The University of California at Los Angeles Health System (UCLAHS) agreed to settle allegations of potential HIPAA violations for $865,500, according to a July 7, 2011 HHS press release.

The alleged violations stemmed from complaints that hospital employees were improperly accessing the protected health information of celebrities. An investigation by the Office of Civil Rights (OCR) revealed that from 2005 to 2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.

Covered entities should take note that UCLAHS is paying this significant settlement amount despite the fact that the alleged violations were by employees acting in an unauthorized manner. OCR faulted UCLAHS for not having policies and procedures sufficient to ensure that access to patient information is reasonably restricted to only those employees with a valid reason to view the information and that employees found to have violated these policies are sanctioned.

The Director of the OCR stated: “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.”

In addition to the $865,500 settlement, UCLAHS agreed to a corrective action plan that requires UCLAHS to implement HIPAA Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.