UCLA Health System intensifies medical record security following a $865,000 settlement for high-profile violations of patient privacy

On the heels of a hefty court settlement over a confidential records breach, the UCLA Health System is administering further safeguards to prevent unauthorized viewing of patients’ medical records.

Last week, the health system agreed to an $865,000 settlement with federal health regulators over a series of incidents that allegedly took place between 2005 and 2009. During that time period, multiple hospital employees were reported and fired for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

These staff members allegedly viewed the medical records of celebrities including Britney Spears, Farrah Fawcett and former California first lady Maria Shriver, said Roxanne Moster, UCLA Health System spokeswoman.

Hoping to stave off future incidents, the UCLA Health System has collaborated with the U.S. Department of Health and Human Services for the past three years, holding in-depth training and putting in place further levels of security for private records, Moster said.

In addition, three hospitals ““ Ronald Reagan Medical Center, Santa Monica Medical Center and Orthopaedic Hospital, and the Resnick Neuropsychiatric Hospital ““ have planned for more frequent monitoring of information access.

The system’s plan to ensure patient confidentiality involves more regular training sessions for those with access to health information. It will also sanction those who violate policy and appoint an independent supervisor to track the hospital’s compliance, according to a news release by the U.S. Department of Health and Human Services Office for Civil Rights.

Privacy breaches, such as those reported at UCLA, are symptomatic of a systemwide issue, said Julie Cantor, professor at the UCLA School of Law.

Human curiosity can overcome policy, especially in cases involving celebrities, she said.

“It is human nature to be curious about people who are living really interesting and fantastic lives,” she said.

Leo Braudy, a professor of English and history at the University of Southern California, specializes in fame culture. He said some are willing to place themselves in risky positions in order to expose the weaknesses of those who appear to have fascinating, surreal lives.

“No matter how many privacy contracts are signed and jobs in jeopardy, there are always people who don’t think they’ll be caught,” Braudy said. “Does a celebrity have a life-threatening illness or have a mole somewhere not usually visible? There are little details someone would pay to know about.”

Given some employees’ inherent curiosity and willingness to take risks, health entities should provide as many safeguards as possible to prevent violation, Braudy said.

“The fascination will always be there, but institutions can protect themselves against it,” he said.

Under HIPAA, entities providing care for patients must keep records private, restricting access only to those with a valid reason to view the information, said Georgina Verdugo, director of the Office for Civil Rights.

HIPAA aims to promote transparency so patients will feel comfortable providing detailed medical information and in turn receive the best care possible, Cantor said. In hospitals, transparency is essential for proper diagnosis and treatment, and fear of breached privacy may discourage patients from providing that full range of information, she said.

“If you don’t feel like your information will remain confidential, it’s pretty difficult for you to be completely honest to your provider, and if you’re a provider and you’re not getting the honest story, it keeps you from providing the best care,” Cantor said.

But an understanding of privacy and security policy in hospitals is not enough, Verdugo said. Compliance must become second nature to employees and a key part of every action performed at work, she said.

Keeping in mind that the risk of violation is always there, health entities must be consistent with implementing and enforcing policy and setting uniform, centralized standards, Verdugo said. Hospitals must also constantly review and update policies and routinely audit employee access to protected health information, she added.

“We have to keep things confidential, not because it’s a nice thing to do, but because it is serious and important to providing proper health care,” Cantor said.