UCLA Medical Center agrees to settle HIPAA violation charges for $865K
Action on celebrity snooping case seen as another sign of tougher enforcement of security, privacy rules by HHS
Computerworld - After years of being accused of doing little to enforce the Health Insurance Portability and Accountability Act's security and privacy rules, the U.S. Department of Health and Human Services appears to be finally getting serious about cracking down on offenders.
This week, HHS announced that the University of California at Los Angeles Health System has agreed to pay an $865,000 fine and commit to a multi-year corrective action plan to settle potential HIPAA violations.
The corrective plan requires the hospital to implement HHS-approved security and privacy procedures, as well as to conduct "regular and robust" training of all UCLA health system employees who use protected health information. The plan requires the hospital to sanction employees who violate rules and to appoint an independent assessor to audit compliance with the requirements over a three-year period.
The size of the fine is likely to be a drop in the bucket for UCLA, analysts said. Even so, it sends an important message, they said. "This is new behavior on the part of HHS and it stems from the new enforcement imperatives Congress put into HITECH because the feds had such an abysmal enforcement record," said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.
"This is HHS finally starting to protect citizens," from privacy violations by healthcare entities, she said. "Nearly a decade of no enforcement at all convinced the health care and health IT industries that there was no point in investing in state-of-the-art security."
Today's settlement follows an investigation by HHS's Office of Civil Rights into complaints by two unidentified celebrity patients that UCLA hospital staff had inappropriately accessed their electronic protected health information.
The OCR investigation uncovered numerous other instances between 2005 and 2009 where hospital employees had looked at protected health information belonging to other patients as well.
Statements announcing the settlement that were released today by the HHS and UCLA do not identify any specific violation. However, back in April 2008 the hospital had disclosed that it had detected whole groups of employees and even doctors snooping on the medical records of celebrities such as Tom Cruise and Farrah Fawcett.
At that time, the hospital had noted that the snooping went back to 1995. One person was indicted for selling data acquired from such snooping to the media.
This marks the third time this year that HHS has cracked down on healthcare organizations that have been found in violation of HIPAA rules. In February, HHS announced that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for refusing to provide patients with access to their medical records as required under HIPAA.
