Featured Health Business Daily Story, July 19, 2011

UCLA Health System Settles HIPAA Case Over Celebrity Snooping

Reprinted from REPORT ON MEDICARE COMPLIANCE, the nation's leading source of news and strategic information on Medicare compliance, Stark and other big-dollar issues of concern to health care compliance officers.

By Nina Youngstrom, Managing Editor
July 11, 2011, Volume 20, Issue 25

The University of California at Los Angeles Health System (UCLAHS) has agreed to pay $865,500 to settle alleged HIPAA violations over employees who peeked at two celebrities’ electronic medical records. UCLA Health System also will implement corrective actions to fix gaps in its HIPAA compliance, the HHS Office for Civil Rights announced July 7.

Two separate complaints were filed against UCLAHS on behalf of two celebrity patients who were treated there, according to its “resolution agreement” with OCR, which describes the following conduct:

(1) Between Aug. 31 and Nov. 16, 2005, a number of workforce members “repeatedly and without a permissible reason” examined patients’ ePHI, and the same thing happened between Jan. 31 and Feb. 2, 2008.

(2) Between 2005 and 2008, an employee from the director of nursing’s office “repeatedly and without a permissible reason examined the electronic protected health information of many patients.”

Settlement Is OCR’s Third This Year

UCLAHS does not admit liability in the resolution agreement, which also alleges UCLAHS failed to discipline workforce members who looked at patient records inappropriately or train employees generally.

This is OCR’s third privacy settlement with a provider this year. Another prestigious organization — Massachusetts General Hospital — paid $1 million to settle alleged HIPAA privacy violations over confidential paperwork that an employee accidentally left on the Boston subway in March 2009 (RMC 3/14/11, p. 1). And Cignet Health Center, a Temple Hills, Md., medical group, paid $4.3 million to settle allegations that it refused to give some patients copies of their medical records and then failed to cooperate with OCR’s investigation (RMC 2/28/11, p. 4). Like Massachusetts General, UCLAHS had to agree to a corrective action plan as part of its settlement. It requires UCLAHS to implement OCR-approved privacy and security policies and procedures, train all employees who use PHI and discipline employees who break privacy and security rules. UCLAHS also must hire an independent monitor to evaluate its compliance during a three-year period.

UCLAHS includes the UCLA Ronald Reagan Medical Center, the UCLA Santa Monica Medical Center and Orthopedic Hospital, the Resnick Neuropsychiatric Hospital and the Faculty Practice Group of UCLA.

In a statement, UCLAHS says it has been working for the past three years to improve its auditing, data security and staff training. In collaboration with OCR, UCLAHS “continues to take measures to demonstrate our ongoing commitment to protecting our patients’ privacy. Everyone, from nurses and doctors to staff and students, views patient confidentiality as a constant, high priority and an essential component of patient care.”

View the settlement and corrective action plan at www.hhs.gov/ocr.
