On July 7, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced it had reached an agreement with the Regents of the University of California, on behalf of the University of California at Los Angeles Health System (UCLAHS), to settle alleged violations of the HIPAA Privacy and Security Rules.   Under the Resolution Agreement, UCLAHS has agreed to pay $865,5000 to settle the alleged violations and to enter into a corrective action plan (CAP) to correct the alleged compliance deficiencies in exchange for a release of liability from OCR.  UCLAHS, which includes the UCLA Ronald Reagan Medical Center, the UCLA Santa Monica Medical Center and Orthopedic Hospital, the Resnick Neuropsychiatric Hospital and the Faculty Practice Group of UCLA, admitted no liability in entering into the Resolution Agreement and CAP.

The settlement stems from separate complaints filed with OCR on behalf of two celebrity patients alleging that UCLAHS workforce members repeatedly, without permissible reason, accessed their electronic protected health information (PHI).   UCLAHS allegedly did not implement sufficient security measures to reduce the risks of impermissible access to PHI by unauthorized users, did not provide and/or document appropriate privacy and security training for workforce members, and did not sanction and/or document sanctions imposed on workforce members who accessed PHI inappropriately.  HIPAA requires covered entities to reasonably restrict access to patient information to only those employees who have a legitimate reason to access PHI, to train workforce members on privacy and security policies and procedures, and to sanction any employee who accesses PHI inappropriately.  As part of the CAP, UCLAHS will implement privacy and security policies and procedures approved by OCR, conduct regular training sessions for all UCLAHS employees who use PHI, sanction employees who violate the policies and procedures, and designate an independent monitor to assess UCLAHS’s compliance with the plan over a three year period.  For a copy of the Resolution Agreement and CAP click here.  For a copy of the HHS press release, click here.