After years of being accused of doing little to enforce Health Insurance Portability and Accountability Act's security and privacy rules, the U.S. Department of Health and Human Services appears to be finally getting serious about cracking down on offenders.
This week, HHS announced that the University of California at Los Angeles Health System has agreed to pay an $865,000 fine and commit to a multi-year corrective action plan to settle potential HIPAA violations.
The corrective plan requires the hospital to implement HHS-approved security and privacy procedures, as well as to conduct "regular and robust" training of all UCLA health system employees that use protected health information. The plan requires the hospital to sanction employees who violate rules and to appoint an independent assessor to audit compliance with the requirements over a three-year period.
The size of the fine is likely to be a drop in the bucket for UCLA, analysts said. Even so, it sends an important message, they said. "This is new behavior on the part of HHS and it stems from the new enforcement imperatives Congress put into HITECH because the feds had such an abysmal enforcement record," said Deborah Peel founder and chairman of the Patient Privacy Rights Foundation.
"This is HHS finally starting to protect citizens," from privacy violations by healthcare entities, she said. "Nearly a decade of no enforcement at all convinced the health care and health IT industries that there was no point in investing in state-if-the-art security."
Today's settlement follows an investigation by HHS's Office of Civil Rights into complaints by two unidentified celebrity patients that UCLA hospital staff had inappropriately accessed their electronic protected health information.
The OCR investigation uncovered numerous other instances between 2005 and 2009 where hospital employees had looked at protected health information belonging to other patients as well.
Statements announcing the settlement that were released today by the HHS and UCLA do not identify any specific violation. However, back in April 2008 the hospital had disclosed that it had detected whole groups of employees and even doctors snooping on the medical records of celebrities such as Tom Cruise and Farrah Fawcett.
At that time, the hospital had noted that the snooping went back to 1995. One person was indicted for selling data acquired from such snooping to the media.
This marks the third time this year that HHS has cracked down on healthcare organizations that have been found in violation of HIPAA rules. In February, HHS announced that it had imposed a civil monetary penaltyof $4.3 million on health insurer Cignet Health for refusing to provide patients with access to their medical records as required under HIPAA.
That was the first civil penalty handed out since HIPAA went into effect more than 10 years ago.
Again in February, HHS said it had also gotten Massachusetts General Hospital to agree to pay $1 million to settle HIPAA violation charges.
Peel said it is hard to know if the settlement amount is even close to adequate without knowing how many people might have been impacted by the snooping. But based on current health care data breach statistics, the assessed fine was probably "extremely low."
"Clearly this settlement was intended to signal that it's time at last for the health care industry to beef up data security and protect patients' sensitive health data from snooping and misuse," she said.
Even so, the fine and corrective action plan do little to protect the unknown number of victims whose private data was compromised by the snooping, she said. Everyone who was a patient at UCLA between 2005 and 2009 should be getting credit monitoring and medical ID theft monitoring services, she said.
Peter MacKoul, president of consulting firm HIPAA Solutions, said the settlement underscores why health care entities need to have both technical controls and business processes for controlling access to protected data.
Many health care organizations have little real information on the number of people within their organizations that have access to electronic medical records, and even less information on those who might have actually accessed those records, he said.
He said that is why it is important for healthcare entities to implement role-based access control measures and processes for ensuring compliance with those measures.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .
Read more about privacy in Computerworld's Privacy Topic Center.