California health regulators fined Kaiser Permanente's Bellflower hospital $250,000 Thursday for failing to keep employees from snooping in the medical records of Nadya Suleman, the mother who set off a media frenzy after giving birth to octuplets in January.
The fine is the first monetary penalty imposed and largest allowed under a new state law enacted last year after widely publicized violations of privacy at UCLA Medical Center involving Farrah Fawcett, Britney Spears, California First Lady Maria Shriver and other celebrities.
Since the law took effect Jan. 1, hospitals have reported about 300 incidents in which patient records were inappropriately accessed or disclosed. Most of those were inadvertent, such as giving discharge instructions or medication orders to the wrong patients, but some involved prying into patients' records without permission.
The state Department of Public Health found that breaches of Suleman's records extended beyond the Bellflower hospital and continued even after Kaiser first informed regulators it had a breach. Eight workers at other Kaiser hospitals and the chain's regional office were among those implicated, said Kathleen Billingsley, deputy director of the Public Health Department's Center for Health Care Quality.
The steps Kaiser took to protect Suleman's privacy were not aggressive enough, Billingsley and other state health officials said.
"It's the hospital's job to prevent these breaches from occurring, not just crack down after the fact," said Kim Belshe, secretary of California's Health and Human Services.
The law allows the Department of Public Health to impose fines against healthcare facilities of up to $25,000 per patient for the first violation and $17,500 for each additional violation, up to $250,000. A separate law allows fines to be imposed against individual healthcare workers. Belshe said the Kaiser workers were still being investigated by the California Office of Health Information Integrity, which will decide whether individual penalties will be imposed.
"The fine issued today should be a reminder that there are consequences for violations of medical privacy," Gov. Arnold Schwarzenegger said in a written statement.
Kaiser told the public health agency on Feb. 5 that two employees inappropriately accessed the records of Suleman, who gave birth on Jan. 26 to the world's only surviving octuplets, according to a Public Health Department report issued Thursday. By Feb. 20, six employees had been identified as having accessed records without authorization. On March 20, 17 more employees were added to the list, including two doctors, for a total of 23.
Of those, 15 were either terminated or resigned under pressure and eight faced other disciplinary actions, the state said in a report. The doctors were among those disciplined, not fired.
As is common practice, the state did not identify Suleman by name, but the facts, dates and circumstances match those of her case.
Kaiser spokesman Jim Anderson said the hospital took numerous steps to protect Suleman's privacy. It issued repeated warnings to staff members about privacy laws and added a prompt to her computerized records warning employees of the consequences for looking without permission.
Anderson said there was no proof that any of the employees leaked information to the media. "We share the department's concern for patient confidentiality, which is why we took all the strong action we took in this case," Anderson said. "Despite everything we did to try to prevent these kinds of things from happening, it is obvious that curiosity got the better of some people."
Jeffery Czech, Suleman's lawyer, said his client was not happy that unauthorized personnel looked at her records. But given the amount of gossip that has been printed about her private life, Czech said, "she's a little deadened to it."
"I think Kaiser handled it professionally. They found out, they terminated the employees, they brought it to our attention. They certainly didn't try to hide it," he said.
In their report, state officials said Kaiser's risk management office did not produce a list of all the employees who accessed Suleman's records until Feb. 5, more than a week after she gave birth.
"I believe that they should have anticipated it," Billingsley said. "If you know someone is coming in, a well-known individual or something that has the potential for other people to be curious . . . you should be able to come up with a solution."
Kaiser has 10 days to decide whether to appeal the fine. Anderson said officials were still evaluating the matter.
The breaches involving Fawcett's medical records -- first reported by The Times in April 2008 -- enraged California lawmakers and prompted the new law. In Fawcett's case, a low-level UCLA employee accessed her records more often than her own doctors. The employee pleaded guilty last year to federal felony charges of selling the information to the National Enquirer. The woman died of cancer in March before she could be sentenced.
Although state inspectors last year found widespread privacy violations at UCLA, the hospital cannot be fined under the state law because the breaches took place before the law took effect.
Federal law prohibits the unauthorized accessing of a patient's medical records. Since 2003, the U.S. Department of Health and Human Services has received nearly 44,000 privacy complaints. The agency has said it favors helping facilities make needed changes voluntarily as opposed to imposing fines.
Dr. Deborah Peel, founder of Patient Privacy Rights Foundation in Austin, Texas, said new technologies should be used to prevent unauthorized workers from accessing data in the first place.
"Fines are a last resort and I'm sure they will help," Peel said, but unprotected patient information is "like leaving money in an unlocked room."
Ornstein is a senior reporter at ProPublica, a nonprofit investigative reporting newsroom in New York.