On June 7, 2011, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $865,500 settlement with the University of California at Los Angeles Health System (“UCLA Health System”) for violations of the HIPAA Privacy and Security Rules. UCLA Health System employees were accused of violating the Privacy Rule by improperly accessing the protected health information (“PHI”) of patients, including several high-profile celebrities who filed complaints with HHS. A subsequent investigation by HHS’s Office for Civil Rights (“OCR”) revealed that in addition to neglecting to sanction the employees who had improperly accessed patient PHI, UCLA Health System had failed to train its employees on the HIPAA Privacy and Security Rules or implement security measures to “reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.”
In addition to paying an $865,000 “resolution amount,” UCLA Health System entered into a corrective action plan with OCR that required it to revise its HIPAA Privacy and Security policies and submit them to OCR for approval. Further, UCLA Health System must present the revised policies to all employees who access PHI “within 30 days of HHS approval of such Policies and Procedures and to new members of the workforce who have access to protected health information within 30 days of their beginning of service” and require “a signed written or electronic initial compliance certification from all members of the workforce who have access to protected health information, stating that the workforce members have read, understand or know where to seek information about and will abide by such Policies and Procedures.” UCLA Health System also is obligated under the corrective plan to institute a thorough HIPAA training program, engage a compliance monitor, and submit an implementation report and annual reports.
The UCLA Health System enforcement action is the third major action taken by HHS in 2011 and brings the total “resolution amounts” for the first half of 2011 to almost $6.2 million. Prior to 2011, HHS had taken only four major enforcement actions with resolution amounts totaling approximately $3.4 million. Both the number of actions taken and the amounts involved indicate HHS’s aggressive enforcement intentions thus far in 2011, which were echoed by OCR Director Georgina Verdugo. In the press release announcing the settlement with UCLA Health System, Verdugo stated that “OCR vigorously enforces [HIPAA’s] protections” and that “entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.”