In response, the California legislature passed a law that imposed escalating fines on hospitals for patient privacy breaches, and the state fined UCLAHS $95,000 in 2009. One employee was indicted for selling protected health information to the National Enquirer, Feinberg says.
The Office for Civil Rights launched an investigation in 2009 and determined that, from 2005 to 2008, "unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients," according to an OCR press release. OCR announced recently that the UCLA Health System has agreed to settle its investigation into the incident for $865,500 and also to commit to a corrective action plan aimed at remedying gaps in its HIPAA compliance. This plan requires the implementation of privacy and security policies and procedures approved by OCR, "regular and robust" training for all UCLAHS employees who use PHI, sanctioning of offending employees, and an independent monitor who will assess UCLAHS compliance with the plan over three years.
Feinberg readily admits that the UCLAHS culture of several years ago did not include sufficient respect for patient privacy, but he also says that UCLAHS was not that different from other healthcare systems at that time. Respect for patient privacy has improved greatly throughout the healthcare community, partly as a result of privacy breaches that received national attention and resulted in people losing their jobs, he says.
Coming down hard on the employees who violated patient privacy sent a strong message to staff, he says.