University of California Settles HIPAA Privacy and Security Case involving UCLA Health System Facilities


Following an investigation by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the University of California at Los Angeles Health System (UCLAHS) has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules.

The Resolution Agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients.

OCR’s investigation into the complaints revealed that from 2005 to 2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients. Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.

“Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.

“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.

Complimentary - HIPAA & HITECH Compliance Checklist PDF
ecfirst, Home of The HIPAA Academy, has developed a comprehensive checklist for complying with HIPAA and the HITECH Act. Contact John at John.Schelewitz@ecfirst.com for your exclusive copy of the HIPAA Checklist PDF.

Learn more about the Certified HIPAA Professional (CHP) and Certified Security Compliance Specialist (CSCS) Program scheduled to be delivered in Newark, California, August 2-5, 2011. Register today @ www.ecfirst.com.


About ecfirst
Devoted To Our Clients. Delivering with Passion.

ecfirst is a leader with rich hands-on experience delivering world-class services in the areas of:

  • Security regulatory compliance solutions (HIPAA, HITECH Act, PCI DSS, NIST and ISO 27000 Standards, State Regulations)
  • Compliance training and certification
  • HITECH data breach and incident response management
  • End-to-end Meaningful Use EHR Stage 1 objective driven services including gap assessment, risk analysis, reporting and more
  • Customized portal development and implementation for access to confidential client information
  • Professional staffing, including project management, HL7, HIPAA, ICD 9/10 and more

Regulatory Compliance Practice
The ecfirst Regulatory Compliance Practice delivers deep expertise with its full suite of services, which includes HIPAA Privacy Gap Analysis, Meaningful Use Risk Analysis, HITECH Data Breach, Technical Vulnerability Assessment, Policy and Procedure Development, Disaster Recovery Planning, On-Demand Consulting, as well as managed security and IT infrastructure solutions.

Compliance and Training Certification
ecfirst, home of the HIPAA Academy, offers the gold standard in compliance training and certification. The HIPAA CHA™ and CHP certifications are the only certifications recognized in the Industry. The ecfirst Certified Security Compliance Specialist™ (CSCS™) Program is the first and only information security program that addresses all major compliance regulations from a security perspective.

ecfirst delivers world-class information security and regulatory compliance solutions. With 1,600+ clients, ecfirst was recognized as an Inc. 500 business – America’s Top 500 Fastest Growing Privately Held Business in 2004 – our first year of eligibility. ecfirst serves a Who's Who client list that includes technology firms, numerous hospitals, state and county governments, and hundreds of businesses across the United States and abroad. A partial list of clients includes Microsoft, Symantec, HP, McKesson, EMC, IBM, Principal Financial, U.S. Army, U.S. Dept. of Homeland Security, U.S. Dept. of Veterans Affairs and many others.

ecfirst Differentiators
ecfirst combines state of the art tools, the highest credentialed staff, and reporting that maximizes value, efficiency, and information for our clients to deliver the industry’s best technical vulnerability assessments. Critical ecfirst differentiators include:

  • Home of The HIPAA Academy – First in the healthcare industry with the Certified HIPAA Professional (CHP) and the Certified Security Compliance Specialist (CSCS) programs
  • Highly credentialed professional consulting team with expertise in HL7, ICD-9/10, HIPAA, HITECH, Meaningful Use
  • Deep experience in the healthcare industry
  • Compliance based vulnerability assessments
  • Executive dashboards that may be tailored for senior management to highlight critical findings

Have you conducted a HIPAA & HITECH risk analysis exercise?
Talk to ecfirst and you will find an organization that is passionate about the services we deliver and exceptionally devoted to its clients. We deliver value with intensity and are paranoid about our performance for your organization.

Contact ecfirst
Call John @ +1.480.663.3225 or email at John.Schelewitz@ecfirst.com. Talk to us about your security challenges and compliance priorities. We want to listen and tailor a solution specific to your requirements.