ENloe Medical Center
530.332.5589 - office
Enloe protests health-privacy citation
CHICO, Calif., Thursday, June 10, 2010 – Enloe Medical Center will challenge a fine that will be levied by the California Department of Public Health. The administrative penalty is for a breach of protected health information that Enloe discovered, investigated and self-reported in July 2009. The California Department of Public Health (CDPH) gave Enloe its first notification on the findings and related administrative penalty nearly a year later, on June 7, 2010.
In seven separate instances, the medical records of one patient were inappropriately accessed. The violations involved staff from five physician offices, a credit bureau and one Enloe employee. Enloe immediately began to mitigate the breach upon discovery, and continues to monitor and safeguard patient privacy. The breach was not identified by the CDPH; rather it came as a result of Enloe’s close monitoring of medical record activity for high-profile cases, investigation of inappropriate access to one patient’s medical record, and the timely self-reporting of the discovery.
For many years, Enloe has had a number of safeguards in place to ensure the confidentiality of protected health information. These safeguards include monitoring of medical record activity, which enabled the medical center self-report the July 2009 breach, which the CDPH investigated in August and September 2009. Enloe also provides code of conduct training during new employee orientation and as part of annual competency modules. These safeguards were taken at each location of the breach, however access was misused.
“Enloe Medical Center goes above and beyond the requirements of the law to protect patient privacy, which is the reason we were able to detect the breach,” said Mike Wiltermood, Enloe’s Chief Executive Officer. From our perspective, Enloe Medical Center’s early detection of the patient information breach, along with our long-standing safeguards and privacy processes, were not taken into consideration as the law clearly allows when CDPH chose to apply the $130,000 administrative penalty, Wiltermood said.
“The law itself is fair, but it becomes unfair in the manner that the CDPH enforces it,” Specifically, the law, which is a section of the California Health and Safety Code, states that the CDPH has discretion to consider several factors when determining the amount of a penalty. “We are concerned that the manner in which CDPH is levying the fines could do more to discourage reporting of breaches rather than to truly strengthen patient privacy,” Wiltermood said. “We believe that CDPH is penalizing hospitals that self-report violations in good faith. This misapplication of the law punishes hospitals like ours that consistently exceed the legal requirements for maintaining and monitoring patient privacy measures.
“The actions taken by six non-Enloe employees to breach patient privacy should be considered unlawful acts, not an accurate reflection of our processes ensuring the confidentiality of patient information. Enloe prides itself on a collaborative and transparent relationship with the state,” Wiltermood said. “Our hope is that the state will consider such collaboration and transparency when administering fines that could undermine the credibility of an organization within the community it is committed to serving.”
Enloe Medical Center is a local, nonprofit health care organization. For more information, please call 530/332-7300 or visit us online at http://www.enloe.org. Enloe Medical Center is located at 1531 Esplanade Chico, Calif. 95926.