On July 6, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ("HHS-OCR") entered into a resolution agreement with the Regents of the University of California, on behalf of the University of California at Los Angeles Health System ("UCLA Health System"), to settle allegations that UCLA Health System violated the HIPAA Privacy and Security Rules ("Resolution Agreement"). Under the Resolution Agreement, UCLA Health System agreed to pay $865,000 and implement a corrective action plan ("CAP") in order to settle allegations that it violated the HIPAA Privacy and Security Rules. The allegations stemmed from reports that employees improperly accessed the protected health information ("PHI") of UCLA Health System patients, including a number of celebrity patients.
Pursuant to the three-year CAP, UCLA Health System must:
- Develop, maintain, and revise written policies and procedures governing (1) permissible and impermissible use and disclosure of PHI, (2) security awareness standards, information access management standards, workstation use standards, authorization and/or supervision standards, and workforce clearance standards, (3) application of sanctions against workforce members for violations of the policies set forth in 1 and 2 above, and (4) training of workforce members to ensure that they know how to comply with the policies set forth in 1 and 2 above.
- Notify HHS-OCR of any "Reportable Events," which include violations of the policies and procedures required by the CAP.
- Distribute the policies and procedures, and provide training, to workforce members and obtain employee certification of training and receipt of policies and procedures.
- Appoint a monitor to investigate, assess, and make determinations regarding UCLA Health System’s compliance with the CAP and report such findings to HHS-OCR.
- Submit a CAP implementation report, including certain attestations regarding UCLA Health System’s compliance with the CAP requirements, and an annual report, describing its compliance with the CAP, including a summary of reportable events (i.e., violations of the CAP).
HHS-OCR Director Georgina Verdugo stated in the HHS-OCR press release that, "[c]overed entities are responsible for the actions of their employees. This is why it is vital that training and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider." Notably, Verdugo also stated that, "[e]mployees must clearly understand that casual review for personal interest of patients’ [PHI] is unacceptable and against the law … [and] [e]ntities will be held accountable for employees who access [PHI] to satisfy their own personal curiosity." Verdugo’s comments support the view that covered entities should review and, where appropriate, revise their policies regarding access to PHI and conduct training that emphasizes that HIPAA does not merely prevent disclosure of PHI (as most state laws historically have), but that it prohibits even the use, which includes the viewing, of PHI without a legitimate purpose.