals since Jan. 1, 2012, excluding those for breaches before 2011, as well as all fines imposed since the law went into effect. (You can view them using our HIPAA Helper tool.)
Brenda Klutz, a Sacramento health care consultant and former state health department official, called ProPublica’s findings significant and important.
“I think it’s something the department would certainly want to drill down on and get to the bottom of,” she said.
The California Department of Public Health declined interview requests but, in written responses, acknowledged the inconsistencies ProPublica found. Spokeswoman Anita Gore stated the department plans to address the discrepancies by providing more training to inspectors in district offices across the state and is in the process of hiring more inspectors.
“Medical and personal information breaches are a serious issue and are treated as such,” Gore wrote. She added that not all breaches are the same — some are accidental and others are malicious — and the state’s response will be different based on the facts.
Nowhere are the discrepancies starker than in Los Angeles County, where the county’s Department of Public Health is paid to inspect health facilities on the state’s behalf.
In part because of problems with the quality of Los Angeles County’s nursing home inspections, the state health department said it has provided extra training to the county’s inspectors and has added staff to increase monitoring of those county inspectors.
Los Angeles County’s public health department said in a statement that it follows the state’s policy for how to handle privacy incidents at hospitals. Under the policy — at least as Los Angeles County views it — citations are only issued if inspectors decide hospitals had a breach that’s “intentional, malicious or widespread” or if they don’t have adequate processes in place to prevent repeat breaches.
The county said it was not aware that its handling of privacy breaches varied from the state health department’s other offices, or that the state was concerned by this.
Kaiser Permanente operates multiple hospitals throughout California and has experienced firsthand the different approaches taken by the Department of Public Health’s various offices. Two Kaiser facilities — the South Sacramento hospital on Bruceville Road and the Sacramento hospital on Morse Avenue — ranked first and second for citations in Sacramento County, with 17 and 13. Meanwhile, Kaiser’s flagship in Los Angeles has had none, although it has reported privacy breaches to the state, a spokeswoman confirmed.
“We can’t speculate how this information is recorded or reported by the state, but we can tell you that we comply with all federal and state reporting requirements,” Vanessa Benavides, Kaiser Permanente’s chief compliance and privacy officer, said in a statement.
Citation numbers alone do not reflect whether hospitals are systematically violating patient privacy.
A spokesman at Ronald Reagan UCLA Medical Center in Los Angeles said the hospital has reported 164 privacy breaches to the state health department since July 2013. It hasn’t received a single citation since 2012. (It was fined in 2009 and 2010.)
The most-cited hospitals are not those with the most fines. Eisenhower, which has the most deficiencies in the state, has never been fined under California’s privacy statute. By contrast, San Francisco General Hospital had the most fines — seven — but ranked only 37th in total violations since 2012.
Troy Williams, San Francisco General’s chief quality officer, said he couldn’t say why the hospital ranked so high in fines when it hadn’t been cited all that often. Fines for other hospitals may be waiting in a queue, he said, or that the regulators that oversee San Francisco just recommend more fines.
“We had a privacy breach back in 2009 and we didn’t get penalized til 2012, and that’s about what we’ve been seeing, anywhere from two to three years,” he said. “It’s a pretty long time.”
Fines are recommended by district offices, but must be approved by health department officials in Sacramento. In a written statement, the department acknowledged that it takes a long time to assess fines, attributing the delays both to the agency’s workload and its “multiple layers of review.”
Klutz, the former state health official, said lengthy delays between violations and the resulting fines are problematic when the state’s goal is to prompt hospitals to change their behavior. “You want the consequence of a violation to closely follow the violation,” she said.
Recent audits of the state Department of Public Health have found inconsistencies in its licensing and certification arm, particularly oversight of nursing homes. A 2014 report commissioned by the department repeatedly cited inconsistencies and variability among its different regional offices. Another report from the California State Auditor in October 2014 found similar problems.
The California Legislature in 2008 passed two bills to safeguard privacy after hospital employees snooped in the records of celebrity patients including then-California first lady Maria Shriver, singer Britney Spears and actress Farrah Fawcett.
“Your private medical information shouldn’t be flapping in the breeze like an open hospital gown,” then-Assembly member Dave Jones, the author of one bill, told the Los Angeles Times. Jones, now the state’s insurance commissioner, declined a request for comment through a spokeswoman because he does not monitor the law’s implementation in his current job.
California’s law is distinct from the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA. Indeed, the state health department said it does not coordinate or consult with the federal agency that enforces HIPAA, even if the two agencies are investigating the same breach.
Officials at Eisenhower Medical Center said they weren’t aware the hospital had the most privacy deficiencies in the state until they were informed by ProPublica. “I don’t know why we would be number one except we do have a very strong program” to identify and report privacy violations, general counsel Michael Appelhans said. “We do a lot of training for employees” and do not discipline employees when they disclose unintentional violations.
Riverside County Regional Medical Center had the second-highest number of privacy deficiencies, 120. A number were quite serious: A patient’s HIV test results were released in response to an attorney’s subpoena, even though they should not have been; a staff member took a photo of a trauma patient with a knife stuck in his head and posted it on a social media site; an admissions clerk used a patient’s information to call and ask if she had a boyfriend; and the hospital sent the wrong patient’s information to the Department of Justice as part of a “Firearms Prohibition” reporting system.
Yet the hospital has never been fined by the state.
Riverside University Health System said in a statement that it has implemented “a series of corrective actions aimed at ensuring compliance” with the law. It hired new leaders to implement a “robust compliance” program, allocated more money to the effort, purchased new training software for staff, and hired a contractor to conduct a HIPAA security risk assessment.
Photo by theilr via Flickr CC License
