
California health system settles privacy breaches case

By Stephanie Bouchard

The University of California at Los Angeles Health System (UCLAHS) is settling potential violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules for $865,500, said the U.S. Department of Health and Human Services' Office for Civil Rights.

HHS investigated two separate complaints filed by unnamed celebrity patients who received care at UCLAHS. The patients claimed that employees at UCLAHS had looked at, repeatedly and without permission, their protected electronic health information. Under HIPAA, only those employees who have a valid reason to view patient information may do so.

[See also: Healthcare patient data breaches cost U.S. $6B annually.]

The Office for Civil Rights’ investigation found that between 2005 and 2008, unauthorized employees did repeatedly look at the protected electronic health information of a number of patients at UCLAHS.

The Los Angeles Times reported that during the time period covered by the complaints, hospital employees were caught and fired for looking “at the medical records of dozens of celebrities, including Britney Spears, Farrah Fawcett and then-California First Lady Maria Shriver.”

The newspaper noted that one of the health system’s hospitals, Ronald Reagan UCLA Medical Center, was fined $95,000 by state regulators when the privacy of Michael Jackson’s medical records was violated after the former pop star was taken to the hospital following his death.

[See also: Security breaches prove costly for California hospitals.]

“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections,” said OCR Director Georgina Verdugo in a statement about the settlement. “Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.”

As part of the settlement, UCLAHS has also agreed to a corrective action plan to fix the gaps in its compliance with HIPAA rules. The Los Angeles Times reported that the corrective plan includes retraining the staff on privacy protection and naming a person to monitor the health system’s agreed-upon improvements and to report to regulators on the health system for three years.