On July 5, 2011, the UCLA Health System (UCLAHS) agreed to pay $865,500 and enter into a three-year Corrective Action Plan (CAP) in order to settle Health Insurance Portability and Accountability Act (“HIPAA”) complaints investigated by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). This is the fourth HIPAA fine/settlement this year. This alert discusses the complaints, the settlement, and the takeaways.
The complaints against UCLAHS alleged that from 2005 through 2008: (i) a number of UCLAHS employees examined patients’ electronic protected health information (PHI) without the patients’ authorization, (ii) UCLAHS did not establish and document the required HIPAA privacy training for employees, (iii) UCLAHS did not appropriately sanction employees who accessed electronic PHI without authorization, and (iv) UCLAHS did not implement appropriate security measures to reduce unauthorized access to electronic PHI. UCLAHS does not admit liability in the settlement agreement with the OCR.
In addition to the fine, UCLAHS agreed to promptly review, revise, and maintain appropriate security policies and procedures; distribute and continuously update the policies and procedures; actively train employees with respect to the policies and procedures; prepare annual reports regarding compliance with the CAP; and designate a monitor approved by the OCR to review compliance with the CAP on a continuous basis over the next three years.
Following the settlement, OCR Director Georgina Verdugo stated, “Covered entities [under HIPAA] are responsible for the actions of their employees…Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”
The complaints against UCLAHS originated when two “celebrity patients” treated at UCLAHS facilities suspected that employees “repeatedly and without permission” accessed the celebrities’ electronic PHI. In connection with these allegations and suspicions that unauthorized viewing of electronic PHI may be widespread, California enacted stricter privacy laws in 2008 to combat the practice.
There is no question that OCR has stepped up its enforcement activities, and all indications are that additional fines and penalties will be assessed against covered entities and business associates as a result of OCR investigations. The takeaway is that covered entities and business associates should make HIPAA compliance a top priority, including policies and procedures and employee training.