The Department of Health and Human Services (HHS) entered into its third largest settlement for potential HIPAA privacy and security rule violations this week, reaching a resolution agreement Tuesday of $865,500 with the University of California at Los Angeles Health System (UCLAHS).
UCLAHS has also committed to a corrective action plan in order to fix "gaps in its compliance" with HIPAA's privacy and security rules, , according to a report on the HHS website published Wednesday.
The Office for Civil Rights (OCR), which enforces HIPAA under HHS, investigated the health system following two separate complaints filed by two celebrity patients. OCR said UCLAHS employees repeatedly and without permissible reason looked at their electronic personal health information in addition to other UCLAHS patients.
This week's settlement ranks behind CVS Caremark Co. ($2.25 million, February, 2009) and Rite Aid ($1 million, July 2010) for the amount of money reached in an agreement with OCR for potential HIPAA privacy and security rule violations.
This February, OCR fined Cignet Health $4.3 million civil money penalty, the largest fine for such violations. It was not a settlement.
A UCLAHS official said the employees cited in the investigation received some level of discipline but did not specify further.
UCLAHS released a statement today saying it "considers patient confidentiality a critical part of our mission of patient care, teaching and research. Over the past three years, we have worked diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities."
The Los Angeles health system -- which includes 12,000 employees and 856 beds at its three licensed facilities and also 90 clinics -- says it worked collaboratively with OCR and "continues to take measures to demonstrate our ongoing commitment to protecting our patients’ privacy."
“Our patients’ health, privacy and well-being are of paramount importance to us,” Dr. David T. Feinberg, CEO of the UCLA Hospital System and associate vice chancellor for health sciences, said in the statement. “We appreciate the involvement and recommendations made by OCR in this matter and will fully comply with the plan of correction it has formulated. We remain vigilant and proactive to ensure that our patients’ rights continue to be protected at all times.”
Pages
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.