HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UCLA Hospitals Receives $865K HIPAA Fine for Failing to Protect Celebrity Medical Records

The Department of Health and Human Services’ Office for Civil Rights has fined the UCLA Health System $865,500 for HIPAA violations caused by allowing the medical records of two celebrity patients to be accessed by non authorized personnel.

The two patients affected by this security breach made complaints about hospital employees having improper access to their medical records and allege the hospital broke the law by failing to control access to their private data. The names of the complainants were not revealed by the OCR.

HIPAA violations are alleged to have occurred at all three of the hospitals operated by UCLA Health System. According to a statement from Dale Tate, spokeswoman for UCLA, Ronald Reagan UCLA Medical Center, Santa Monica UCLA Medical Center and Orthopaedic Hospital and Resnick Neuropsychiatric Hospital are alleged to have violated the Health Insurance Portability and Accountability Act of 1996 with the security breaches that occurred between 2005 and 2009.

During this period there were a number of instances of employees snooping and members and a number of members of staff were fired for looking at the medical records of celebrities including Farah Fawcett, Britney Spears and Maria Shriver, the latter had her data accessed during her time as California First Lady. The high profile privacy violations were reported heavily in the media, with The Times the first to report the disclosures in a 2008 report.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The privacy invasions led to the introduction of new State legislation to increase the financial penalties that could be applied for unauthorized disclosure of patient health information, with the new laws having taken effect on Jan 1, 2009. It was at this time that the Office for Civil Rights started investigating the unauthorized disclosures that had allegedly occurred at the hospital.

The investigation unearthed repeated cases of invasions of patient privacy by employees with at least one case emanating from the nursing director’s office. The OCR reported that in both 2005 and 2008 employees “repeatedly and without a permissible reason” accessed the protected health information of a number of patients.

The settlement agreement did not name the persons concerned, although an article in the L.A Times suggests the timing correlates with Farah Fawcett’s admissions to the Ronald Reagan UCLA Medical Center. The report also proposes that the employee concerned is Lawanda Jackson, an administrative specialist who was fired for allegedly accessing the celebrity’s records and selling then to the National Enquirer.

The settlement is the result of numerous failures to remedy the privacy and security deficiencies at the hospitals and to effectively manage risk. The hospital also failed to implement sufficient controls after security breaches to prevent incidents from reoccurring.

In a statement by Georgina Verdugo, Director of the Office for Civil Rights, he said “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law,” she also confirmed that healthcare providers “will be held accountable for employees who access protected health information to satisfy their own personal curiosity.”

In addition to the financial penalty, UCLA Health System must develop a plan of action to tackle the security deficiencies and advise the OCR of the steps it will be taking to protect patient privacy and prevent future security breaches. The OCR requires regular reports on progress, updates to policies and confirmation of procedures being put into practice for a period of three years. UCLA has now appointed a member of staff to oversee the action plan.

Part of the action being taken includes the provision of further staff training on privacy protection and new policies will be developed to improve security. A new system for monitoring access to patient data will be implemented to ensure that should any member of the staff access patient records, swift action can be taken to mitigate any damage caused.

After the settlement was announced, CE of UCLA Health Stems, Dr. David T. Feinberg, released a statement confirming the healthcare provider’s commitment to protecting the privacy of its patients and said “We appreciate the involvement and recommendations made by [the] OCR in this matter and will fully comply with the plan of correction it has formulated. We remain vigilant and proactive to ensure that our patients’ rights continue to be protected at all times.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.