UCLA Health System pays $865G to settle HIPAA violation charges

UCLA Health System has agreed to pay a fine of $865,000 and to develop a correction action plan to settle potential HIPAA privacy violations involving improper disclosures of medical records at its three hospitals, the federal Office of Civil Rights (OCR) reports. 

OCR launched the investigation in 2009, following complaints by two unnamed celebrities that their medical records had been compromised. The government probe revealed that from 2005 to 2008, "unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients," according to an OCR press release.

The Los Angeles Times reports that violations allegedly occurred at all three UCLAHS hospitals: Ronald Reagan UCLA Medical Center, Santa Monica UCLA Medical Center, and Orthopaedic Hospital and Resnick Neuropsychiatric Hospital, which are regarded as a single unit.

The hospital had disclosed in April 2008 that it had discovered that several employees had snooped into the patient records of dozens of celebrities, including Britney Spears, Tom Cruise and Maria Shriver.

When the alleged violations came to light in 2008, the California legislature passed a law that imposed escalating fines on hospitals for patient privacy breaches. The state fined UCLAHS $95,000 in 2009, reportedly in connection with the medical records of the late Michael Jackson.

The UCLAHS settlement with OCR is much smaller than previous HIPAA settlements, including those involving CVS Caremark ($2.25 million) and Rite Aid ($1 million).

As part of its settlement, UCLAHS agreed to institute new security and privacy policies, improve employee training, take action against employees who violate privacy rules, and designate an independent monitor to oversee compliance.

In a statement, UCLAHS said, "The UCLA Health System considers patient confidentiality a critical part of our mission of patient care, teaching and research. Over the past three years, we have worked diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities."

To learn more:

--Read the OCR press release
--See the UCLAHS statement
--Check out the Los Angeles Times story

Related content:
UCLA staff accused of viewing Britney Spears' records
Hospital system fires 32 for peeking at EMRs
Internal issues are a bigger health IT security threat than hackers
EHRs cited as data breaches continue upward climb
Office of Civil Rights carrying out mandate to enforce HIT security