January 2009 Volume 33 No. 1
Patient privacy laws hold violators accountable

Two new privacy laws intended to protect patients took effect Jan. 1 and impact physicians and other caregivers directly in California.

Together Senate Bill 541 and Assembly Bill 211 impose fines for unauthorized access to patient information on individual practitioners, as well as health care institutions, and create an obligation for caregivers and hospital employees to report suspected violations to their hospital’s compliance office.

Diane Meyer, SHC/LPCH chief compliance and privacy officer, said regulations to implement the law are pending but that lawful access to records, such as patient care, billing and authorized hospital operations, should remain the same.

“If it was legal in 2008, we expect that it is legal now,” said Meyer. “This law doesn’t change existing, legitimate purposes for accessing patient information, but the law adds new state enforcement authority of longstanding state and federal privacy standards and creates personal liability for those who access patient information that they do not need to perform their job functions for the hospital,” she said.

“These new laws increase patient privacy protections but also add new requirements, fines and penalties — which can affect you directly and individually,” Dean Philip A. Pizzo wrote in his Dec. 15 e-newsletter.

“Individual penalty is a new twist on the responsibility for privacy that we have had all along,” said Meyer.

Specifically, California Senate Bill 541 authorizes the California Department of Public Health (CDPH) to investigate unlawful or unauthorized access to, or viewing, use or disclosure of, patient information. This bill requires the hospital to report to CDPH and to the patient any such unauthorized access, viewing, use or disclosure of patient information within five days of its detection. Hospital fines range from $25,000 to $250,000 per patient whose medical information was breached, Meyer explained.

Companion legislation, Assembly Bill 211, authorizes a new state Office of Health Information Integrity (OHII) to investigate and enforce existing medical privacy laws and to investigate individuals and assess penalties against individuals for unauthorized access to or viewing, use or disclosure of patient information. The fines to individuals range from $2,500 to $250,000 for violations.

The fines are the personal responsibility of the individual, said Jeff Driver, director of risk management. No defense or indemnity coverage is provided by the hospital’s insurance policies for fines that are incurred by individuals due to violations, he said.

“Californians seeking care at a hospital or health facility should never have to worry that their private medical information will be shared,” said Gov. Arnold Schwarzenegger, when he signed AB 211 into law last Oct. 1. The Los Angeles Times and other news sources reported the governor had sought the legislative package after the newspaper earlier reported that numerous employees at UCLA Medical Center had peeked at medical records of celebrities, including his wife.

Meyer noted that physicians and other caregivers are obligated to report any suspected inappropriate or unauthorized access by any individual to SHC/LPCH patient systems to the Compliance and Privacy Department by emailing to PrivacyOfficer@stanfordmed.org, calling the department at (650) 724-2572, or by making an anonymous call to the compliance and privacy hotline at (800) 216-1784.

“SHC/LPCH will not retaliate against any individual who reports in good faith potential violations of laws or hospital policy,” Meyer added.

Meyer noted that accessing and monitoring medical records is easier and more efficient with the advent of electronic health records and that the hospital has increased activities related to monitoring records as part of its privacy assurance program. Monitoring, she said, includes evaluation, investigation and interviewing.

“We will have a thorough and timely investigative process, a detailed analysis of each case before any reporting to the state,” said Meyer. “Part of the monitoring program is that we be diligent about our evaluation of whether the access was appropriate or not, whether it was lawful and authorized.”

Meyer encouraged physicians to make sure that they understand the rules affecting their individual practices or projects. “We are mandated to provide additional scrutiny of records,” Meyer noted in late December, “and we’re asking physicians to ensure that their practices are in compliance.”

A joint LPCH/SHC/University/School of Medicine steering committee is currently working on implementation of the new requirements under these two new laws and will continue to provide information as regulations are promulgated and further information becomes clarified and available.

For more information or clarification, the SHC/ LPCH Chief Compliance and Privacy Officer, Diane Meyer, at (650) 724-2572 or PrivacyOfficer@stanfordmed.org.