UCLA Health System in Los Angeles has agreed to pay the federal government $865,000 to resolve allegations that its employees violated federal patient privacy laws by snooping in the medical records of two celebrity patients.
According to the U.S. Department of Health and Human Services, between 2005 and 2008, unauthorized UCLA employees repeatedly looked at the electronic files of numerous other patients, as well.
“Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law,” said Georgina Verdugo, director of the HHS Office for Civil Rights, in a statement.
Breaches of patient privacy at UCLA have been a source of embarrassment for the health system for several years. In 2009, we reported how Farrah Fawcett set up a sting operation to prove to UCLA that one of its employees was leaking information about her cancer to the National Enquirer. In an exclusive interview, Fawcett criticized UCLA for failing to protect her medical records from nosy employees.
"It's much easier to go through something and deal with it without being under a microscope," she said. "It was stressful. I was terrified of getting the chemo. It's not pleasant. And the radiation is not pleasant."
Fawcett, who died in June 2009, was not the only one whose records were inappropriately accessed by UCLA employees. Other celebrities included pop star Britney Spears and former California First Lady Maria Shriver. Their ordeal prompted the California Legislature to pass a law allowing fines against hospitals that do not protect patient privacy.
In May 2009, we reported that Kaiser Permanente’s Bellflower hospital was fined $250,000 for failing to protect the privacy of Nadya Suleman, mother of the octuplets. UCLA also was fined $95,000 last year by the state health department for similar breaches involving pop singer Michael Jackson’s death.
Separately, in January 2010, a former UCLA employee pleaded guilty to four counts of illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients. Huping Zhou was sentenced to four months in federal prison in April 2010.
The agreement with HHS requires UCLA to conduct regular trainings for all health-system employees who have access to patient records, to sanction employees who break the rules and to designate an independent monitor who will assess its compliance over the next three years.
In a statement, UCLA said it has worked “diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities.”
"Our patients' health, privacy and well-being are of paramount importance to us," said Dr. David T. Feinberg, CEO of the UCLA Hospital System and associate vice chancellor for health sciences, in the statement. "We remain vigilant and proactive to ensure that our patients' rights continue to be protected at all times."
Since 2003, when HHS began enforcing the privacy provisions of the Health Insurance Portability and Accountability Act, it has received 61,333 complaints. Of those, 20,877 have been investigated and 13,745 resulted in corrective actions of some kind.
Only a handful have resulted in monetary settlements or fines. The largest fine was issued earlier this year against Cignet Health of Prince George’s County, Md. It was fined $4.3 million for violating 41 patients’ rights by denying them access to their medical records. Other large settlements have included CVS Pharmacy Inc. and Rite Aid Corp., both of which were accused of disposing of patient records and identifying information in unsecured dumpsters and trash cans.
