Jul 11, 2011 17:19 GMT
University of California at Los Angeles Health System settles HIPAA violations for $865,500

The University of California at Los Angeles Health System (UCLAHS) has agreed to pay $865,500 in order to settle two potential violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) launched an investigation after receiving complaints from two celebrities that their files were accessed without authorization by UCLAHS.

The probe revealed that multiple employees looked at the health information of numerous UCLAHS patients without permission between 2005 and 2008.

According to HIPAA's privacy and security rules, medical facilities must make reasonable efforts to restrict access to patient information only to authorized personnel. Any employee who violates these policies should be sanctioned.

"Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider," said OCR Director Georgina Verdugo.

"Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law," she added.

As part of the settlement, UCLAHS has agreed to implement security and privacy policies under the guidance of OCR, to conduct staff trainings regarding the handling of protected information, to sanction employees who violate the policies, and to designate an independent monitor who will assess its compliance for three years.

This is the third HIPAA monetary penalty issued by HHS this year. In February, the OCR issued a $4.3 million fine to Maryland-based Cignet for refusal to provide patients with access to their records. That same month, Massachusetts General Hospital agreed to settle a HIPAA violation stemming from the loss of patient data for $1 million.

"Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity," Verdugo said.