HIPAA Enforcement Against UCLA and New Rule Proposal Bring Scrutiny to Workforce Access to Health Information


On May 31, 2011, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) that would provide individuals with a new right under HIPAA. The NPRM would allow individuals to request an “access report” from HIPAA covered entities that must reflect virtually every instance of access to their electronic protected health information (ePHI), including all access by individual employees. Weeks later, OCR followed the NPRM’s release with an announcement on July 7, 2011 that it had entered into an $865,000 settlement with the University of California at Los Angeles Health Systems (UCLAHS) to resolve potential HIPAA violations raised by celebrity complainants who claimed that employees of UCLAHS repeatedly looked at their ePHI without a permissible purpose. Employee “snooping” of this nature is precisely the type of behavior that the new “access report” described in the NPRM would capture. Individuals’ ability to request such reports from covered entities (and OCR’s ability to do the same) not only creates a new and burdensome obligation for covered entities, but also creates new enforcement risks in the process.

OCR’s enforcement action against UCLAHS followed an extended period in which employees allegedly repeatedly accessed ePHI of many patients, including several celebrity patients, when they did not have any job-related need to access the data. OCR’s investigation of this potential HIPAA violation led to the identification of multiple alleged deficiencies by UCLAHS under the Privacy and Security Rules. These included failing to implement security controls to reduce the risk of impermissible access, failing to provide Security Rule training, and failing to apply appropriate sanctions against workforce members who violated UCLAHS policies and procedures. The end result for UCLAHS was imposition of an $865,500 resolution amount and a Corrective Action Plan (CAP). The CAP has a three-year duration that begins once OCR approves the “Monitor Plan” established by UCLAHS, which includes, among other items...


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
