Charles Ornstein reports:
UCLA Health System in Los Angeles has agreed to pay the federal government $865,000 to resolve allegations that its employees violated federal patient privacy laws by snooping in the medical records of two celebrity patients.
According to the U.S. Department of Health and Human Services, between 2005 and 2008, unauthorized UCLA employees repeatedly looked at the electronic files of numerous other patients, as well.
Read more on Pro Publica. The L.A. Times also covers the news.
The settlement concerns charges involving more than one employee and more than one incident of snooping. The incidents mentioned have been previously covered on this blog. As the filing explains:
On June 5, 2009 and June 30, 2009, HHS began investigations of two separate complaints alleging that the Covered Entity was in violation of the Privacy and/or Security Rules. The investigations indicated that the following conduct occurred (“Covered Conduct”):
(i) During the period from August 31, 2005 to November 16, 2005, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of Covered Entity patients, and during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of a Covered Entity patient.
(ii) During the period 2005-2008, a workforce member of Covered Entity employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the electronic protected health information of many patients.
(iii) During the period 2005-2008, Covered Entity did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Resolution Agreement/Corrective Action Plan08-82727 and 08-83510 (University of California Los Angeles Health System) Security Rule training for all members of its workforce to carry out their function within the Covered Entity.
(iv) During the period 2005-2008, Covered Entity failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined electronic protected health information.
(v) During the period from 2005-2009, Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level