What HHS may not do, a state might
Back in June, 2014, this site noted two breaches disclosed by Rady Children’s Hospital in San Diego that involved patient data being disclosed to job applicants. Later that month, we learned that in the process of investigating the two known breaches, Rady uncovered two more such breaches. Rady duly notified HHS in June, 2014.
More than two years later, there is still no closing notation on the incidents on HHS’s public breach tool, which may mean that HHS’s investigation is still ongoing.
But while HHS may not have concluded their investigation nor taken any action (yet?), California has. In November, 2015, the California Department of Public Health issued a penalty notice to Rady over the breaches.
The amount was $250,000.00.
Rady did not appeal the penalty, and the case was closed in July.
If you’ve never spent any time on CDPH’s web site to look at their enforcement actions, you might find it a bit enlightening, as even single-patient breaches of information may lead to monetary penalties for entities regulated by the state. Some of the penalties may be on the order of $1500.00 – $2500.00, but I am no longer surprised to see penalties of $50,000 and up.
It’s a shame that more states don’t make such information publicly available so that members of the public can see how their state responds to confidentiality or medical privacy breaches by regulated facilities.
Has anyone actually done a study of state enforcement actions for medical confidentiality/privacy breaches that compares monetary penalties and the frequency of enforcement actions across states? If you know of one, please let me know.