UCLAHS Settles Potential HIPAA Violations
The HHS OCR has announced its settlement with the University of California Los Angeles Health System (UCLAHS) for potential violations of the HIPAA Privacy and Security Rules. The settlement and resulting Resolution Agreement resolved two separate complaints alleging UCLAHS employees repeatedly accessed the electronic protected health information (PHI) of two celebrity patients out of curiosity.
The OCR investigations which began in June of 2009 found that throughout 2005-2008, employees of UCLAHS accessed the PHI of patients without reason. OCR also found that UCLAHS had failed to provide and/or document appropriate HIPAA training for its employees, implement appropriate security measures and assess and/or apply sanctions against employees who accessed PHI without reason.
UCLAHS is required under the Resolution Agreement to pay $865,500 and implement a corrective action plan that includes putting into place HIPAA privacy and security policies approved by OCR to address permissible and impermissible uses and disclosures of PHI as well as training and appropriate sanctions against employees for non-compliance. UCLAHS is also required by the Resolution Agreement to designate an independent monitor to assess UCLAHS’s compliance with the plan over the next three (3) years.
The Director of OCR, Georgina Verdugo, stated:
Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health informaiton to satisfy their own personal curiosity.
You can read the full Resolution Agreement here and the HHS press release here.
