California has its own medical privacy law. Under the 1981 Confidentiality of Medical Information Act, any "person or entity" that "obtains, discloses or uses" patient information without authorization faces civil fines of $2,500 to $250,000.
But no one seems to know how often or even whether such fines have been levied.
The law leaves jurisdiction to the courts, not to state health officials. City attorneys, county district attorneys and the state attorney general can bring lawsuits on behalf of patients -- if they or the patients know about the breach.
The state Department of Public Health said last week that it had opened an investigation of UCLA Medical Center under a separate state law governing the licensing and certification of hospitals and other healthcare facilities.
The steps it can take under this law are limited. If state investigators find deficiencies, the institution under investigation must create a plan of correction. The state reviews the plan, then revisits the hospital to make sure the problems have been fixed.
"This doesn't mean that the state doesn't have some tools beyond the Department of Public Health," said Kim Belshe, secretary of the state's Health and Human Services Agency, on Tuesday. "My understanding is that we could refer the case to the attorney general to enforce the [Confidentiality of Medical Information Act], or to the local district attorney or the city attorney. We're looking at all three."
--
ricardo.alonso-zaldivar @latimes.com
Times staff writer Mary Engel contributed to this report.
