The University of California at Los Angeles Health System (UCLAHS) has agreed to settle potential HIPAA violations stemming from an investigation conducted by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). UCLAHS has agreed to pay $865,500, along with implementing a plan of correction to ensure future compliance with HIPAA.
The investigation was sparked by two separate complaints filed with OCR from two celebrity patients. Allegedly, UCLAHS employees repeatedly viewed the electronic health information of these patients without the necessary authorization. OCR also discovered that the employees looked at the electronic protected health information of a number of other patients over a span of three years.
Under HIPAA, entities must reasonably restrict access to patient information to those employees who have a legitimate work-related reason to view the information. Furthermore, entities are required to sanction employees who have violated these policies. OCR maintains a firm stance that entities should properly train all employees about the current laws protecting patient health information and should have policies in place to ensure compliance with these policies.
As part of the settlement agreement, UCLAHS has agreed to implement a training program for all UCLAHS employees who use protected health information, to sanction any employees who violate the law, and to use an independent monitor to evaluate proper compliance with the plan.
HIPAA privacy rules grant patients the right to have their health information protected against unlawful use by employees. This recent enforcement action is yet another example of the OCR’s more aggressive enforcement of HIPAA violations. HHS OCR stresses the importance of having a compliance plan in place to protect the health information of patients, and furthermore, that entities will continue to be held accountable for any unlawful access to the information. If you have any questions regarding protection of protected health information (PHI), electronic protected health information (EPHI), or creating HIPAA policies and procedures to comply with the HIPAA Privacy or HIPAA Security rules, please contact a Wachler & Associates attorney at 248-544-0888.