What HHS may not do, a state might

Back in June, 2014, this site noted two breaches disclosed by Rady Children’s Hospital in San Diego that involved patient data being disclosed to job applicants. Later that month, we learned that in the process of investigating the two known breaches, Rady uncovered two more such breachesRady duly notified HHS in June, 2014.

More than two years later, there is still no closing notation on the incidents on HHS’s public breach tool, which may mean that HHS’s investigation is still ongoing.

But while HHS may not have concluded their investigation nor taken any action (yet?), California has. In November, 2015, the California Department of Public Health issued a penalty notice to Rady over the breaches.

The amount was $250,000.00.

Rady did not appeal the penalty, and the case was closed in July.

If you’ve never spent any time on CDPH’s web site to look at their enforcement actions, you might find it a bit enlightening, as even single-patient breaches of information may lead to monetary penalties for entities regulated by the state.  Some of the penalties may be on the order of $1500.00 – $2500.00, but I am no longer surprised to see penalties of $50,000 and up.

It’s a shame that more states don’t make such information publicly available so that members of the public can see how their state responds to confidentiality or medical privacy breaches by regulated facilities.

Has anyone actually done a study of state enforcement actions for medical confidentiality/privacy breaches that compares monetary penalties and the frequency of enforcement actions across states? If you know of one, please let me know.

About the author: Dissent

Has one comment to “What HHS may not do, a state might”

You can leave a reply or Trackback this post.
  1. Justin Shafer - August 11, 2016

    Figuring out OCR is like trying to figure out my wife… In fact, I am willing to wager that somehow the majority of federal employees at OCR…….


Comments are closed.