Privacy Violations Result in Fines for Hospitals Under Strict California Laws

November 23, 2010, Torrance, CA: The California Department of Public Health recently issued fines against hospitals in the state for patient privacy violations, totaling more than $700,000. The physical and logical protection of patient data is a fundamental requirement in today's hospital climate. The fined entities included Kern Medical Center, Bakersfield ($250,000 for theft of 596 test documents); Pacific Hospital of Long Beach ($225,000 for an identity theft); Kaweah Manor Convalescent Hospital, Visalia ($125,000 for an identity theft); Delano Regional Medical Center ($60,000 for unauthorized access to records); Children's Hospital of Orange ($25,000 for unauthorized access to records); Oroville Hospital ($42,500 for an employee discussing a patient case); and Biggs Gridley Memorial Hospital, Gridley ($5,000 for unauthorized access to records).

As regulations increase, hospitals have to be more diligent in implementing and monitoring security controls. The Top 5 protections a healthcare organization needs in order to move towards a HIPAA Security Rule compliant environment include:

1. Conduct a Risk Assessment: Section 164.308(a)(1) of HIPAA requires an organization to conduct a risk analysis before any solution is implemented. It is important to know your network's vulnerabilities. Officials must understand what type of information might get exposed, who might expose it, and how and where it could be exposed. The result of this analysis will guide the creation of security policies and procedures.

2. Take a Multi-Layer Approach: A single technology cannot provide complete protection. Implementing firewalls, anti-virus software, anti-spam, and intrusion prevention are just some of the things needed to keep patient data completely secure.

3. Don't Forget About Email: More patient data is breached through email than any other source. It is crucial to have secure email and full content filtering. You need both inbound and outbound filters to protect personal health information, and encryption is key.

4. Implement Policies: Employees must be educated on the security policies of the organization, why the policies are important, and how to protect confidential information. eSecurity training is the first step in this important process. Implement a security awareness and training program for all members of the workforce, including management.

5. Back Up Your Data Offsite (Securely): Offsite data backup has become the easier and safer alternative to the outdated tape method. Offsite data backup offers multiple encryption methods, sophisticated file search capability, and complete automation. You can recover your data swiftly and test your backup information quickly for accuracy and completeness.

KRAA Security is a trusted name in the security industry. The firm conducts comprehensive physical security assessments to identify potential physical security risks in hospitals. KRAA Security also conducts data security assessments that meet HIPAA Security Rule requirements to determine whether patient databases are at risk. An evaluation by KRAA Security will pinpoint the problem areas that affect the safety of customers and employees, and the areas on the premises that would facilitate theft, vandalism and intrusions, both logical and physical.

Contact: Jasmine Jones

KRAA Security, 888-KRAA-911

Risk Mitigation Solutions