On July 6th, the HHS Office of Civil Rights concluded a Resolution Agreement and Corrective Action Plan with the UCLA Health System (UCLAHS) to address allegations that numerous UCLAHS employees had “repeatedly and without a permissible reason” examined the electronic medical records of UCLAHS patients. While the high-profile patients whose files were allegedly viewed (the late Farrah Fawcett and then-First Lady Maria Shriver) likely spurred HHS toward enforcement in this particular instance, what remains is an expanding track record of HIPAA enforcement by OCR. What this means for covered entities and business associates (once OCR begins to enforce the expanded scope of HIPAA under the HITECH Act amendments) is that the potential for penalties and expensive remediation is increasingly real and increasingly likely.

The allegations of the UCLAHS incident were essentially that employees were curiously snooping into the health files of specific patients in the hospital system during two periods in 2005 and 2008. OCR further asserted that UCLAHS did not provide and/or document the provision of appropriate Privacy Rule and/or Security Rule training; that UCLAHS failed to appropriately sanction those employees impermissibly viewing patient files; and that the health system failed to implement suitable security safeguards to reduce the risk of unauthorized access to patient files. Therefore, while the allegations ostensibly involved violations of the Privacy Rule, OCR asserted that inadequate Security Rule implementation facilitated the disclosures. As with all such Resolution Agreements, the covered entity in question does not admit liability in settling the claims.

Because the allegations of employee snooping triggered both Privacy Rule and Security Rule compliance claims, the three-year Corrective Action Plan (CAP) incorporates a series of remediation efforts and assessments that are to be made available to OCR. These include: revision of applicable Privacy Rule and Security Rule policies within UCLAHS, for which the CAP provides specific requirements as to content; training, and documentation of that training, on the revised policies; and designation of an independent external assessor to conduct three annual assessments of UCLAHS’s compliance with the requirements of the CAP.

UCLAHS (and any other entity that faces this situation in the future) will now enter a series of discussions with OCR as UCLAHS seeks OCR’s approval of the independent assessor and OCR subsequently provides detailed feedback on the assessor’s draft work plan. Unlike the requirements of a consent order from the FTC, OCR is an active participant in the interviewing and approval of the assessor as well as in the scope and detail of how the assessment will be conducted. In addition to the three annual assessments, UCLAHS will have its own responses to prepare after each assessment, plus annual reports conveying the organization’s update on the prior year’s compliance.

While HHS had been criticized in the past over a lack of Privacy Rule and Security Rule enforcement, the last few years have silenced many of those critics. OCR has now enforced the Privacy and Security Rules in different contexts, including the failure to properly dispose of hardcopy PHI, the failure to grant patients access to their health records, the improper disclosure (i.e. loss) of sensitive patient files, and now an improper but solely internal disclosure. Given the increased activity of OCR in response to the self-reporting requirements of the breach notification rule, plus the ability of state attorneys general to enforce HIPAA violations on behalf of their constituencies, those subject to the Privacy Rule and Security Rule would be well served to review and reassess their existing compliance programs for content, training, and enforcement. Incidents will always happen – even to the best-prepared organizations – but a robust program will decrease the potential for such incidents and will often help OCR see that the incident was a one-off circumstance rather than the result of systemic error.