On July 6, 2011, the US Department of Health and Human Services announced that the University of California at Los Angeles Health System (UCLAHS) had agreed to settle HIPAA violations for $865,500 and had committed to a corrective action plan aimed at remedying gaps in its compliance with the rules. The investigation followed two separate complaints filed on behalf of two celebrity patients alleging that UCLAHS employees repeatedly, and without a permissible reason, looked at the electronic protected health information of these and other UCLAHS patients. For the press release, resolution agreement, corrective action plan, and other information, see http://www.hhs.gov/ocr/privacy/hipaa/news/uclahs.html; for an article on the settlement in iHealthBeat, see http://www.ihealthbeat.org/articles/2011/7/8/ucla-health-system-agrees-to-pay-865k-over-privacy-breaches.aspx -or- http://tinyurl.com/64npazj
So, all the buzz points to disclosures about two celebrities, but a reading of the press release shows it also refers to “other UCLAHS patients,” which suggests that some of the employees involved may have been habitual offenders. The $865.5K fine is not just for snooping on two celebrities. The question is, why did it take celebrity cases to get this problem recognized? Don’t let your organization get caught failing to adequately audit employee access. Even if you don’t do a regular random check or a more thorough audit, you should at least audit access to the records of any persons of note, be they international, national, or local. Also look for improper access to family members’ information, since employees who look up relatives rarely have a treatment relationship with them. There are a few relatively easy audits you can run that will tell you how good your compliance is; if they turn up problems, you have to go deeper, but you at least need to look for the obvious before HHS OCR does.
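Here is what those two “easy audits” look like in practice, as an added example that is not part of the original post and not any real EHR vendor’s tooling. It reads a constructed access-log export, flags views of persons-of-note records by users who are not on that patient’s care team, flags views where the employee and patient share a surname or home address (a proxy for family look-ups), and then counts repeat offenders. The column names, the VIP list, the care-team table, and all users and patients are assumptions made up for the example.

```python
"""Two quick EHR access-log audits: VIP-record access without a care-team
relationship, and look-ups of records that share a surname or home address
with the employee doing the looking. All data below is constructed for the
example; field names are assumptions, not any real EHR's audit schema."""
import csv
import io
from collections import Counter

# Constructed audit-log export: one row per record view.
ACCESS_LOG = """\
ts,user_id,patient_id,action
2011-06-01T09:02:00,u100,p001,view
2011-06-01T09:05:00,u101,p900,view
2011-06-01T10:15:00,u101,p900,view
2011-06-02T11:30:00,u102,p900,view
2011-06-02T14:00:00,u103,p777,view
2011-06-03T08:45:00,u101,p901,view
2011-06-03T09:10:00,u100,p500,view
"""

# Constructed reference data the audit joins against (HR roster, patient index).
EMPLOYEES = {
    "u100": {"last_name": "Garcia", "address": "12 Oak St"},
    "u101": {"last_name": "Lee", "address": "7 Pine Ave"},
    "u102": {"last_name": "Patel", "address": "3 Elm Rd"},
    "u103": {"last_name": "Nguyen", "address": "9 Birch Ln"},
}
PATIENTS = {
    "p001": {"last_name": "Smith", "address": "44 Main St"},
    "p900": {"last_name": "Doe", "address": "1 Hollywood Blvd"},
    "p901": {"last_name": "Roe", "address": "2 Hollywood Blvd"},
    "p777": {"last_name": "Nguyen", "address": "9 Birch Ln"},
    "p500": {"last_name": "Garcia", "address": "88 Lake Dr"},
}
# Persons of note whose records warrant a standing audit (assumed list).
VIP_PATIENTS = {"p900", "p901"}
# Care-team assignments: the only users with a treatment reason to open a chart.
CARE_TEAM = {"p900": {"u102"}, "p901": set()}


def parse_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def vip_access_findings(rows):
    """Every view of a VIP record by someone not on that patient's care team."""
    return [
        (r["ts"], r["user_id"], r["patient_id"])
        for r in rows
        if r["patient_id"] in VIP_PATIENTS
        and r["user_id"] not in CARE_TEAM.get(r["patient_id"], set())
    ]


def family_access_findings(rows):
    """Views where the employee and patient share a surname or home address.
    A surname match alone is only a lead (common names collide); an address
    match is stronger. Both need human follow-up, not automatic sanction."""
    findings = []
    for r in rows:
        emp = EMPLOYEES.get(r["user_id"])
        pat = PATIENTS.get(r["patient_id"])
        if not emp or not pat:
            continue  # unknown user or patient: out of scope for this audit
        reasons = []
        if emp["last_name"].lower() == pat["last_name"].lower():
            reasons.append("same_surname")
        if emp["address"].lower() == pat["address"].lower():
            reasons.append("same_address")
        if reasons:
            findings.append((r["ts"], r["user_id"], r["patient_id"], tuple(reasons)))
    return findings


def repeat_offenders(findings, threshold=2):
    """Users appearing in `threshold` or more findings: the habitual cases
    that justify a deeper audit of everything they touched."""
    counts = Counter(f[1] for f in findings)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    vip = vip_access_findings(rows)
    fam = family_access_findings(rows)
    for f in vip:
        print("VIP access without care-team relationship:", f)
    for f in fam:
        print("Possible family look-up:", f)
    print("Repeat offenders:", repeat_offenders(vip + fam))
```

On the constructed log this flags three VIP views by one user with no care-team relationship, one employee opening the chart of a patient at their own home address, and one surname-only match that merits a look but not a conclusion. The same joins work against a real export once you substitute your EHR’s audit columns, HR roster, and care-team or encounter table; the care-team check is what separates a legitimate clinician from a curious one.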