The UCLA Health System in Los Angeles will pay an $865,500 fine, known as a "resolution agreement," and implement a three-year corrective action plan to improve its privacy and security protections following a settlement with the Department of Health and Human Services' Office for Civil Rights, which enforces the HIPAA privacy and security rules.

OCR started an investigation after receiving separate complaints in June 2009 from two celebrity patients of unauthorized access to their records. The investigation revealed that from 2005 to 2008 "unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients," according to an OCR statement. The investigation further found that the health system failed to implement sufficient security measures or document appropriate training or sanctions.

UCLA Health's corrective action plan will include specified minimum content in revised and new policies and procedures, as well as reportable events. The plan also spells out training programs and the designation of an independent monitor, and mandates that an implementation report and annual reports be sent to OCR.

In the resolution agreement, UCLA Health does not admit liability, but HHS/OCR makes clear in the document that it believes the health system is culpable: "This Agreement is not a concession by HHS that the Covered Entity is not in violation of the Privacy and/or Security Rules and not liable for civil money penalties."

The resolution agreement and corrective action plan are available here. UCLA Health System has issued the following statement:

"Following an investigation by the U.S. Department of Health and Human Services' Office for Civil Rights into alleged federal privacy and/or security violations between 2005 and January 2008, the UCLA Health System has agreed to enter into a resolution agreement/corrective action plan with the OCR and pay a settlement of $865,500. The UCLA Health System issued this statement:

"The UCLA Health System considers patient confidentiality a critical part of our mission of patient care, teaching and research. Over the past three years, we have worked diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities.

"Working collaboratively with the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), the UCLA Health System continues to take measures to demonstrate our ongoing commitment to protecting our patients' privacy. Everyone, from nurses and doctors to staff and students, views patient confidentiality as a constant, high priority and an essential component of patient care.

"Our patients' health, privacy and well-being are of paramount importance to us," said Dr. David T. Feinberg, CEO of the UCLA Hospital System and associate vice chancellor for health sciences. "We appreciate the involvement and recommendations made by OCR in this matter and will fully comply with the plan of correction it has formulated. We remain vigilant and proactive to ensure that our patients' rights continue to be protected at all times."

