UCLA Health Cleared in Landmark Patient Privacy Case
If a healthcare employee illegally accesses the medical records of a patient and discloses that information to a third party, is the healthcare provider liable to pay damages? According to a California jury, it is not. The recent ruling in the Lozano v. UCLA Health case could well set a legal precedent, and the lawsuit is almost certain to be cited in future patient privacy breach cases.
Norma Lozano, a patient of the UCLA Health System, had her privacy violated when a medical assistant, Alexis Price, illegally accessed her medical records, took a photo of her medical history, and showed the photo to her current boyfriend. That individual was a former partner of Lozano. Price had been provided with the login credentials of UCLA Health physician, Dr. John D. Edwards, in order to conduct certain work duties. Those login credentials were also allegedly shared with other members of his office staff.
Lozano clearly had her privacy violated, and Price appeared to have illegally accessed and copied her medical records with apparent intent to cause Lozano harm. That proved to be the case, with Lozano claiming she had suffered mental distress and anxiety as a result of the disclosure of her private and confidential medical records. She sought damages of $1.25 million from UCLA Health. Dr. Edwards was also originally named in the lawsuit, although he was later removed after settling with Lozano out of court.
After the removal of Dr. Edwards from the lawsuit, the case revolved around the role UCLA Health played in the privacy violation. Lozano claimed the healthcare provider had not done enough to keep her medical records private and confidential.
During the trial, UCLA Health explained that in some cases, an additional level of security is added to certain patients’ medical files when there is believed to be a high risk of those files being accessed inappropriately. This measure is usually adopted when celebrities or other high profile individuals are admitted to its hospitals.
This extra layer of security is a “break the glass” measure. It requires a password to be entered twice before access to the records is possible, and a reason for accessing those records must also be entered. This measure is useful in preventing records from being accessed by staff who do not have login information, but if someone already has a login name and password, it is unlikely to deter them from gaining access. Another security measure which could have been employed, and which arguably could have prevented access to the records, is the addition of a biometric identification factor. This would ensure that even if login credentials were shared, access to files could not be gained. UCLA Health did not use this extra layer of security in its facilities. Few healthcare providers do.
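As an added illustration (example code, not UCLA Health's system or anything from the case record), here is a Python sketch of the break-the-glass gate described above: flagged charts require a second password entry and a stated reason, every attempt is logged, and a review function over that log flags one login name used from several workstations, the trace that shared credentials leave behind. Record ids, user names and passwords are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed toy data for this example; not UCLA Health's system or policy.
RESTRICTED = {"MRN-1001"}              # charts flagged for "break the glass" handling
PASSWORDS = {"dr_edwards": "s3cret"}   # stand-in for the real credential store

@dataclass
class AccessEvent:
    user: str
    workstation: str
    record: str
    reason: Optional[str]
    status: str
    ts: datetime

AUDIT: list = []   # append-only access log; the input for periodic review

def open_record(user, password, workstation, record, ts, reason=None, reentered=None):
    """Gate one chart read; returns 'granted', 'denied' or 'break_glass_required'.
    Every attempt, whatever the outcome, is written to AUDIT."""
    status = "granted" if PASSWORDS.get(user) == password else "denied"
    if status == "granted" and record in RESTRICTED:
        # Break the glass: the password must be entered a second time and a
        # reason for the access must be recorded before the chart opens.
        if reentered != password or not (reason and reason.strip()):
            status = "break_glass_required"
    AUDIT.append(AccessEvent(user, workstation, record, reason, status, ts))
    return status

def access_history(record):
    """Who touched this chart, from where, with what stated reason."""
    return [e for e in AUDIT if e.record == record]

def shared_credential_suspects(window=timedelta(minutes=5)):
    """Review heuristic: one login name used from different workstations within
    `window`. It flags likely sharing for a human to check; the log alone cannot
    say who was actually at the keyboard."""
    seen, suspects = {}, set()
    for e in sorted(AUDIT, key=lambda ev: ev.ts):
        if any(p.workstation != e.workstation and e.ts - p.ts <= window
               for p in seen.get(e.user, [])):
            suspects.add(e.user)
        seen.setdefault(e.user, []).append(e)
    return suspects
```

The gate alone does not stop a person holding someone else's password, which is the limitation the article points out; the audit trail and the review heuristic are what make that misuse visible.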
During the trial, expert witnesses were called and testified that the level of protection used by UCLA Health was similar to that used in hospitals throughout the country. It took the jury about an hour of deliberation before the verdict was returned. The jury found UCLA Health not to be liable for the privacy violation.
The attorney representing UCLA Health, Bryan Heckenlively from law firm Munger Tolles & Olson LLP, released a statement after the verdict saying, “We are gratified that the jury paid such close attention throughout the trial, considered the evidence carefully, and correctly recognized that any release of information was the product of Dr. Edwards’s breaking UCLA’s rules and Alexis Price intending to do something malicious.”
While this case has now been closed, it does not mean that Dr. Edwards, Alexis Price or UCLA Health are in the clear. The incident violated the Health Insurance Portability and Accountability Act (HIPAA), and as such, all could be investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR, as the main enforcer of HIPAA Rules, could take action against Dr. Edwards and Price for the privacy violation. Action could also potentially be taken against UCLA Health if the OCR discovers that the healthcare provider violated HIPAA Rules by failing to provide training on data privacy and security, did not monitor access to medical records regularly, or was aware of the sharing of login information by staff members and did not do enough to tackle the policy violation. According to the lawsuit, the sharing of login details and the actions of Price and Dr. Edwards were in violation of hospital policies.