The UCLA Health System will pay $865,500 as part of a settlement agreement because its employees snooped into celebrity patients' medical records resulting in a violation of the Health Insurance Portability and Accountability Act of 1996, or HIPPA violation .
The U.S. Department of Health and Human Services on Thursday said the agreement was reached following an investigation by its Office of Civil Rights, or OCR, into allegations that UCLA Health System violated the privacy and security rules of HIPPA.
The Office of Civil Rights enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives people rights over their protected health information and sets rules and limits on uses and disclosures of that health information.
The federal agency said UCLA Health System has committed to a corrective action plan to fix any gaps in its compliance with the rules.
The agreement resolves two separate celebrity complaints filed with the Office of Civil Rights after receiving care at UCLA Health Systems, according to a Department of Health and Human Services release.
The complaints alleged that employees at UCLA Health Systems repeatedly looked at the electronic protected health information of the celebrity clients without the patients' permission. Furthermore, the Office of Civil Rights' probe into the complaints revealed that unauthorized employees repeatedly accessed electronic protected health information of other UCLA Health Systems patients between 2005 and 2008, the federal agency release stated.
Any entity covered under HIPPA, through policies and procedures, must reasonably restrict access to patient information to only those employees with a valid reason to view that information. It must sanction any employee who is found to have violated these policies, Health and Human Services said in statement.
Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider, said Director Georgina Verdugo, director of Office of Civil Rights in a statement. Employees must clearly understand that casual review for personal interest of patients' protected health information is unacceptable and against the law.
The UCLA Health System issued statement noting that it considers patient confidentiality a critical part of its mission of patient care, teaching and research. The hospital system further stated that over the past three years it has worked to strengthen staff training, implement enhanced data security systems and increase its auditing capabilities.
Our patients' health, privacy and well-being are of paramount importance to us, said Dr. David T. Feinberg, chief executive officer of UCLA Hospital System and associate vice chancellor for health sciences. We appreciate the involvement and recommendations made by OCR in this matter and will fully comply with the plan of correction it has formulated. We remain vigilant and proactive to ensure that our patients' rights continue to be protected at all times.
Health and Human Services said the corrective action plan requires that UCLA Health System implement Privacy and Security policies and procedures approved by the Office of Civil Rights and to conduct regular and robust trainings for all that UCLA Health System employees who use protected health information. The health system must also sanction offending employees and designate an independent monitor who will assess UCLA Health System compliance with the plan over three years.