UCLA Health System Fined $865,500
HIPAA Violations Lead to Resolution Agreement
UCLAHS has agreed to pay a fine of $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules.
The investigation began in 2009 after complaints were filed on behalf of two celebrity patients, alleging that employees at UCLAHS repeatedly viewed their electronic protected health information, as well as that of other patients, without permission.
"From August 31, 2005 to November 16, 2005, workforce members repeatedly and without a permissible reason examined the electronic protected health information of the patients, and again did so between January 31, 2008 and February 2, 2008," according to a statement from HHS.
During the same period, UCLAHS failed to provide appropriate training to all members of its workforce, did not apply and document sanctions against workers who examined the health records, and neglected to implement security measures "sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level," according to the statement.
UCLAHS, in its agreement, will:
- Pay HHS the amount of $865,500;
- Review, revise and maintain, as necessary, existing policies and procedures and develop written policies and procedures that comply with federal standards that govern the privacy of individually identifiable health information;
- Distribute the updated policies and procedures, once reviewed by HHS, to all current and new members of its workforce who have access to protected health information within 30 days of HHS approval; and
- Update policies and procedures at least annually and more frequently if appropriate.
"Our patients' health, privacy and well-being are of paramount importance to us," says Dr. David T. Feinberg, CEO of UCLAHS and associate vice chancellor for health sciences, in a prepared statement. "We appreciate the involvement and recommendations made by OCR in this matter and will fully comply with the plan of correction it has formulated."
Other HIPAA resolution agreements HHS has reached include those with General Hospital Corp. & Massachusetts General Physicians Organization, Inc., Rite Aid Corporation and CVS Pharmacy, Inc.
In 2010, a former surgeon at UCLAHS, Huping Zhou, was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou became the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California. [See: HIPAA Violation Leads to Prison Term]
HHS enforces the federal standards that govern the privacy of individually identifiable health information under HIPAA, as well as the federal standards that govern the security of electronic health information. HHS has the authority to investigate complaints alleging HIPAA violations by covered entities, and covered entities must cooperate with those investigations.