UCLA Hospital Hit With HIPAA Fine On Celeb Records
Trailrunner7 writes "The University of California at Los Angeles Health Services has agreed to pay an $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. This is the third major HIPAA fine issued by the Department of Health and Human Services in 2011, following a fine of $4.3 million for Cignet and a penalty of $1 million for Massachusetts General Hospital."
Re: (Score:2)
What is a papatatzi?
Paparazzi with a tattoo?
Pledged to tweak their infrastructure (Score:2)
Re:Pledged to tweak their infrastructure (Score:5, Insightful)
I was thinking it sounds like "fire those involved and make it very clear too all remaining employees that those involved were fired and are unlikely to get another job in the medical field after being terminated for a HIPPA violation...
Re: (Score:2)
ugg... to...
Re: (Score:3)
I agree!
I work at a health insurance company and everyone in the company was required to take HIPPA training. It was very thorough, and I assume everyone else in the Health Industry had to go through something similar. On top of that, the pharmacy reminds you of it and whenever I see a new doctor I get to read yet more documentation regarding HIPPA and then sign it.
The employees involved should have known they were doing something that was not only illegal, but that would endanger their career.
Re: (Score:2)
> regarding HIPPA
The training must not have been very good if you did not learn how to spell the acronym.
Re: (Score:3)
Argghhh!
My apologies, you are correct.
HIPAA (Health Insurance Portability and Accountability Act)
For some reason I often think "Health Insurance Portability and Privacy Act", which seems more appropriate. There is a lot of emphasis on privacy, and yet it's not in the acronym. I must confess that remembering what the acronym stood for was a question I got wrong, but I got the rest right.
Shocked, shocked I tell you! (Score:5, Insightful)
Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.
As somebody who works in the medical record field as a 'consultant', this is grossly impractical.
Records get accessed hundreds of times a day by hundreds of people for all sorts of reasons. It would be a full-time effort by a good-sized team of people to even begin to look into the audit logs.
Now any good EMR suite will allow the locking of sensitive records which prevents unauthorized access such as this. However, they typically will allow a 'break the glass' scenario where anybody CAN access the record in an em
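The lock-plus-break-the-glass model and the post-hoc audit review described in the comment above, as an added illustration (not code from the post or from any EMR product); the CSV log format, the field names, the restricted-record set and the care-team mapping are all assumptions, and the log lines are constructed:

```python
"""Post-hoc review of EMR access audit logs for restricted ("locked") records.

Assumed model (illustration only, not any vendor's design): each audit line is
CSV "timestamp,user,role,patient_id,action,reason"; some records are flagged
restricted; users on a patient's care team may read the record freely; anyone
else must record a break-the-glass reason, and every such override is queued
for a human reviewer rather than silently allowed.
"""
import csv
from io import StringIO

# Constructed sample audit log (not real data, not real users).
SAMPLE_LOG = """\
2011-07-07T08:01:00,nurse42,RN,P-1001,view,
2011-07-07T08:05:00,clerk17,BILLING,P-2002,view,
2011-07-07T08:09:00,clerk17,BILLING,P-1001,view,
2011-07-07T09:30:00,md88,MD,P-1001,view,break-glass: unresponsive pt in ED
2011-07-07T10:12:00,tech05,LAB,P-1001,view,
"""

RESTRICTED = {"P-1001"}                    # records locked in the EMR (assumed)
CARE_TEAM = {"P-1001": {"nurse42"}}         # users assigned to the patient (assumed)
FIELDS = ["timestamp", "user", "role", "patient_id", "action", "reason"]


def review_access(log_text, restricted=RESTRICTED, care_team=CARE_TEAM):
    """Return (violations, break_glass) for a CSV audit log.

    violations: reads of a restricted record by a user who is neither on the
    care team nor recorded a break-the-glass reason; the lock should have
    blocked these, so any hit means the lock or the log needs investigating.
    break_glass: emergency overrides that a reviewer must confirm were justified.
    """
    violations, break_glass = [], []
    for row in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        pid = row["patient_id"]
        if pid not in restricted:
            continue                       # ordinary record: normal controls apply
        if row["user"] in care_team.get(pid, set()):
            continue                       # assigned caregiver: expected access
        if row["reason"].startswith("break-glass:"):
            break_glass.append(row)        # override recorded; needs human review
        else:
            violations.append(row)         # locked record read with no justification
    return violations, break_glass
```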
Scope matters (Score:2)
> I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine.
You can access the sealed filings from cases all across the country?
No? Maybe that makes a difference.
Re: (Score:2)
> You can access the sealed filings from cases all across the country?
if he's lulzsec, I bet he could...
Re: (Score:2)
> You can access the sealed filings from cases all across the country?
> No? Maybe that makes a difference.
I don't see the relevance here.
The only thing I can figure is that you have a vastly distorted view of EMR. I think an uncomfortably large portion of the populace has bought the shit that Siemens is shoveling in their ads.
There isn't a vast network spanning the country of EMRs that can be accessed by anyone connected to it. Not even spanning a city (with limited exceptions). Each hospital/dr office/whatever has their own system, with their own records. I can't work at SmallRegionalHospital and access
Re: (Score:2)
> Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.
Well said, and artfully argued, I might add. It should be pointed out that since almost forever, medical records have lived on paper in large, poorly secured rooms. Audit trails, if they existed at all, were little more than a sign in sheet by the door. The breach that was caught and dealt with in this case would likely have gone undetected, or the perpetrators un-identified at least, before the advent of EMR. Then again, I did work in one hospital where the records of a certain class of patients were consi
Re: (Score:3, Interesting)
> Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.
> Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.
I'm not sure I'm all in for that statement. Almost all EMRs these days have pretty robust security controls, and it's rare that celebrity patients come in on unplanned visits where that "all access" kind of response is necessary. Where it is, it's usually handled in the ED, where the expectation of privacy is necessarily low. In the case that the patient is a regular admission, a pre-admit for a procedure/care, or anything other than getting hit by a bus or other trauma, there are well-established practices
get rid of the HMO bs and then billing will not be th (Score:2)
get rid of the HMO bs and then billing will not be the fall point for people who don't want their real name listed.
sounds like sound risk management to me. (Score:3)
Because she's famous, it increased the risk that people would access the records unnecessarily, and this behavior seemed like a logical response to manage that risk.
Re: (Score:3)
In a civilized country, there wouldn't have to be any billing for something like a delivery.
Re: (Score:2)
> Obvious potential for abuse, so all of the protections have to be post hoc.
In every other case, the employee would simply be fired and have to find a new line of work. Fining the employer for an infrastructure that is working as designed only increases medical costs for everyone. Worse, I highly doubt this fine would have been levied if it had been a homeless person instead of a celebrity. Effectively we're paying for celebrity ego here.
And so... (Score:1)
This is why I'm against surveillance as a means to deal with crime.
I don't necessarily have a problem with surveillance in and of itself; but I do have a problem when humans are the ones in control of it. You simply cannot trust that everybody who has access to information will not abuse it.
Give people the opportunity to take advantage of other people, and it will happen.
HIPAA is a travesty (Score:4, Insightful)
I work in the electronic medical records industry, and I can tell you that HIPAA protects your privacy about as well as those multi-page "privacy policy" letters you get from your bank and other businesses...you know, the ones that tell you, in lots of fine print, that they will do whatever they want with your information.
Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!
What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes. It also costs hospitals and doctors tons of money to comply (I know, my company is the recipient of some of that money)...and that in turn drives up the cost of health care.
HIPAA may have been created with good intentions in mind, but it is a travesty and can't be repealed fast enough!
Re: (Score:2)
Not saying you're bullshitting or anything but my father was hospitalized last year over a severe infection in his hand. He was so sick from it that he was out of it and unable to sign any paperwork. The doctors who saw him were very up front with me about their thoughts and fears about his health.
Are you suggesting that they violated HIPAA by telling me? I was under the impression HIPAA was more about sharing information with non-relatives, or about stopping those who can access the information from accessing it.
Re: (Score:3, Insightful)
You are correct, that is what HIPAA was supposed to be about. You are fortunate.
The problem is, it all depends on how the specific doctor or hospital interprets their obligations under HIPAA. Some of them are reasonable, but others grossly exaggerate the level of privacy required by the law.
In our business, we often have to read document after document just to try to understand the requirements. If WE have to do that, how in the world can a small doctor's office apply the law correctly? The truth is, th
Re: (Score:1)
Regulation is intended to eliminate small and efficient competitors, see raw milk, beef industry, heck, even freaking barbers are regulated and need to study to get licensed.
Well, barbers are more about exclusion of newcomers in terms of labor (i.e. unions), in comparison to the other examples where big business is putting hurdles in front of small businesses using the power of the state. Nevertheless, both have the goal of raising the bar to entry.
Re: (Score:2)
HIPAA does nothing more than create mountains of paperwork (or electronic forms). It makes no real difference in privacy in any meaningful way, but it sure does keep a lot of HIPAA consultants employed.
Why not jail for the offenders? (Score:2)
The article states that the employees had no reason for accessing the records. How about puerile curiosity? What they didn't have was a legitimate reason.
The hospital says it needs to conduct “regular and robust” trainings for employees that access sensitive information. What a load of crap. This is the same bullshit response police departments give when cops steal your camera when you record them. Both parties knew what they were doing was wrong BEFORE they did it. The answer is serious jail ti
But will they pay? (Score:2)
We read about fines like this all the time but there is no follow-up to see if they are ever paid. It's similar to the drug busts where law enforcement agencies assign an arbitrary massively inflated value to the confiscated material to make themselves look good. Agencies declare these fines so they look good in the press, but are they ever actually paid? In full? On time?
Or as they say in the hospital... (Score:2)
Knock knock!
Who's there?
HIPAA.
HIPAA who?
Sorry, I'm not allowed to say.
Re: (Score:2)
Hm. So being a celebrity is an offense potentially punishable by death now?
-Mike
I hate to break this to you, but (Score:2)
Much of the access to these protected records comes from minimum-wage (or slightly better) data entry workers. There's a huge amount of paperwork generated for each hospital patient and they handle it all.
Imagine if you're one of these people; working long days at a keyboard for barely enough to live on - and someone offers you a significant "bonus" for giving them a copy of this or that file.
This goes on every day at your hospital, your motor vehicle licensing and driver's licensing department, etc. There's