On July 6, 2011, the Department of Health and Human Services (HHS) entered into a resolution agreement with the University of California at Los Angeles Health System (UCLAHS) to settle potential violations of the HIPAA Privacy and Security Rules. The agreement requires UCLAHS to pay $865,500 and to enter into a three-year corrective action plan designed to address shortcomings in its compliance with the rules.

The UCLAHS Settlement

The settlement resolved complaints that UCLAHS employees repeatedly and without permissible reason accessed the protected health information of two celebrity patients who received care at UCLAHS. The complaints touched off an investigation by the HHS Office of Civil Rights (OCR), which found additional incidents of impermissible records “peeking” by unauthorized employees. The investigation also revealed a failure to provide and/or document the provision of appropriate HIPAA training programs, failure to sanction and/or document sanctions imposed on employees, and failure to implement appropriate security measures to reduce the risks of impermissible access by unauthorized users. In addition to the $865,500 payment, UCLAHS agreed to a three-year corrective action plan requiring extensive review and approval by HHS of its privacy and security practices.

Compliance Best Practices

The UCLAHS settlement should serve as a cautionary tale to health care entities and other entities required to comply with the HIPAA Privacy and Security Rules. The settlement indicates that HHS takes records snooping allegations seriously and that covered entities must take responsibility for the actions of their employees. As stated by OCR Director Georgina Verdugo in the HHS press release: “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.” In view of the UCLAHS settlement, covered entities should consider reviewing their HIPAA compliance efforts with an eye towards:

  1. ensuring the provision of appropriate Privacy and Security Rule training for all workforce members, and documenting such training efforts;
  2. applying appropriate sanctions to workforce members who impermissibly access protected health information, and documenting such disciplinary actions; and
  3. implementing security measures sufficient to reduce the risks of impermissible access to protected health information by unauthorized users to a reasonable and appropriate level.

Effective compliance requires adequate training, meaningful implementation of policies and procedures, regular internal audits and reviews, and prompt action in response to apparent incidents.

Finally, covered entities should take note that the settlement may be indicative of a tightening enforcement environment. While for many years, despite having the authority to do so, HHS did not appear to vigorously enforce the Privacy and Security Rules, recent actions suggest a different climate. The UCLAHS settlement marks the third major action this year. In February, HHS assessed civil money penalties totaling $4.3 million on Cignet Health of Prince George’s County, Maryland (the first civil money penalties issued by HHS for HIPAA Privacy Rule violations), and entered into a settlement with Massachusetts General Hospital requiring a $1 million payment and three-year corrective action plan for potential Privacy Rule violations.