UCLA Medical Center agrees to settle HIPAA violation charges for $865K

Action on celebrity snooping case seen as another sign of tougher enforcement of security, privacy rules by HHS

After years of being accused of doing little to enforce Health Insurance Portability and Accountability Act's security and privacy rules, the U.S. Department of Health and Human Services appears to be finally getting serious about cracking down on offenders.

This week, HHS announced that the University of California at Los Angeles Health System has agreed to pay an $865,000 fine and commit to a multi-year corrective action plan to settle potential HIPAA violations.

The corrective plan requires the hospital to implement HHS-approved security and privacy procedures, as well as to conduct "regular and robust" training of all UCLA health system employees that use protected health information. The plan requires the hospital to sanction employees who violate rules and to appoint an independent assessor to audit compliance with the requirements over a three-year period.

The size of the fine is likely to be a drop in the bucket for UCLA, analysts said. Even so, it sends an important message, they said. "This is new behavior on the part of HHS and it stems from the new enforcement imperatives Congress put into HITECH because the feds had such an abysmal enforcement record," said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

"This is HHS finally starting to protect citizens" from privacy violations by healthcare entities, she said. "Nearly a decade of no enforcement at all convinced the health care and health IT industries that there was no point in investing in state-of-the-art security."

Today's settlement follows an investigation by HHS's Office of Civil Rights into complaints by two unidentified celebrity patients that UCLA hospital staff had inappropriately accessed their electronic protected health information.

The OCR investigation uncovered numerous other instances between 2005 and 2009 where hospital employees had looked at protected health information belonging to other patients as well.

Statements announcing the settlement that were released today by the HHS and UCLA do not identify any specific violation. However, back in April 2008 the hospital had disclosed that it had detected whole groups of employees and even doctors snooping on the medical records of celebrities such as Tom Cruise and Farrah Fawcett.

At that time, the hospital had noted that the snooping went back to 1995. One person was indicted for selling data acquired from such snooping to the media.

This marks the third time this year that HHS has cracked down on healthcare organizations that have been found in violation of HIPAA rules. In February, HHS announced that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for refusing to provide patients with access to their medical records as required under HIPAA.

That was the first civil penalty handed out since HIPAA went into effect more than 10 years ago.

Again in February, HHS said it had also gotten Massachusetts General Hospital to agree to pay $1 million to settle HIPAA violation charges.

Peel said it is hard to know if the settlement amount is even close to adequate without knowing how many people might have been impacted by the snooping. But based on current health care data breach statistics, the assessed fine was probably "extremely low."

"Clearly this settlement was intended to signal that it's time at last for the health care industry to beef up data security and protect patients' sensitive health data from snooping and misuse," she said.

Even so, the fine and corrective action plan do little to protect the unknown number of victims whose private data was compromised by the snooping, she said. Everyone who was a patient at UCLA between 2005 and 2009 should be getting credit monitoring and medical ID theft monitoring services, she said.

Peter MacKoul, president of consulting firm HIPAA Solutions, said the settlement underscores why health care entities need to have both technical controls and business processes for controlling access to protected data.

Many health care organizations have little real information on the number of people within their organizations that have access to electronic medical records, and even less information on those who might have actually accessed those records, he said.

He said that is why it is important for healthcare entities to implement role-based access control measures and processes for ensuring compliance with those measures.
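The combination MacKoul describes, a technical control that gates access to records by role and treatment relationship, plus a process that reviews the resulting audit trail, is sketched below as an added example. It is illustrative code written for this article, not UCLA's system or any HIPAA Solutions product; the roles, users, patient identifiers and policy are all constructed, and a real hospital policy (including emergency "break the glass" overrides) would be considerably richer.

```python
"""Added example: a minimal role-based access gate for protected health
information (PHI) with an audit log, plus a review pass that surfaces users
who repeatedly reach for records of patients they are not assigned to.
All roles, users, patient ids and permissions are constructed for
illustration; they are not taken from the article or any real system."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy: role -> actions that role may perform on PHI.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read_chart", "write_chart"},
    "nurse": {"read_chart"},
    "billing": {"read_billing"},
    "it_admin": set(),  # system privileges, but no clinical data access
}


@dataclass
class AccessEvent:
    """One audit-log entry: who asked for what, and what was decided."""
    user: str
    role: str
    patient_id: str
    action: str
    allowed: bool
    reason: str


@dataclass
class PhiAccessControl:
    roles: Dict[str, str]                 # user -> role (constructed directory)
    care_team: Dict[str, Set[str]]        # patient -> users treating that patient
    audit_log: List[AccessEvent] = field(default_factory=list)

    def check(self, user: str, patient_id: str, action: str) -> bool:
        """Allow only if the role permits the action AND the user is on the
        patient's care team. Every decision, allowed or denied, is logged."""
        role = self.roles.get(user)
        if role is None:
            decision, reason = False, "unknown user"
        elif action not in ROLE_PERMISSIONS.get(role, set()):
            decision, reason = False, f"role {role} may not {action}"
        elif user not in self.care_team.get(patient_id, set()):
            decision, reason = False, "user not on patient's care team"
        else:
            decision, reason = True, "ok"
        self.audit_log.append(
            AccessEvent(user, role or "none", patient_id, action, decision, reason)
        )
        return decision


def suspicious_users(log: List[AccessEvent], threshold: int = 2) -> List[Tuple[str, int]]:
    """Review helper for the compliance process: users with at least
    `threshold` denied attempts on records of patients outside their care
    team. Repeated out-of-team attempts are what a reviewer wants first."""
    counts: Dict[str, int] = {}
    for ev in log:
        if not ev.allowed and ev.reason == "user not on patient's care team":
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return sorted((u, n) for u, n in counts.items() if n >= threshold)


def demo() -> Tuple[List[bool], List[Tuple[str, int]]]:
    """Constructed scenario exercising each branch of the access check."""
    acl = PhiAccessControl(
        roles={"dr_lee": "physician", "nurse_kim": "nurse", "bill_ops": "billing"},
        care_team={"P-1001": {"dr_lee", "nurse_kim"}, "P-2002": {"dr_lee"}},
    )
    results = [
        acl.check("dr_lee", "P-1001", "write_chart"),    # allowed: role + care team
        acl.check("nurse_kim", "P-1001", "write_chart"), # denied: nurses cannot write
        acl.check("nurse_kim", "P-2002", "read_chart"),  # denied: not on care team
        acl.check("nurse_kim", "P-2002", "read_chart"),  # denied again (repeat)
        acl.check("bill_ops", "P-1001", "read_chart"),   # denied: billing role
        acl.check("nobody", "P-1001", "read_chart"),     # denied: unknown user
    ]
    return results, suspicious_users(acl.audit_log)


if __name__ == "__main__":
    decisions, flagged = demo()
    print("decisions:", decisions)
    print("users to review:", flagged)
```

The two halves map onto MacKoul's point: `check` is the technical control that answers "who can reach this record", and `suspicious_users` is the business process that answers "who actually tried", which is the question the article says many organisations cannot answer. Logging denials as well as successes is what makes the second question answerable.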

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .
