In the latest big-ticket enforcement action for alleged HIPAA privacy and security violations, the University of California at Los Angeles Health System (UCLAHS) has agreed to pay the U.S. Department of Health and Human Services (HHS) $865,500 to settle allegations the hospital violated HIPAA’s privacy and security rules.
The settlement, announced July 7, resolves two separate complaints filed with HHS’ Office for Civil Rights (OCR) on behalf of two celebrities who were treated at UCLAHS. The complaints alleged that hospital employees who didn’t have a job-related reason to look at these individuals’ records repeatedly did so anyway.
When OCR investigated these complaints, it found that from 2005 to 2008, unauthorized employees repeatedly looked at the electronic protected health information (PHI) of many other UCLAHS patients as well, according to the agency.
In addition to the monetary settlement, the “resolution agreement” includes a corrective action plan (CAP) aimed at remedying gaps in UCLAHS’s HIPAA compliance. The CAP involves:
- implementing privacy and security policies and procedures approved by OCR;
- conducting “regular and robust” training for all UCLAHS employees who use PHI;
- sanctioning offending employees; and
- designating an independent monitor to assess UCLAHS compliance with the plan over three years.
In a statement, UCLAHS officials said they’ve improved their privacy practices and security capabilities steadily since 2008, and will keep at it. “We appreciate the involvement and recommendations made by OCR in this matter and will fully comply with the plan of correction it has formulated,” said UCLAHS CEO David Feinberg.
The resolution agreement, including the CAP, can be found on OCR’s website.