UCLA Health System Agrees To Pay $865K Over Privacy Breaches

UCLA Health System has agreed to pay $865,500 as part of a settlement with federal regulators over allegations that UCLA hospital employees violated the Health Insurance Portability and Accountability Act by viewing celebrities' electronic health records without authorization, the Los Angeles Times reports (Hennessy-Fiske, Los Angeles Times, 7/8).

The agreement marks HHS' third largest settlement for HIPAA violations (Nicastro, HealthLeaders Media, 7/7).

Background

HHS' Office for Civil Rights began investigating the claims after two celebrities lodged separate complaints in 2009 about hospital workers improperly accessing their medical records (Goedert, Health Data Management, 7/7). OCR did not identify the celebrities involved (Conn, Modern Healthcare, 7/7).

According to an OCR statement, the investigation found that "unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients" between 2005 and 2008.

OCR also found that the UCLA Health System failed to use adequate security measures or properly document certain trainings or sanctions (Health Data Management, 7/7).

The federal enforcement action comes after California has taken steps to bolster its patient privacy protections. In 2008, the state Legislature passed strict privacy laws (SB 541 and AB 211) after discovering that health workers had improperly accessed the medical records of California's former first lady Maria Shriver, singer Britney Spears and actress Farrah Fawcett (Modern Healthcare, 7/7).

Details of the Settlement

As part of the settlement agreement, UCLA Health System was required to submit a corrective plan to federal regulators outlining how the organization would prevent future privacy breaches (Los Angeles Times, 7/8).

In its corrective plan, the health system agreed to:

• Establish HHS-approved privacy and security policies;
• Conduct regular, comprehensive trainings for all staff members who work with protected health data;
• Take action against employees who violate privacy rules; and
• Designate an independent monitor to evaluate the health system's compliance with the corrective plan over the next three years (Vijayan, Computerworld, 7/7).

UCLA Health System Response

Responding to the settlement, UCLA Health System issued a statement saying that it has worked "diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities."

David Feinberg -- CEO and associate vice chancellor for health sciences at the UCLA Hospital System -- said "Our patients' health, privacy and well-being are of paramount importance to us." He added, "We remain vigilant and proactive to ensure that our patients' rights continue to be protected at all times" (Ornstein, ProPublica, 7/7).