The California Department of Public Health has issued 42 administrative penalties and $2.26 million in fines to 24 hospitals, two clinics and two palliative care providers for violations of patient privacy.
The penalties were made public earlier this year but received little attention, though they were the first issued by the agency for privacy breaches since 2016.
The California Department of Public Health (CDPH) rarely publicizes patient privacy violations, even though they are often accompanied by fines that dwarf those for medical errors that endanger the lives of patients. Most of the incidents occurred four to five years ago. The individual fines against the hospitals and providers ranged from $2,550 to $250,000.
Many of the citations were for disclosures of protected health information that were inadvertent or involved a handful of patients. But some of the breaches involved significant amounts of patient information or were particularly disturbing.
Paul Hackman, an attorney and chief compliance and privacy officer for the University of Riverside School of Medicine, noted in an email “that the overwhelming majority of reportable privacy breaches are unintentional” and “hospital employees overwhelmingly understand that they hold a position of trust, and take active steps to protect confidential information.”
Nevertheless, many of the breaches involved deliberate acts by hospital employees.
Zuckerberg San Francisco General Hospital was cited for a breach involving a notorious 2013 case of an inpatient who went missing and was eventually found dead. Fifty-seven-year-old Lynne Spaulding had been admitted in September 2013 for a bladder infection and disorientation. She vanished two days after her admission. Her body was found in a little-used hospital stairwell 17 days later. The CDPH did not reveal Spaulding’s name, but the facts and dates in the agency’s incident report match her case specifically.
According to CDPH records, four hospital employees – two nurses and two clerical workers – accessed Spaulding’s medical records. Most said they did it out of curiosity. Three employees were fired; the fourth, a clerk who said she accessed Spaulding’s records at the behest of a supervisor, kept her job but was subject to retraining and closer scrutiny regarding how she used the hospital’s electronic medical records.
The hospital was fined $38,750 for that breach, according to the CDPH.
In a breach Hackman described as “egregious,” Community Regional Medical Center in Fresno was cited for a 2014 incident in which 17 employees viewed the medical records of a patient who had been admitted to the emergency room with a large flashlight lodged in their rectum. The employees even took photos of the patient’s x-rays and shared them with other workers, records show.
Community Regional Medical Center was fined $91,500 for the incident. The hospital fired six employees, and two others resigned in lieu of disciplinary action. Seven other employees were either counseled or received verbal or written warnings.
One of the largest fines, $250,000 against Tri-City Medical Center in Oceanside, involved the discipline of an employee for an unrelated matter. A cart he was given to clean out his personal belongings contained six folders containing patient transfer records from the emergency department. The folders were loaded into the employee’s car and he left the premises. Altogether, the books contained the personal health care information of more than 8,200 patients. Hospital officials admitted during an investigation that the process for tracking the logs was “flimsy.”
UC San Francisco Medical Center received four separate citations, including one for a 2014 incident in which a temporary employee accessed the records of 71 patients. One patient likely received harassing phone calls from the worker, with whom they had had a prior relationship. Another had had a credit card application made in their name. The worker was reported to the police and district attorney’s office, while the temp agency that referred the employee was required to retrain its staff on patient privacy laws. The hospital was fined $250,000 for that incident.