California Patient Privacy Law Enforcement is Inconsistent
Last week, California’s enforcement of data privacy rules was criticized after the Department of Public Health was found to be inconsistently enforcing state laws. Numerous healthcare organizations have committed serious privacy violations, yet have escaped fines.
Two privacy bills were passed in California in 2008 in an effort to better protect the privacy of state residents. One of the aims was to make healthcare organizations more accountable when privacy violations occurred.
The laws were introduced following a number of high profile privacy breaches involving hospital employees snooping on the medical records of celebrities (Britney Spears, Farrah Fawcett and Maria Shriver). Since the bills were passed, healthcare organizations in the state can receive heavy fines for privacy violations, although relatively few fines are issued.
California Patient Privacy Laws Being Violated with Few Consequences
The state of California has some of the strictest laws on data privacy in the country. While action is taken against healthcare organizations by the Department of Public Health when patient health records are exposed, state laws are not being consistently enforced and few fines are being issued.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
Some healthcare providers have been written up on numerous occasions, yet no fines have been issued. Others have suffered relatively few privacy breaches but have been fined multiple times.
For instance, Eisenhower Medical Center had 278 privacy-deficiencies between 2012 and 2015, yet the medical center has never received a fine under state privacy breach laws. The hospital with the second most deficiencies over the same period, Riverside County Regional Medical Center, has similarly not been fined even though 120 privacy incidents have been reported.
Not all of those privacy violations were major. Many only required minor actions to be taken to address the issues that caused the breaches, yet a number of serious data breaches have occurred at both of the above healthcare facilities. Similar data breaches have been suffered by organizations in other locations in the state and have resulted in financial penalties being issued.
There have been over 3,700 privacy deficiencies discovered in the past four years, and healthcare organizations have had to take action to address those privacy issues, yet only around 100 fines have been issued.
The lack of fines is in part due to the time it takes for organizations to be investigated. We are now seeing fines issued for privacy breaches that occurred in 2012 and 2013, but even so, the number of fines issued is very low.
The Department of Public Health has explained the lack of fines as being in part due to the length of time it takes for a fine to be issued. It is necessary to have “multiple layers of review,” before a fine is issued. As with OCR, resources are stretched due to a heavy workload. There is also a lack of inspectors in some parts of the state, although that issue is now being tackled. New members of staff are now being taken on and more inspections of healthcare providers will now take place.
The problem with inconsistent enforcement is also being addressed. California Department of Public Health spokeswoman Anita Gore recently told ProPublica that further training will be provided to inspectors in district offices across the state in an effort to make the enforcement of California privacy laws more consistent.