UCLA Hospitals Receive $865K HIPAA Penalty for Failing to Safeguard Celebrity Medical Records

The Division of Health and Human Services’ Office for Civil Rights has penalized the UCLA Health System $865,500 for HIPAA breaches that resulted from allowing the medical records of 2 celebrity patients to be accessed by unauthorized people.

The 2 patients affected by this security breach complained about hospital workers having inappropriate access to their medical records and alleged the hospital broke the rule by failing to check access to their confidential records. The names of the complainants were not disclosed by the OCR.

HIPAA breaches are alleged to have happened at all 3 of the hospitals run by UCLA Health System. According to an announcement from UCLA spokeswoman Dale Tate, Santa Monica UCLA Medical Center, Ronald Reagan UCLA Health Center and Orthopaedic Hospital as well as Resnick Neuropsychiatric Hospital are suspected of having violated the Health Insurance Portability and Accountability Law of 1996 through the security breaches that happened between 2005 and 2009.

During this period there were many cases of workers snooping, and many members of staff were sacked for looking at the medical records of celebrities including Britney Spears, Farrah Fawcett and Maria Shriver; the latter had her information accessed during her period as California First Lady. The high-profile privacy breaches were widely reported in the mass media, with The Times the first to report the revelations in a 2008 article.

The privacy violations resulted in the introduction of a new State law to raise the financial fines that may be applied for an illegal disclosure of patient health information, with the new rules in effect since Jan 1, 2009. It was at this time that the Office for Civil Rights began investigating the illegal disclosures that had allegedly happened at the hospital.

The investigation revealed repeated violations of patient privacy by workers, with at least one instance originating from the nursing director’s office. The OCR stated that in both 2005 and 2008 workers “repetitively and without an approved reason” accessed the protected health information of many patients.

The settlement agreement didn’t name the individuals affected, though an article in the L.A. Times suggests the timing relates to Farrah Fawcett’s admissions to the Ronald Reagan UCLA Medical Center. The statement also suggests that the worker involved is Lawanda Jackson, an administrative expert who was sacked for allegedly accessing the celebrity’s files and selling them to the National Enquirer.

The settlement is the consequence of many failures to remedy the security and privacy deficiencies at the hospitals and to manage risk effectively. The hospital also failed to apply adequate controls after security breaches to prevent incidents from recurring.

In a statement, the Director of the Office for Civil Rights, Georgina Verdugo, said “Workers should undoubtedly know that casual evaluation for personal interest of patients’ safeguarded health info is not acceptable and contrary to the rule,” and she also confirmed that healthcare providers “will be held responsible for workers who retrieve safeguarded health info to satisfy their own personal inquisitiveness.”

In addition to the financial penalty, UCLA Health System is to develop a plan of action to address the security deficiencies and inform the OCR of the measures it will be taking to safeguard patient privacy and avoid more security breaches. The OCR requires updates to policies, recurring reports on progress and verification of processes being put into practice for a duration of 3 years. UCLA has now hired a member of staff to supervise the action plan.

The measures being taken include the provision of additional staff HIPAA training on privacy protection, and new plans will be created to increase security. A new system for checking access to patient data will be applied to make sure that if any member of the staff accesses patient files, rapid action can be taken to limit any damage caused.

After the settlement was announced, Dr. David T. Feinberg, CE of UCLA Health System, issued a statement confirming the healthcare provider’s commitment to protect the privacy of its patients and said “We value the involvement as well as suggestions made by [the] OCR in this subject and will completely abide by the idea of correction it has prepared. We remain cautious and proactive to make sure that our patients’ privileges continue to be safeguarded at all times.”


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.