The Los Angeles Times reports that the nature of the “repeated” and “extended” violations is giving lawmakers energy to introduce a new set of state laws:
In part because of the breaches, Gov. Arnold Schwarzenegger has endorsed legislation that would impose penalties on hospitals and healthcare workers for breaching patient privacy.
“Californians have every right to expect their medical records to be safeguarded and protected, and I am alarmed about repeated violations of patient confidentiality and the potential harm to the citizens of this state,” Schwarzenegger said in a statement. “By putting financial penalties in place for those employees and facilities that do not follow these laws, this legislation will lead to better care for all Californians.”
Under the legislation, being carried by Sen. Elaine Alquist (D-Santa Clara) and Assemblyman Dave Jones (D-Sacramento), healthcare workers who unlawfully view patient records would be fined from $1,000 to $250,000, depending on the seriousness of the violation. Hospitals and other health facilities would face fines of $25,000 to $250,000 for similar violations.
The legislation also would increase penalties for hospitals found to have put patients in jeopardy of harm or death, to $100,000 from $25,000.
Whether or not you agree with HIPAA, it is clear that the CA state law that forced breach notification has been the most effective rule to date for information security practices and privacy. It will be interesting to see the effect of another CA privacy law dedicated to healthcare. Note that the governor recently struck down a PCI-like bill in CA because he said the private sector was doing well enough regulating itself and did not need duplicate legislation or interference. So, for now, PCI might seem ugly to some, but it is what an industry can do to keep ahead of hot-button topics for elected officials.