HIPAA Enforcement Against UCLA and New Rule Proposal Bring Scrutiny to Workforce Access to Health Information

On May 31, 2011, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) that would provide individuals with a new right under HIPAA. The NPRM would allow individuals to request an “access report” from HIPAA covered entities that must reflect virtually every instance of access to their electronic protected health information (ePHI), including all access by individual employees. Weeks later, OCR followed the NPRM’s release with an announcement on July 7, 2011 that it had entered into an $865,000 settlement with the University of California at Los Angeles Health Systems (UCLAHS) to resolve potential HIPAA violations raised by celebrity complainants who claimed that employees of UCLAHS repeatedly looked at their ePHI without a permissible purpose. Employee “snooping” of this nature is precisely the type of behavior that the new “access report” described in the NPRM would capture. Individuals’ ability to request such reports from covered entities (and OCR’s ability to do the same) not only creates a new and burdensome obligation for covered entities, but also creates new enforcement risks in the process.

OCR’s enforcement action against UCLAHS followed an extended period in which employees allegedly repeatedly accessed ePHI of many patients, including several celebrity patients, when they did not have any job-related need to access the data. OCR’s investigation of this potential HIPAA violation led to the identification of multiple alleged deficiencies by UCLAHS under the Privacy and Security Rules. These included failing to implement security controls to reduce the risk of impermissible access, failing to provide Security Rule training, and failing to apply appropriate sanctions against workforce members who violated UCLAHS policies and procedures. The end result for UCLAHS was imposition of an $865,500 resolution amount and a Corrective Action Plan (CAP). The CAP has a three-year duration that begins once OCR approves the “Monitor Plan” established by UCLAHS, which includes, among other items...

Published In: Administrative Agency Updates, Business Organization Updates, Health Updates, Labor & Employment Updates, Privacy Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
