Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

University of California Pays Close to $1M to Settle Celebrity Health Record Snooping Complaint


Written by Dianne Bourque and Cynthia Larose

The University of California has paid $865,500 to the Office of Civil Rights (OCR) and agreed to a Corrective Action Plan to settle allegations that UCLA Health System (UCLAHS) employees repeatedly snooped in the electronic health records of celebrity patients. 

The OCR’s investigation was prompted by two separate complaints on behalf of celebrity victims. The investigation revealed that from 2005 to 2008 employees repeatedly and without authorization accessed electronic health records of these patients. Settlement announcements did not identify either of the specific complaints, but in the past, UCLAHS has identified violations involving the records of Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, Leonardo DiCaprio, Farrah Fawcett and others. In June of 2010, a UCLA surgeon was sentenced to four months in jail for repeated, unauthorized access to the records of his supervisor and celebrity patients.

UCLAHS’ corrective action plan requires UCLAHS to implement policies and procedures approved by OCR, to conduct “regular and robust” employee training, to sanction offending employees, and to designate an independent monitor who will assess compliance with the plan over 3 years. 

In the OCR’s press release (see link in last paragraph), one particular sentence highlights the need for covered entities to take all of the requirements of HIPAA/HITECH seriously:

Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.

Compliance policies are important. But we often speak of “policies and procedures” as a complete term. Written policies are meaningless without (a) procedures to implement those policies, (b) training and awareness to ensure that the policies and procedures are actually communicated to the workforce, and (c) consistent and meaningful follow-up to reinforce all of the foregoing.

More information, including a copy of the Resolution Agreement and Corrective Action Plan, is available here.