Friday, July 8, 2011

UCLA Health System Settles Potential HIPAA Privacy and Security Violations

The Department of Health and Human Services reached its third settlement this year with a healthcare organization for violations of the HIPAA regulations when UCLA agreed to pay $865,000 to resolve charges that employees were inappropriately snooping into the records of celebrity patients.

In the previous settlements of 2011, Massachusetts General agreed to pay a fine of $1,000,000 and Cignet Health of Prince George's County agreed to a fine of $4,300,000. Clearly HHS is taking these violations much more seriously than it did in the first 14 years of HIPAA's existence.

Organizations that deal with PHI need to have clearly defined policies and procedures to protect patient data, training to make sure that employees are aware of the rules, and, most importantly, methods that can be used to monitor that the policies are being followed. If you are the CISO of a healthcare organization, you should be asking yourself questions such as:

  • Are all of the laptops that access our systems encrypted?
  • How do I validate that they are encrypted?
  • Are we monitoring access to patient information?
  • How do we detect inappropriate access to PHI?

The stakes are being raised, and the privacy groups within healthcare organizations have to respond accordingly.
