UCLA Medical Center agrees to settle HIPAA violation charges for $865K

07.07.2011
After years of being accused of doing little to enforce the Health Insurance Portability and Accountability Act's security and privacy rules, the U.S. Department of Health and Human Services appears to be finally getting serious about cracking down on offenders.

This week, HHS announced that the University of California at Los Angeles Health System has agreed to pay an $865,000 fine and commit to a multi-year corrective action plan to settle potential HIPAA violations.

The corrective plan requires the hospital to implement HHS-approved security and privacy procedures, as well as to conduct "regular and robust" training of all UCLA health system employees who use protected health information. The plan also requires the hospital to sanction employees who violate the rules and to appoint an independent assessor to audit compliance with the requirements over a three-year period.

The size of the fine is likely to be a drop in the bucket for UCLA, analysts said. Even so, it sends an important message, they said. "This is new behavior on the part of HHS and it stems from the new enforcement imperatives Congress put into HITECH because the feds had such an abysmal enforcement record," said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

"This is HHS finally starting to protect citizens" from privacy violations by healthcare entities, she said. "Nearly a decade of no enforcement at all convinced the health care and health IT industries that there was no point in investing in state-of-the-art security."

Today's settlement follows an investigation by HHS's Office of Civil Rights into complaints by two unidentified celebrity patients that UCLA hospital staff had inappropriately accessed their electronic protected health information.