Press Release

09/30/2008   GAAS:690:08   FOR IMMEDIATE RELEASE

Governor Signs Bills to Protect Patient Privacy, Increase Enforcement Actions for Medical Errors

Governor Arnold Schwarzenegger announced today that he has signed a package of bills to improve patient privacy laws and to address repeated breaches of confidential information that have occurred at health facilities in recent months.

"Medical privacy is a fundamental right and a critical component of quality medical care," Governor Schwarzenegger said. "Repeated violations of patient confidentiality are potentially harmful to Californians, which is why financial penalties are needed to ensure employees and facilities do not breach confidential medical information. Californians seeking care at a hospital or health facility should never have to worry that their private medical information will be shared."

Patients' legal right to confidential medical services in health facilities is strongly recognized and clearly defined in both state and federal law. However, under current law it is difficult to impose and enforce penalties when breaches occur unless a district attorney or the state Attorney General takes action.

The bills signed by Governor Schwarzenegger give the state tools to assess and enforce fines against health facilities and individuals who inappropriately obtain, use or disclose medical information.

SB 541 by Senator Elaine Alquist (D-Santa Clara) sets health facility fines for privacy breaches and increases the fines for serious medical errors in hospitals. The new law ensures that health care providers face real consequences when they fail to protect patients. For facilities, fines for disclosing private medical information would range from $25,000 to $250,000 per reported event. The California Department of Public Health (CDPH) would assess an administrative penalty of $25,000 per patient whose medical information was breached and a penalty of $17,500 per subsequent breach. If several individuals access the same patient's file, for example, the penalty would be $25,000 plus $17,500 for each additional person who violated the same file, up to a maximum of $250,000.

AB 211 by Assemblymember Dave Jones (D-Sacramento) requires health providers to prevent unlawful access, use or disclosure of patients' medical information and holds health care providers and other individuals accountable for ensuring the privacy of patients. The legislation creates the Office of Health Information Integrity within the California Health and Human Services Agency to assess administrative penalties against individuals up to $250,000. The legislation will also refer individuals, if licensed, to appropriate licensing boards.

In 2006, Governor Schwarzenegger signed Executive Order S-12-06 which convened a California eHealth Action Forum. Among its stated duties, the Forum is identifying and developing strategies for the continued protection of confidentiality and privacy of health information in an electronic environment.

In 2004, Governor Schwarzenegger signed SB 1633 which prohibits businesses from seeking to obtain medical information for marketing purposes without the express consent of the consumer.

CHART 1

Hypothetical Examples of How the Proposed Legislation Will Affect Health Facilities and Individuals When Private Medical Records are Breached


Example

Penalties/Enforcement Under Current Law

Under Proposed Law

1. SELLING INFORMATION:

Hospital employee knowingly and willfully accesses medical information without authorization and sells the information to a third party (such as a tabloid news outlet, private investigator, etc.)

Penalties/Enforcement Under Current Law:

  • No specific requirement to report the violation to the patient or the state and no fine for late reporting.
  • Employer may or may not take disciplinary action.
  • Attorney General or district attorneys who could enforce monetary penalties in current law may or may not learn of incident; action is rare.
  • Licensing board may or may not learn about incident; action is rare.

Under Proposed Law:

  • Employing health facility must report all incidents to the patient and the California Department of Public Health or face fines for non-reporting ($100/day beginning 5 days after detection).
  • Hospital may be fined $25,000 for initial breach and $17,500 for subsequent breaches up to $250,000.
  • CDPH would refer the individual to the Office of Health Information Integrity, which would:
    1) assess an administrative penalty on the employee of up to $250,000;
    2) report the individual (if licensed) to the proper licensing board; and/or
    3) refer the individual to local district attorney and the state Attorney General for action.

2. SHARING:

Physician, nurse or other health facility employee inappropriately accesses confidential medical information about a friend's fiancée and relays the information at a social event.

Penalties/Enforcement Under Current Law:

  • No specific requirement to report violation to patient or to state and no fine for late reporting.
  • Employer may or may not take disciplinary action.
  • Attorney General or district attorneys could take action in current law; may or may not learn of incident; action is rare.
  • Licensing board may or may not learn about incident; action is rare.

Under Proposed Law:

  • Employing health facility must report all incidents to the patient and the Department of Public Health or face fines for non-reporting ($100/day beginning 5 days after detection).
  • Facility may be fined $25,000 for initial breach and $17,500 for subsequent breaches up to $250,000.
  • DPH would refer the individual to the Office of Health Information Integrity, which would:
    1) assess an administrative penalty of $2,500 to $25,000;
    2) report the individual (if licensed) to the proper licensing board; and/or
    3) refer the individual to local district attorney and the state Attorney General for action.

3. FUNDRAISING:

A licensed medical facility provides patient information to a private contractor for fundraising purposes. No specific medical information is provided except the patient name and treatment facility.

Penalties/Enforcement Under Current Law:

  • Limited enforcement of existing state and federal laws to protect this private medical information.

Under Proposed Law:

  • Employing health facility must report all incidents to the patient and the California Department of Public Health or face fines for non-reporting ($100/day beginning 5 days after detection).
  • The Department would investigate and may assess a penalty against the facility of up to $250,000 for the release of this private medical information.
  • The Office of Health Information Integrity would investigate and could assess a penalty against the individual who gave the information as well as a penalty of $250,000 against the entity/individual who received the information.

4. NEGLIGENCE:

A hospital administrative clerk discards hundreds of paper medical records into a dumpster without shredding the documents.

Penalties/Enforcement Under Current Law:

  • No specific requirement to report violation to patient or to state and no fine for late reporting.
  • Employer may or may not take disciplinary action.
  • Attorney General or district attorneys could take action in current law; may or may not learn of incident; action is rare.
  • Fines available under current state and federal law are rarely enforced.

Under Proposed Law:

  • Employing health facility must report all incidents to the patient and the California Department of Public Health or face fines for non-reporting ($100/day beginning 5 days after detection).
  • Facility may be fined $25,000 for initial breach and $17,500 for subsequent breaches up to $250,000.
  • DPH would refer the individual to the Office of Health Information Integrity, which would:
    1) assess an administrative penalty of $2,500 to $25,000;
    2) report the individual (if licensed) to the proper licensing board; and/or
    3) refer the individual to local district attorney and the state Attorney General for action.


CHART 2

Real Examples of Administrative Penalties Issued in 2007 & 2008 and How the Administrative Penalties Would Change Under Proposed Legislation
(For a complete list of 39 penalties issued by facility, visit www.cdph.ca.gov)

  • An administrative penalty is a civil monetary penalty for a violation or deficiency constituting an immediate jeopardy to the health and safety of a patient. These penalties are assessed against general acute care hospitals, acute psychiatric hospitals and special hospitals after an investigation of a facility's noncompliance with requirements of licensure. These penalties are assessed and investigations are conducted by the California Department of Public Health, Licensing and Certification Program.
  • "Immediate jeopardy" is a situation in which the hospital's noncompliance with one or more requirements of licensure has caused, or is likely to cause, serious injury or death to the patient.


Example

Penalty Assessed Under Current Law

Proposed Law Would Allow

Medication Error: Three pediatric patients were given a thousand times the intended dosage of heparin, a blood thinner. The babies required emergency drug reversal agents in order to prevent serious injury or death from uncontrolled bleeding.

Penalty Assessed Under Current Law:

$25,000 (Fines would rise to $50,000 after regulations are written)

Proposed Law Would Allow:

  • $50,000 - 1st violation
  • $75,000 - 2nd violation
  • $100,000 - 3rd violation

Fines will rise by $25,000 (to $75,000, $100,000, and $125,000) when regulations are written


Wrong Surgical Procedure: A hospital fails to implement patient safety in the course of providing surgical services. The surgical staff does not verify the surgery site of a patient and does not review the patient's history and physical. As a result, surgery is performed on the wrong knee.

Medication Error: A hospital mixes up two patient records. This results in the death of one patient who mistakenly receives a potent narcotic.

Medication Error: A patient is mistakenly given a medication mix that increases the potential for excessive bleeding and/or hemorrhaging. The patient falls and sustains an injury to the head. A delayed CAT scan reveals a large subdural hemorrhage. The patient dies.

Inadequate Supply of Medication: A hospital fails to ensure the availability of required medications 24 hours a day. A delay in treatment results in a patient's death.

Use of Unsterilized Surgical Instruments: A hospital fails to ensure that surgical instruments are sterilized and cleaned before surgery. A patient undergoes surgery with instruments that are not sterile.

 