Forgot your password?
typodupeerror
Government Privacy Security Your Rights Online

UCLA Hospital Hit With HIPAA Fine On Celeb Records 57

Posted by timothy
from the easier-than-getting-madonna's-pap-smear dept.
Trailrunner7 writes "The University of California at Los Angeles Health Services has agreed to pay a $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. This is the third major HIPAA fine issued by the Department of Health and Human Services in 2011, following a fine of $4.3 million for Cignet and a penalty of $1 million for Massachusetts General Hospital."
This discussion has been archived. No new comments can be posted.

UCLA Hospital Hit With HIPAA Fine On Celeb Records

Comments Filter:
  • Sounds like hospital speak for slap a band aid on it and hope they don't get caught again.
    • by ethanms (319039) on Saturday July 09, 2011 @09:07AM (#36704122)

      I was thinking it sounds like "fire those involved and make it very clear too all remaining employees that those involved were fired and are unlikely to get another job in the medical field after being terminated for a HIPPA violation...

      • by ethanms (319039)

        ugg... to...

      • by NeoMorphy (576507)

        I agree!

        I work at a health insurance company and everyone in the company was required to take HIPPA training. It was very thorough, and I assume everyone else in the Health Industry had to go through something similar. On top of that, the pharmacy reminds you of it and whenever I see a new doctor I get to read yet more documentation regarding HIPPA and then sign it.

        The employees involved should have known they were doing something that was that was not only illegal, but that it would endanger their career

        • by scottv67 (731709)
          >HIPPA training
          >regarding HIPPA

          The training must not have been very good if you did not learn how to spell the acronym.
          • by NeoMorphy (576507)

            Argghhh!

            My apologies, you are correct.

            HIPAA(Health Insurance Portability and Accountability Act)

            For some reason I often think "Health Insurance Portability and Privacy Act", which seems more appropriate. There is a lot of emphasis on privacy, and yet it's not in the acronym. I must confess that remembering what the acronym stood for was a question I got wrong, but I got the rest right.

      • Hmm... I think you just saved the company money by not putting a bandaid on the situation. Imagine if they actually had to rewrite some software to lock access to records etc. You're right, termination does work better.
      • The punishment depends on who you are. Clerks get fired. Nurses may get fired, depending on whether they are in a Union or not. They may also be suspended without pay. It varies. The last time that I really looked at this, I could not find a case of a doctor a being fired for a HIPAA (yes, that is the acronym....it has nothing to do with hippos) violation. They might be suspended without pay.
  • by overshoot (39700) on Saturday July 09, 2011 @09:00AM (#36704080)
    Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

    Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

    • Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slappe
      • I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine.

        You can access the sealed filings from cases all across the country?

        No? Maybe that makes a difference.

        • Ok, you got a point there - Obviously I can only access stuff inside the firm. But then again, would it really change anything? In the end, it remains a matter of my professional obligation and honor to keep my mouth shut.
        • You can access the sealed filings from cases all across the country?

          if he's lulzsec, I bet he could...

        • You can access the sealed filings from cases all across the country?

          No? Maybe that makes a difference.

          I don't see the relevance here.

          The only thing I can figure, is that you have a vastly distorted view of EMR. I think a uncomfortably large portion of the populace has b\ought the shit that Siemens is shoveling in their ads.

          There isn't a vast network spanning the country of EMRs that can be accessed by anyone connected to it. Not ever spanning a city (with limited exceptions). Each hospital/dr office/whatever has their own system, with their own records. I can't work at SmallRegionalHospital and access

      • by Jawnn (445279)

        Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

        Well said, and artfully argued, I might add. It should be pointed out that since almost forever, medical records have lived on paper in large, poorly secured rooms. Audit trails, if they existed at all, were little more than a sign in sheet by the door. The breach that was caught and dealt with in this case would likely have gone undetected, or the perpetrators un-identified at least, before the advent of EMR. Then again, I did work in one hospital where the records of a certain class of patients were consi

    • Re: (Score:3, Interesting)

      by Saerko (1174897)

      Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

      Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

      I'm not sure I'm all in for that statement. Almost all EMRs these days have pretty robust security controls, and it's rare that celebrity patients come in on unplanned visits where that "all access" kind of response is necessary. Where it is, it's usually handled in the ED, where the expectation of privacy is necessarily low. In the case that the patient is a regular admission, a pre-admit for a procedure/care, or anything other than getting hit by a bus or other trauma, there are well-established practices

    • Obvious potential for abuse, so all of the protections have to be post hoc.

      In every other case, the employee would simply be fired and have to find a new line of work. Fining the employer for an infrastructure that is working as designed only increases medical costs for everyone. Worse, I highly doubt this fine would have been levied if it had been a homeless person instead of a celebrity. Effectively we're paying for celebrity ego here.

  • by Anonymous Coward

    This is why I'm against surveillance as a means to deal with crime.

    I don't necessarily have a problem with surveillance in and of itself; but I do have a problem when humans are the ones in control of it. You simply cannot trust that everybody who has access to information will not abuse it.

    Give people the opportunity to take advantage of other people, and it will happen.

    • by swalve (1980968)
      The only way to stop crime is to stop people from wanting to do it, and increasing the chances they get caught is one of the ways to do that. You don't want a society of people who never have had to make "should I, shouldn't I" decisions. They will all run into traffic the second the styrofoam fence develops a hole.
  • by Tony Isaac (1301187) on Saturday July 09, 2011 @09:23AM (#36704190) Homepage

    I work in the electronic medical records industry, and I can tell you that HIPAA protects your privacy about as well as those multi-page "privacy policy" letters you get from your bank and other businesses...you know, the ones that tell you, in lots of fine print, that they will do whatever they want with your information.

    Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!

    What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes. It also costs hospitals and doctors tons of money to comply (I know, my company is the recipient of some of that money)...and that in turn drives up the cost of health care.

    HIPAA may have been created with good intentions in mind, but it is a travesty and can't be repealed fast enough!

    • Not saying you're bullshitting or anything but my father was hospitalized last year over a severe infection in his hand. He was so sick from it that he was out of it and unable to sign any paperwork. The doctors who saw him were very up front with me about their thoughts and fears about his health.

      Are you suggesting that they violated HIPAA by telling me? I was under the impression HIPAA was more about sharing information with non relatives, or to stop those who can access the information from accessing it

      • Re: (Score:3, Insightful)

        by Tony Isaac (1301187)

        You are correct, that is what HIPAA was supposed to be about. You are fortunate.

        The problem is, it all depends on how the specific doctor or hospital interprets their obligations under HIPAA. Some of them are reasonable, but others grossly exaggerate the level of privacy required by the law.

        In our business, we often have to read document after document just to try to understand the requirements. If WE have to do that, how in the world can a small doctor's office apply the law correctly? The truth is, th

        • by Anonymous Coward

          Regulation is intended to eliminate small and efficient competitors, see raw milk, beef industry, heck, even freaking barbers are regulated and need to study to get licensed.

          Well, barbers are more about exclusion of newcomers in terms of labor (i.e. unions), in comparison of the other examples where big business is putting hurdles for small businesses using the power of the state. Nevertheless, both have the goal of raising the bar to entry.

      • by pete6677 (681676)

        HIPAA does nothing more than create mountains of paperwork (or electronic forms). It makes no real difference in privacy in any meaningful way, but it sure does keep a lot of HIPAA consultants employed.

      • Look, let's hypothetically say you had the case above and it turned out your father had AIDS. I wouldn't want my kids to know that. "He's ill" should really be the only thing I would want my doctors to say.
  • The article states that the employees had no reason for accessing the records. How about puerile curiosity? What they didn't have was a legitimate reason.

    The hospital says it needs to conduct “regular and robust” trainings for employees that access sensitive information. What a load of crap. This is the same bullshit response police departments give when cops steal your camera when you record them. Both parties knew what they were doing was wrong BEFORE they did it. The answer is serious jail ti

  • We read about fines like this all the time but there is no follow-up to see if they are ever paid. It's similar to the drug busts where law enforcement agencies assign an arbitrary massively inflated value to the confiscated material to make themselves look good. Agencies declare these fines so they look good in the press, but are they ever actually paid? In full? On time?

  • Knock knock!
    Who's there?
    HIPAA.
    HIPAA who?
    Sorry, I'm not allowed to say.

  • Much of the access to these protected records come from minimum-wage (or slightly better) data entry workers. There's a huge amount of paperwork generated for each hospital patient and they handle it all.

    Imagine if you're one of these people; working long days at a keyboard for barely enough to live on - and someone offers you a significant "bonus" for giving them a copy of this or that file.

    This goes on every day at your hospital, your motor vehicle licensing and driver's licensing department, etc. There's

As the trials of life continue to take their toll, remember that there is always a future in Computer Maintenance. -- National Lampoon, "Deteriorata"

Working...