An analysis of patient health records security breaches in California concluded that although the California Department of Health addresses internal security breaches of patient data, it does so inconsistently.
The report, conducted by the investigative journalism nonprofit ProPublica, found that hospitals in the Los Angeles area are not as stringently held accountable as hospitals in the rest of the state.
“I think this study is significant in that the industry is looking at the issue of patient privacy and talking about it,” Thomas Grove, a principal at Phoenix Health Systems told HCB News. “This is a completely correctable problem because most patient privacy violations are committed internally by a hospital’s own employees or associated physician offices.”
Grove said he has worked at hundreds of hospitals on health records security and privacy issues. He noted the report highlights the broad issue of patient medical record privacy.
“I’ve seen a couple of recent surveys which indicate that about half of all patients have considered withholding private information from doctors and hospitals for fear their privacy will be compromised. So we can still do a lot better,” Grove said.
The California HealthCare Foundation (CHF), in summarizing the report, noted, “the most-cited hospitals did not necessarily receive the most fines.” Grove credits this to self-reporting in which hospitals voluntarily identify and report violations to the state. In California, according to the CHF summary, the state standard for issuing fines hinges upon whether or not privacy violations are “intentional, malicious and widespread.”
Fines in California amounted to nearly $11 million from 2009-2015, according to cited state data. Grove cautioned, however, that the number of citations does not necessarily equate to severity.
“Some hospitals have more robust compliance programs and do a better job of self-reporting. So should they be penalized more than a hospital that does not do as good a job self-reporting?” said Grove.
The California law was adopted in 2008 after high-profile in-hospital snooping into the records of such celebrities as Maria Shriver, the wife of then-Governor Schwarzenegger, Britney Spears and Farrah Fawcett, according to ProPublica. But Grove said that hospital staff snooping into celebrity medical records has a long history.
“In 1997 when fashion designer Versace was shot in Miami Beach, the hospital where he was taken fired 48 employees who were found to have inappropriately accessed his medical records,” said Grove.
CHF summarized several actions the state and hospitals plan to take to reduce the privacy breaches. These include: hiring compliance program leaders; increasing compliance budgets; providing more training to employees; and conducting third-party risk assessments. Grove noted that hospitals are often reluctant to pay for an outside risk assessment until there is a problem.
“Most hospitals are thinking about outside hackers getting access to patient records and not the problem of employees looking at records,” Grove said. “But this is a security problem that becomes a privacy problem.”
The full ProPublica report can be read here.